Thursday, November 21, 2024

Fraudsters Moving on from Stored Data to Thefts of Data in Transit

Merchants are getting the message that they should not store credit and debit card data, but that's turning into yesterday's issue, according to Chicago-based Trustwave, one of the big card-industry security consultancies. In a report released on Monday, Trustwave says that computer hackers may still be able to steal card data from a merchant even if the merchant uses secure payment-processing software. The report summarizes findings from Trustwave's investigations of 443 cardholder data compromises from 2001 through Oct. 29.

The good news is that this year breaches involving theft of stored data are down about 10%, Colin Sheppard, forensics practice manager at Trustwave, tells Digital Transactions News. Industry security executives for years have reported that many older point-of-sale payment-processing applications store magnetic-stripe, or track, data, and even PINs, often without the merchant knowing it. The card networks, particularly Visa Inc. with its Payment Application Best Practices (PABP) guidelines for secure software, have responded by outlawing the use of insecure software. “[Merchants] no longer are uneducated when it comes to that,” Sheppard says. “We are really seeing people upgrade their systems.”

Improperly stored data is still a big problem: about 80% of the cases Trustwave has investigated worldwide involved it in some manner. But while more secure storage is necessary, it's not sufficient to prevent data theft. Hackers are now homing in on the fraction of a second during the transaction process when exposed data are transmitted. An example is when hackers place so-called malware onto a merchant's system that steals data from a computer's Random Access Memory (RAM), also called volatile memory. According to Sheppard, the nature of existing computers and RAM is such that track data in volatile memory are unencrypted and therefore subject to compromise.
“There is always going to be a short amount of time when data is unencrypted with volatile memory,” he says. “Attackers know this.” The first step in capturing that data in transit is to place RAM-parsing malware onto a card-processing system. The malware captures card data as the computer uses its RAM to interact with the processing software. The information is briefly in unencrypted, plain-text form, and even if it isn't written to disk or stored, it can still be stolen.

“The possibility of parsing track data from RAM has existed for years, but only recently has Trustwave discovered real-world examples of its use,” the report says. It goes on to say that “what's perhaps most unsettling about the trend” is that theft can happen even if the processing software meets the requirements of PABP, which is now known as the Payment Application Data-Security Standard, or PA-DSS. Other malware variants include so-called packet sniffers and key-logging software that capture unencrypted, plain-text track data as they enter or leave a computer system.

Sheppard would not discuss specific cases or say how many thefts Trustwave has found that involved data in transit. The biggest card breach ever, the hack at retailer TJX Cos. Inc., included the capture of card data flowing over a wireless corporate network, but TJX also had stored numbers improperly and wasn't in compliance with the Payment Card Industry Data-Security Standard, or PCI, at the time. Federal authorities have charged a dozen people in connection with the TJX and other data thefts and some have already struck plea agreements (Digital Transactions News, Aug. 6). The failure of many merchants to put computer firewalls in place and to fortify their Internet-facing systems makes the placement of malware onto their systems easier, according to Trustwave.
About 75% of the compromises Trustwave investigated in North America included a failure to meet PCI's Section 10, which addresses remote access to network resources and cardholder data. The most insecure merchants are small (so-called Level 4 merchants based on their transaction volumes) physical retailers that aren't sophisticated technologically and use third parties to manage their security systems, according to Sheppard.

In North America, 74% of the compromises Trustwave has investigated involved brick-and-mortar merchants; 56% of the merchants were in food service such as restaurants. Some 72% of the North American compromises involved POS software. In 66% of the cases, third parties were responsible for payment-system administration. Common PCI failures among North American merchants included remote access, which was involved in 17% of compromises that Trustwave investigated; so-called back-door or “Trojan” attacks, also 17%; and perimeter security such as missing or weak firewalls, 15%.

The lesson is that only full PCI compliance, not just strong software that doesn't store track or PIN data, will minimize the chances of a successful hack, according to Sheppard. “In the last couple years we've been concentrating on meeting stored-data [rules], but we've moved beyond that,” he says. “The criminals are trying to stay a step ahead.”
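
The article notes that older point-of-sale applications store track data, often without the merchant knowing it. The sketch below is an added example, not taken from the article or Trustwave's report, of how a merchant or assessor can sweep logs and application files for leftover track data and report it in masked form; the track layouts follow ISO/IEC 7813, and the function names and sample log are constructed for illustration.

```python
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM, service code, discretionary data, ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1 format B: %B PAN ^ cardholder name ^ YYMM, service code, data, ?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^\r\n]{2,26}\^(\d{4})(\d{3})[^?\r\n]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the first six and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_stored_track_data(blob: bytes):
    """Return (offset, track, masked PAN) for each Luhn-valid track record."""
    hits = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append((m.start(), name, mask(pan)))
    return sorted(hits)


# Constructed sample: a POS debug log that leaked swipes. The PAN is the
# common 4111... test number; the second swipe fails Luhn on purpose.
SAMPLE_LOG = (
    b"12:01:07 txn=881 amount=14.50 status=OK\n"
    b"12:01:07 DEBUG swipe=;4111111111111111=30121010000000000000?\n"
    b"12:03:44 DEBUG swipe=;4111111111111112=30121010000000000000?\n"
    b"12:05:10 DEBUG raw=%B4111111111111111^DOE/JANE^30121010000000?\n"
)

if __name__ == "__main__":
    for offset, track, pan in find_stored_track_data(SAMPLE_LOG):
        print(f"offset {offset}: {track} record, PAN {pan}")
```

Any hit in a file on disk means the application is retaining full track data and the file needs secure deletion and a fix at the source.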
