Retail Woes

We have all heard about the recent Target breach, and read about the many retail breaches of the past, and wondered why they keep happening. While we don't yet know what happened at Target, maybe this article will help illustrate the problem and a solution.

Retail systems generally involve "hub and spoke" architectures. The spokes are networked systems such as Point of Sale (POS), and the hub is a data collection and processing facility. The POS calculates cash and credit-card transactions and negotiates approvals through a software exchange of card data with financial "clearing" systems. The transactions are encrypted at the POS, and the key is a combination of the PIN (cash) or CVV (credit), a certain number and arrangement of the card's digits, and a private key provided by the financial service via a Hardware Security Module (HSM) that negotiates the communications between the POS and the clearing authority. Once authorization for a purchase is made, the POS data is transported (again in encrypted form) to the retailer's data collection and processing facility.

The data that is transported to the collection and processing facility is usually encrypted in transit, and contains separate elements of the card number and the encrypted PIN or CVV. That data is then stored for various reasons, including data mining for marketing statistics (sometimes to sell to other companies), as well as for secondary clearing and settlement with banks or their intermediary financial processing companies. Unfortunately that data is often stored in several disparate locations according to its utility to the retailer, and is often not encrypted where it is stored (though the PIN and/or CVV are usually encrypted).

Payment card handling standards and regulations currently ONLY require the data to be encrypted in transit, not where it is stored. This is fundamentally the reason that the most notorious data breaches have had such large-scale impacts: the attackers went after the data stores rather than the POS. The volumes of unencrypted data in the stores were far more lucrative and easier to compile. How attackers get to that data, though, involves malware and APT activities.

There are three types of malware usually involved in retail data breaches:

  1. Phishing emails with malicious droppers/downloaders to infect systems with backdoor trojans, enabling remote access and exploitation of networked corporate systems.
  2. "PUPs" (potentially unwanted programs), which are usually administrative tools, sometimes legitimate, that allow password hash collection or cracking, Active Directory or LDAP browsing, SQL server interaction, RAR/ZIP packaging, Simple Mail transport, proxy service configuration, and reconnaissance tools such as FPORT. These assist the attackers in their exploitation of the networked systems by enumerating systems by type (POS, DB, AD, etc.), infecting those systems according to need, and establishing data harvesting and exfiltration methods.
  3. Harvesters, which are custom utilities programmed to perform the actions needed to harvest card data (RAM scrapers such as the DexterPOS malware), PINs/CVVs (man-in-the-middle HSM collector proxies), or bulk data (SQL miners that integrate network, database, and administrative functions), and that provide persistent access, automated harvesting, and programmed exfiltration of data.

The malware described above provides compromise, exploitation, and persistent access to retail systems. This is the pattern of activities common to "advanced (or targeted) persistent threats" as it relates to retail environments. It should be noted that sometimes web service compromises take the place of phishing emails, and corporate systems usually already have all the tools needed to give attackers what PUPs offer. Sometimes attackers can simply make use of internet-accessible "administrative backdoors" such as RDP, VNC, or SSH access, which are unfortunately common network vulnerabilities (in all corporate systems). Our investigations in retail data breaches have consistently identified these types of malware tools, tactics and procedures.
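The network side of that pattern (internet-reachable RDP/VNC/SSH, a POS terminal browsing AD or SQL, bulk data leaving the POS segment over SMTP, FTP or a proxy) can be checked for in flow logs. The following is an added example, not code from the article or from Cylance. It assumes POS terminals sit in 10.20.0.0/16, treats all RFC 1918 space as internal, and uses a simplified key=value flow line format and sample records constructed for this example; the port numbers are the standard defaults for each service.

```python
"""Added example (not from the article or Cylance): flagging the network side of
the retail intrusion pattern over constructed flow records.

Assumptions: POS terminals live in 10.20.0.0/16, all RFC 1918 space counts as
internal, and the log format is a simplified key=value flow line constructed
for this example. Port numbers are the standard defaults for each service.
"""
import ipaddress
import re

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")      # assumed POS address range
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}     # remote-admin services
EXFIL_PORTS = {21: "ftp", 25: "smtp", 443: "https", 8080: "proxy"}
ENUM_PORTS = {389: "ldap", 445: "smb", 1433: "mssql"}   # AD / file / SQL services
EXFIL_BYTES = 1_000_000                                 # assumed bulk-transfer threshold

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def parse_flow(line):
    """Parse one flow line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"ts": m["ts"], "src": src, "dst": dst,
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def classify(flow):
    """Return the reasons this flow matches the pattern, or [] if it looks routine."""
    reasons = []
    src, dst, port = flow["src"], flow["dst"], flow["dport"]
    # 1. RDP/VNC/SSH on an internal host reached directly from outside.
    if port in ADMIN_PORTS and is_internal(dst) and not is_internal(src):
        reasons.append(f"internet-exposed {ADMIN_PORTS[port]}")
    # 2. A POS terminal querying AD/LDAP, SMB or SQL: typical of enumeration, not of selling goods.
    if src in POS_SEGMENT and port in ENUM_PORTS:
        reasons.append(f"pos-to-{ENUM_PORTS[port]} enumeration")
    # 3. A large outbound transfer from a POS terminal to a public address (staged RAR/ZIP leaving).
    if (src in POS_SEGMENT and not is_internal(dst)
            and port in EXFIL_PORTS and flow["bytes"] >= EXFIL_BYTES):
        reasons.append(f"bulk outbound {EXFIL_PORTS[port]} from pos")
    return reasons


def scan(lines):
    """Run the rules over a log and return (timestamp, src, dst, reasons) per hit."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reasons = classify(flow)
        if reasons:
            alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]), reasons))
    return alerts


# Constructed flow records (TEST-NET addresses stand in for the internet).
SAMPLE_LOG = [
    "2014-01-10T02:14:03 src=203.0.113.9 dst=10.0.4.8 dport=3389 bytes=48210",
    "2014-01-10T02:20:51 src=10.20.5.17 dst=10.0.1.2 dport=389 bytes=2200",
    "2014-01-10T03:02:10 src=10.20.5.17 dst=198.51.100.23 dport=25 bytes=5210000",
    "2014-01-10T03:05:00 src=10.20.5.17 dst=10.0.9.9 dport=443 bytes=900",
    "2014-01-10T03:06:00 src=10.0.4.8 dst=10.0.1.2 dport=389 bytes=3000",
    "not a flow record",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the first three records fire one rule each (exposed RDP, POS-to-LDAP, bulk SMTP from the POS segment) and the remaining two are routine. The membership lists are deliberately explicit rather than relying on a library's notion of "private", because the segmentation that matters here (what a terminal is allowed to reach) is the retailer's own.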

The reason that these breaches have occurred is that the industry approach to identifying malware is broken. Malware is part of the toolkit employed by APT actors. It facilitates the activities and accordingly is a critical indicator of attacks.

Antivirus, white/blacklists, in-flight recording, virtual machine reverse engineering, etc. are currently the tools available to retailers to assist in their defenses against constant APT attacks -- but they don't work. There are fundamentally two reasons: (1) they are AFTER the fact, relying upon something someone else has seen (A/V and W/B lists) or resulting from analysis (IFR/VM); and (2) they are too "heavy" to serve the needs of the POS environment, as they require frequent signature updates or human interaction.

Antivirus and white/blacklist success depends upon either a signature or a heuristic match to an index of known patterns from PAST submissions. Accordingly, phishing emails that commonly employ zero-days or polymorphism to obfuscate recognizable signatures cannot be detected by antivirus. Most of today's malware also employs anti-VM or anti-RE techniques, making it similarly undetectable by RE/VM analysis. IFR and related incident responder tools are by their nature not defensive; they are reactive or investigative.

Secondly, POS systems run stripped-down and often out-of-date operating systems (usually Windows XP or NT, sometimes even DOS). They have limited RAM and almost no available storage, so voluminous signature files that require frequent updates simply cannot be supported by POS.
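The point about signatures being after the fact can be shown in a few lines. What follows is an added toy illustration, not code from the article and not the Cylance algorithm: a hash blocklist catches exactly the sample it was built from and misses a copy with a single byte changed, while a check on a structural property of the file (here byte entropy, a crude stand-in for a real feature model) is unaffected by that change. The samples are constructed byte strings, not real malware, and the 7.0-bit threshold is an assumption for this toy.

```python
"""Added example (not from the article or Cylance): why a hash signature is
brittle against a trivially re-packed sample, while a property-based check
(here: byte entropy, a crude stand-in for a real feature model) is not.

All samples are constructed byte strings, not real malware. The 7.0-bit
entropy threshold is an assumption for this toy, not a published value.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def make_packed_sample(seed: bytes, blocks: int = 128) -> bytes:
    """Deterministic high-entropy blob standing in for a packed payload."""
    out = [hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks)]
    return b"MZ" + b"".join(out)


def repack(sample: bytes, salt: int) -> bytes:
    """Polymorphism stand-in: change one trailing byte, leaving structure
    untouched; that is enough to change every file hash."""
    return sample[:-1] + bytes([sample[-1] ^ (salt & 0xFF)])


# Constructed samples.
PACKED_SAMPLE = make_packed_sample(b"constructed-sample")
BENIGN_TEXT = b"Quarterly sales report, store 1042\n" * 200
KNOWN_BAD_HASHES = {sha256_hex(PACKED_SAMPLE)}   # the "past submission" the A/V has seen


def signature_detect(data: bytes, blocklist=KNOWN_BAD_HASHES) -> bool:
    """Signature/blocklist model: a hit only for a byte-identical known sample."""
    return sha256_hex(data) in blocklist


def property_detect(data: bytes, entropy_threshold: float = 7.0) -> bool:
    """Property model: judge the file by what it is, not by whether it was seen before."""
    return shannon_entropy(data) >= entropy_threshold


def compare(data: bytes) -> dict:
    return {
        "signature": signature_detect(data),
        "property": property_detect(data),
        "entropy": round(shannon_entropy(data), 2),
    }


if __name__ == "__main__":
    print("known sample :", compare(PACKED_SAMPLE))
    print("repacked     :", compare(repack(PACKED_SAMPLE, 1)))
    print("benign text  :", compare(BENIGN_TEXT))
```

Entropy alone is far too crude to deploy (plenty of legitimate compressed or encrypted files score high), which is why real property-based products combine many such features; the example only shows why a lookup of past hashes is the wrong shape of defense for polymorphic malware.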

That leaves retail environments needing a solution that recognizes malware by its properties, in a lightweight and fast functional form. The Cylance Infinity platform has that capability. Using an extremely lightweight and fast mathematical algorithm for determining maliciousness, Infinity technology can detect advanced and standard malware before the world has ever seen it. Truly predictive. This capability is what retail environments desperately need; the information stored in retail contains consumer identity and financial data that has real economic value and corresponding impact. Identifying and preventing constantly evolving (and evasive) compromise malware, man-in-the-middle data harvesters, and data exfiltrators simply cannot be overlooked.

The risks and threats described above are not unique to retail; they apply in any teller-related environment, including financial services, insurance, healthcare, etc. However, retail has the most risk of economic and financial loss to affect the market. Two things need to change to help retail limit these risks:

First - payment card industry standards and regulations need to enforce a requirement to encrypt data wherever it is stored in retail or associated systems. There will still be some risk of RAM scrapers collecting transactional data, but at least the huge volumes of data that have been collected in past events from accessible databases will be denied to future attacks (which will undoubtedly continue to occur).
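What "protected where it is stored" can look like for the marketing and settlement stores described earlier: the warehouse row carries a keyed token and a masked PAN instead of the card number, and the CVV/PIN is never persisted at all. The following is an added example, not the article's or Cylance's code; it assumes an HMAC-SHA256 token scheme with the key held in an HSM or key vault (`TOKEN_KEY` below is a constructed stand-in), and the card number used is the well-known 4111 test PAN, not a real card.

```python
"""Added example (not from the article or Cylance): tokenizing card data before
it reaches the retailer's data stores, so analytics and settlement tables never
hold a raw PAN.

Assumptions: an HMAC-SHA256 keyed token stands in for the PAN; the key
(TOKEN_KEY) would live in an HSM or key vault, not beside the data. All values
below are constructed test data (4111... is the standard test PAN), not real cards.
"""
import hashlib
import hmac
import re

# Constructed key for the example; in production this comes from an HSM/KMS.
TOKEN_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check so malformed input is rejected before it is tokenized."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic token: the same PAN always maps to the same token
    (so repeat-customer statistics still work), but without the key the PAN
    cannot be recovered from it."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_transaction(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Shape of a warehouse row: no PAN, no PIN, no CVV."""
    pan = record["pan"]
    return {
        "token": tokenize_pan(pan, key),
        "masked_pan": mask_pan(pan),
        "amount": record["amount"],
        "store": record["store"],
        # CVV and PIN from the record are deliberately dropped, never stored.
    }


def contains_raw_pan(row: dict) -> bool:
    """Audit helper: does a stored row still carry a standalone Luhn-valid
    12-19 digit number anywhere in its string fields?"""
    for value in row.values():
        if isinstance(value, str):
            for candidate in re.findall(r"\b\d{12,19}\b", value):
                if luhn_valid(candidate):
                    return True
    return False


# Constructed POS record as it would arrive at the hub (CVV present at this point).
SAMPLE_RECORD = {"pan": "4111111111111111", "cvv": "123", "amount": "19.99", "store": "1042"}

if __name__ == "__main__":
    row = store_transaction(SAMPLE_RECORD)
    print(row)
    print("raw record holds a PAN:", contains_raw_pan(SAMPLE_RECORD))
    print("stored row holds a PAN:", contains_raw_pan(row))
```

The audit helper is the part worth running against existing tables: the article's point is that the data is scattered across several stores, and a scan for Luhn-valid digit runs is a quick way to find the copies that were never supposed to exist. Tokenization of this kind does not remove the RAM-scraper risk at the terminal, only the bulk-database risk, which is exactly the trade-off the paragraph above describes.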

Second - retail needs to be provided with tools to recognize and prevent malware. Those tools must be suited to its needs, though. You can't teach an old dog new tricks, but you can put a collar on it... Cylance Infinity tools (V, and the soon-to-be-released PROTECT) are examples of the capabilities to address retail cyber threats. By applying math rather than signatures, malware can be identified even if it has never been seen before.

Third (and certainly more long term) - the entire US retailing/credit/banking system must consider moving to the chip-and-PIN card system that the European and world markets have largely adopted. Chip-and-PIN systems prevent these types of man-in-the-middle attacks because they keep the data secured from the card all the way through the payment processing backend. While nothing is unbreakable, it's a stronger solution that needs to be considered.

Retail (and associated payment card) breaches will continue to be pursued by attackers; they are simply too lucrative to ignore. In today's retail systems architecture they are also too easy to accomplish.