A growing threat
The warning from the US Department of Homeland Security last month was grim.
More than 1,000 US retailers could be infected with Backoff, malicious software that attacks their Windows-based point-of-sales systems and allows hackers to steal financial information about their customers.
Among the most recent high-profile victims was United Parcel Service, which apologized to customers last month after it found infected machines in 51 stores that enabled hackers to take their names, addresses, e-mail addresses and credit card information.
Last year, the retail giant Target was hit by a similar breach. The company disclosed that some 40 million credit card accounts were compromised, and that hackers stole personal information, including names, phone numbers, and e-mail and mailing addresses, from as many as 70 million customers.
The security breach cost the third largest retailer in the United States dearly, both in terms of lost sales and damaged reputation. Last week, the company said second quarter earnings dropped 61.7 percent.
Other companies that have been hit are Neiman Marcus and P.F. Chang’s, but even smaller retail outfits are at risk.
The US government first warned about Backoff in July and urged retailers both large and small to scan their POS systems, although it acknowledged that most antivirus software at the time could not even detect the program.
In most instances, hackers gain entry into a retailer’s POS system through remote desktop access software. From there, they are able to introduce memory-scraping software into the POS systems. Once in place, the malicious software can grab customer credit card data from magnetic stripe card swipes. Backoff also has key-logging features so that even if a cashier enters a credit card number manually, that data can still be captured.
An infected system can send the stolen data back to a host controlled by the hackers once every minute.
The US government advisory recommends several steps to strengthen security on remote desktop systems, networks and the POS systems to deal with the Backoff threat. It’s advice that local retailers may wish to adopt, too—especially the ones who are still running their POS systems on Windows XP.
For remote data access, the US advisory suggests:
• Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
• Limit the number of users and workstations who can log in using Remote Desktop.
• Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports.
• Change the default Remote Desktop listening port.
• Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
• Require two-factor authentication for remote desktop access.
• Install a Remote Desktop Gateway to restrict access.
• Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.
• Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
• Limit administrative privileges for users and applications.
• Periodically review systems for unknown and dormant users.
For network security, it suggests that companies:
• Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet.
• Segregate payment processing networks from other networks.
• Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
• Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
• Implement data leakage prevention or detection tools to detect and help prevent data exfiltration.
• Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users.
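The advisory notes that an infected system reports back to the attackers’ host once every minute, which is exactly the kind of anomalous traffic the last recommendation above is meant to catch. The following Python script is an added illustration, not part of the government advisory or this article: it reads a constructed outbound-connection log (the format, hosts and addresses are assumptions) and flags any POS host whose connections to one destination recur at a near-constant interval.

```python
"""Flag POS hosts whose outbound connections to one destination recur at a
fixed interval, the once-a-minute check-in the advisory describes."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (not from any real retailer), one
# connection per line: timestamp src_ip dst_ip dst_port
SAMPLE_LOG = """\
2014-08-01T10:00:00 10.1.1.20 198.51.100.7 443
2014-08-01T10:00:11 10.1.1.21 192.0.2.10 80
2014-08-01T10:01:00 10.1.1.20 198.51.100.7 443
2014-08-01T10:01:45 10.1.1.21 192.0.2.10 80
2014-08-01T10:02:01 10.1.1.20 198.51.100.7 443
2014-08-01T10:03:00 10.1.1.20 198.51.100.7 443
2014-08-01T10:03:52 10.1.1.21 192.0.2.11 80
2014-08-01T10:04:00 10.1.1.20 198.51.100.7 443
2014-08-01T10:05:01 10.1.1.20 198.51.100.7 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Return (flow, average gap in seconds) for flows whose gaps between
    connections are nearly constant.

    max_jitter is the allowed std-dev/mean ratio of the gaps; a human
    browsing session varies far more than a timer-driven check-in.
    """
    beacons = []
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg, 1)))
    return beacons
```

In the sample log only 10.1.1.20 is reported, with a 60-second average gap; the register’s irregular web traffic is ignored.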
On the POS, retailers should:
• Implement hardware-based point-to-point encryption.
• Install Payment Application Data Security Standard-compliant payment applications.
• Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
• Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
• Perform a binary or checksum comparison to ensure unauthorized files are not installed.