Erik Rasmussen of the U.S. Secret Service says attacks on payments systems have exploded in the past two years. But banking institutions and merchants continually fail to address the greatest security gap - the point of sale. As a special agent within the Cyber Intelligence Section of the Secret Service's Criminal Investigative Division, Rasmussen has investigated card fraud since 2004.
Card skimming is a problem, but it's not the only one, he says. Currently, most card fraud incidents stem from point-of-sale hacks, not skimming, says Rasmussen, who co-hosted The Faces of Fraud: An Inside Look at the Fraudsters and Their Schemes with BankInfoSecurity at RSA Conference 2012, held in San Francisco Feb. 27-March 2. "The No. 1 way criminals are getting in is through remote access to the backhouse server," Rasmussen said.
POS hacks include the type that impacted customers of Michaels and Save Mart in 2011, as well as numerous self-service gasoline pump merchants since 2010.
The ubiquity of the Windows operating system is, in part, to blame. "And the number of points in the transaction chain also open cards to risk," he said. "Hackers have gotten around encryption, in some cases."
Hackers have also learned to exploit vulnerabilities in that commonly used OS: malware is the attack tool, and the Windows-based POS system is the target.
"POS systems need remote access for systems repair," Rasmussen said. "But if you're a retailer that is using all the defaults, for passwords, as an example, you can see how easy it is to compromise."
Malware is installed through a backend attack or a malicious link clicked and opened by an employee with administrative privileges. From there, fraudsters have three options for getting the captured card data out: automatic export to an FTP server whose address and credentials are embedded in the malware; e-mailing the data out via e-mail accounts embedded in the malware; or copying it to a USB drive, if an insider is involved.
Nearly half of the card breaches investigated by the Secret Service involve malware, and the retail, food and beverage, and hospitality sectors are the most vulnerable. "Once the hackers get into the system, it's all become too easy for them."
Pointing to the $20 million card breach that recently hit 100 Subway locations and exposed 100,000 cardholders, Rasmussen described how easy it was for four Romanians to tap Subway's network and exploit the system for more than a year before striking. "They got in through a remote desktop, and they used keystroke logging to collect the card details."
Card issuers, acquirers, merchants, consumers and card brands were affected. More collaboration and information sharing among the payments parties would have helped.
"For Subway, beyond the humiliation of being hacked, they also got dinged for not complying with PCI [the Payment Card Industry Data Security Standard]," Rasmussen said. "Payments systems attacks are not going away; in fact, we expect them to grow, as more payments options, through PayPal and Google, for instance, hit the market."
The best way to mitigate risks: increase information-sharing and collaboration with law enforcement.
Tips for Banking Institutions
Rasmussen says financial institutions should focus on risk mitigation across numerous channels, including credit and debit.
For what should institutions be on the lookout?
Insider Threats. Have employees knowingly exposed or stolen cardholder or account information, or are employees vulnerable to socially engineered schemes, such as phishing?
Systems Vulnerabilities. Can your system be remotely accessed? If so, by whom, and have default passwords and logins been updated and regularly changed?
What can institutions and merchants do to mitigate risk?
Involve Law Enforcement. Investigators can install sniffers to monitor incoming and outgoing traffic, and take forensic images of affected systems, to identify malware and the destinations to which stolen data is sent.
Outside Forensics. Merchants should hire third-party forensics firms to evaluate their networks and systems, and then provide information to the Secret Service when breaches are discovered.
Stay Current. Regular risk assessments are the best way to stay abreast of emerging fraud schemes.
Improve Education. Employees and customers need to know what the latest threats are and how to mitigate the risks those threats pose.
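The two patterns Rasmussen describes, remote access into the back-office server and card data pushed out over FTP or e-mail to an address embedded in the malware, both leave traces in ordinary firewall logs, which is what the "Systems Vulnerabilities" question (who can remotely access the system?) and the traffic monitoring under "Involve Law Enforcement" come down to in practice. The script below is an added example, not code from the article or the Secret Service: it scans constructed firewall log lines from a hypothetical store network (the addresses, the 10.20.0.0/24 POS segment, the 10.10.0.0/24 vendor-support range and the single sanctioned payment-processor address are all assumptions) and flags RDP sessions to the back-office server from outside the support range, outbound FTP or SMTP from POS hosts, and any other egress from the POS segment that is not to the payment processor.

```python
"""Flag POS-segment network flows that match the remote-access and
exfiltration patterns described in the article: inbound RDP to the
back-office ("backhouse") server from an unexpected source, and outbound
FTP or e-mail (SMTP) sessions from POS hosts.

All names, addresses and log lines below are constructed for this example.
"""
import ipaddress
from collections import namedtuple

# Hypothetical store network layout (assumptions, not from the article).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")        # terminals + back-office server
BACKHOUSE_SERVER = ipaddress.ip_address("10.20.0.10")
REMOTE_SUPPORT_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]  # vendor jump hosts via VPN
PAYMENT_PROCESSOR = ipaddress.ip_address("203.0.113.5")   # the only sanctioned egress target

RDP_PORT = 3389
FTP_PORTS = {21}
MAIL_PORTS = {25, 465, 587}

Flow = namedtuple("Flow", "ts src_ip src_port dst_ip dst_port proto")


def parse_flow(line):
    """Parse one firewall log line (constructed format: ts src:port dst:port proto)."""
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port), proto.upper())


def classify(flow):
    """Return a finding label for a suspicious flow, or None if it is benign."""
    if flow.proto != "TCP":
        return None
    # Rule 1: RDP into the back-office server from anything but the support range.
    if flow.dst_ip == BACKHOUSE_SERVER and flow.dst_port == RDP_PORT:
        if not any(flow.src_ip in net for net in REMOTE_SUPPORT_SOURCES):
            return "unexpected-remote-access"
        return None
    # Rules 2 and 3: sessions leaving the POS segment.
    if flow.src_ip in POS_SEGMENT and flow.dst_ip not in POS_SEGMENT:
        if flow.dst_port in FTP_PORTS:
            return "possible-ftp-exfil"
        if flow.dst_port in MAIL_PORTS:
            return "possible-smtp-exfil"
        if flow.dst_ip != PAYMENT_PROCESSOR:
            return "unsanctioned-egress"
    return None


def scan(lines):
    """Run classify() over log lines; return (ts, label, src, dst:port) tuples."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow.ts, label, str(flow.src_ip),
                             f"{flow.dst_ip}:{flow.dst_port}"))
    return findings


# Constructed sample firewall log; the 198.51.100.x and 192.0.2.x hosts stand in
# for attacker-controlled and otherwise unknown destinations.
SAMPLE_LOG = """\
# ts src:port dst:port proto
2012-02-28T01:12:03 10.10.0.7:51002 10.20.0.10:3389 TCP
2012-02-28T02:44:10 198.51.100.23:40211 10.20.0.10:3389 TCP
2012-02-28T03:00:00 10.20.0.21:49152 203.0.113.5:443 TCP
2012-02-28T03:15:41 10.20.0.10:49201 198.51.100.77:21 TCP
2012-02-28T03:16:02 10.20.0.10:49202 198.51.100.90:587 TCP
2012-02-28T03:20:00 10.20.0.21:49153 192.0.2.44:443 TCP
2012-02-28T03:21:00 10.20.0.21:5353 224.0.0.251:5353 UDP
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

On the sample log the vendor's RDP session and the processor connection pass, while the RDP login from an unknown address, the FTP and SMTP sessions from the back-office server and the stray HTTPS egress are each flagged. The point of the allowlist rule is that a POS segment has very few legitimate destinations, so an analyst does not need to know the malware's embedded FTP or mail address in advance; anything outside the short sanctioned list is worth a look.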