POS theft detection is difficult

Mike Patterson speaks out
Learn more about Mike Patterson...
Archive

Aironet

Competitive Lab Tests

Tech Forums

How-to Tutorials

CCIE Gossip

How POS thefts infiltrate

POS thefts are a form of targeted attack because the assailant observes the cashier's register and by paying attention to the way the interface behaves it allows the assailant to determine the operating system behind the buttons being pushed on the screen. If it's running on a Microsoft Windows operating system it could be an ideal target.

The next step would be to take notes on the name tags of the managers within the store.

Then the theft mastermind can search for these store managers on social networking sites such as LinkedIn and Facebook.

After trying to socially connect with these store managers or by simply guessing at their email addresses, a phishing attack is often one of the preferred methods for trying to gain an initial foothold inside the retailer.

The reason many phishing attacks can be so effective is because "persistence pays." The targeted store managers may not click on the first ten emails, but they haven't yet received all 100 from different people disguised as someone they know, eventually a store manager will be taken off-guard and click.

Once the malware is inside, it could be making an encrypted connection right through the firewall and out to a host on the Internet for further instructions. If the end user of the infected host has the right permissions, the malware might be able to make connections to servers holding sensitive information. In the case of a POS attack, the goal is to find the server with the addresses of all the registers. If it can be harvested, the malware can then attempt to move laterally and infect the point of sale systems.

POS theft tools

Once the POS device is infected, it may download a compressed file like those containing an executable that performs memory scrapping. On Windows operating systems a REGEX search is often utilized.

A Visa data security alert posted in April of 2013 states:

"Since January 2013, Visa has seen an increase in network intrusions involving grocery merchants. Once inside a merchant's network, hackers install memory parsing malware on Windows based cash register systems or back of house (BOH) servers to extract full magnetic-stripe data.

"The malware is configured to 'hook' into certain payment application binaries. These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory parsers to steal it."

How POS thieves sell credit card numbers

POS thieves sell stolen credit cards via the Internet:

Source: Mike Patterson

How to defend against POS attacks

Antivirus software installed on POS systems usually provide little protection from the malware which scrapes the memory of the systems. This is because the malware has been compiled to be unique and has never been seen by up-to-date signature matching firewalls and Antivirus software.

According to Visa, one of the best ways to avoid POS infiltrations is to:

"Implement hardware-based point-to-point encryption. Visa recommends EMV-enabled PIN-entry devices or other credit-only accepting devices that have Secure Reading and Exchange of Data (SRED) cap abilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website."

POS infection traffic patterns

The traffic created by some POS infections is often times compressed, encrypted and on typical TCP/UDP ports.

The uploads to the Internet could be made during regular business hours by a host who won't have any problems making connections right past even the latest next generation firewall.

How to discover POS infections

Since Antivirus solutions are usually ineffective at uncovering POS infection, some admins believe that evidence of malice can be uncovered if the system logs are regularly reviewed.

However, Visa also stated:

"Hackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection."

To uncover POS malware, it helps to monitor all systems that make up POS traffic patterns. It should be noted how the applications used to process new orders communicate with the main servers.

Characteristics to be mindful of include:

How large and frequent are the traffic patterns?

What ports do they use, are connections encrypted?

How does a busy season like Christmas or Valentines day impact traffic?

Loaded with the above notes or possibly a saved historical behavior baseline that doesn't include the malware, we can begin to sleuth for signs that are indicative of some type of contagion. One of the best technologies to use when monitoring network communication behaviors is NetFlow or the IETF standard: IPFIX.

Levi Gundert - Cisco threat research, analysis and communications (TRAC):

"We really like NetFlow.... from a storage perspective, it's a little bit more scalable for your devices to offload-it into a database for collection and analysis vs. a full packet capture.

"It's also very good for sort of profiling general activities on the network. If you can do one to one sampling of NetFlow meaning you are capturing the header meta data of every packet traversing the network device then you are really going to have some very useful insight into what is happening on your network."

Cisco POS threat detection

Although there is no one solution acting as a panacea for uncovering all types of POS attacks, NetFlow should be part of your:

Cisco cyber threat solution

Here are some example behaviors to monitor on machines with access to POS data:

Are there any strange DNS requests for domains that meet certain criteria?

Host reputation: Are the machines communicating with known Internet bots?

Are there any occasional Internet connections where the POS host does not receive a response and how often does it occur?

On encrypted connections to Internet hosts, is the upload greater than the download byte volume? What is the pattern?

Even with lots of events matching the above behavior, a certain amount of false positives is expected. This is why it is smart to build a Threat Index (TI) for all internal hosts.

Threat index by violator

The TI shown below is a moving value:

Source: Mike Patterson

The threat index is a moving value

The idea behind the Threat Index for each host is that they rise for an individual host each time it participates in a behavior that is suspicious. Depending on the type of behavior (e.g. scanning the network), the event may increase the index by a higher value than others (e.g. receiving an ICMP redirect). If the Threat Index of a host hits a threshold, a notification can be triggered.

Keep in mind that the Threat Index is a moving value because individual events age out over time. For this reason, an IP address must reach the Threat Index threshold within a configurable window of say 14 days because the same events that increased the value are also aging out and as a result, the index can also be reduced.

Investigating POS threats

When you go looking for strange behaviors and you need to use a solution providing insight everywhere in the network, many believe that there is no better solution available today than NetFlow/IPFIX. Since it is generated by routers and switches, the POS malware can't easily delete it.

When flow data is combined with a scalable flow reporting solution, the forensic investigation value is second to none.

Scalable NetFlow Analyzer solutions which can crunch data collected on thousands of systems involved with the POS process can provide the filtering and speed of delivery desired when you are under the gun and need answers fast.

Palo Alto Networks: Better POS security

Mike Patterson's other blog stories:

Dell solves complex business problems

Enterasys Secure Networks

Mike Patterson speaks out

Systrax High-Impact Network Monitoring

TMCnet Advanced NetFlow Traffic Analysis