By Jane Adler
The payments industry has made great strides in the area of security, but malicious computer code is still an ever-evolving threat to processors and merchants.
For a restaurant manager, Gary Sipp knows a whole lot about malicious computer software, usually referred to as malware. He talks easily about firewalls, Trojans, and compliance standards. He’s familiar with all the latest attack methods, even the ZeuS Trojan that targets online bank accounts.
But Sipp didn’t aim to become an expert on malware. He learned about it the hard way when the restaurant he runs in Huntsville, Texas, was the victim of a cyber attack.
Last July, someone remotely installed malware somewhere in the restaurant’s payments or processing chain, though authorities still don’t know exactly how or where. The malware, linked to a skimming device, apparently grabbed credit card information before processing and data encryption were complete.
The result: hundreds of files were stolen, and, according to police reports, at least 200 people reported that their bank-account information had been compromised after suspicious transactions started showing up on their statements. Other stores in the area were hit too.
“We got stung,” says Sipp. The restaurant didn’t lose any money on the transactions, but Sipp did lose business because of unflattering press reports that hinted that the problem might have been caused by the restaurant’s computers.
Investigators say that wasn’t the case. And besides, Sipp prides himself on being aggressive when it comes to rooting out computer viruses. He paid $2,000 at each of his two restaurants to make sure the computer systems had the latest security systems. He also pays a $200 quarterly fee to his card processor for regular system scans to stay in compliance with industry security standards.
Sipp thinks the cyber thieves have just gotten really sophisticated and that malware is hard to find nowadays.
“The professionals told us we couldn’t have done anything to prevent this,” he says.
Falling Short
The malware incident at Sipp’s Mexican restaurant in Huntsville will never go down as the biggest cyber heist on record, but it is symptomatic of the type of theft becoming more common in electronic payments.
As the attacks grow in number, they also are getting harder to detect. Malware creators are designing customized software. Thieves can develop their own viruses by visiting Web sites to select malware features from a drop-down menu. Cyber thieves are using automated systems to install malware and collect payments data in real time.
Crooks also are looking for new ways to enter the payments system. Instead of direct attacks on the control components of a corporate computer system, the thieves are targeting end-user PCs, such as those for employees. The thieves gain entrance to the system through the PC and then search for valuable card and related payment data.
At the same time, merchants and processors alike are trying to stay one step ahead of the crooks. Retailers and their financial partners aim to comply with safety measures developed by the PCI Security Standards Council, though efforts often fall short.
“Malware is still on the rise,” says Nicholas Percoco, senior vice president at Trustwave Holdings Inc., a Chicago-based firm that investigates data breaches through its SpiderLabs division, headed by Percoco. “The criminals are always trying to find system vulnerabilities. That’s their job.”
It’s hard to know the total number of dollars lost each year due to data breaches, experts say. But indicators suggest the market for stolen card data is huge.
– In 2010, the U.S. Secret Service arrested more than 1,200 suspects for cyber crimes involving more than $500 million in fraud losses.
– In its August Cost of Cyber Crime Study, The Ponemon Institute LLC research firm says that the median annualized cost of cyber crime was $5.9 million among sampled companies.
– A recent study from LexisNexis Risk Solutions, conducted by Javelin Strategy & Research, says merchants have suffered more than $100 billion in losses from fraudulent transactions in the last year. The study also says the true cost of a $100 fraudulent transaction for a retailer is about $230 when all resulting expenses are tallied up. The study predicts an increase in breaches at the merchant level in 2011.
– A September study by Aite Group LLC estimates losses from business-account takeovers by malware at $210 million this year, rising to $371 million by 2015. The same study projects that 25 million new strains of malware will have been released this year, and the annual malware production number is on pace to grow to 87 million by the end of 2015.
Costly Damage
The biggest targets of cyber crime are located in the United States, Canada, Latin America, and parts of Europe, experts say. Though investigators suspect many attacks originate in Eastern Europe, Russia, and Asia, the attacks can come from anywhere since thieves can easily mask their location by using fake Internet Protocol (IP) addresses.
Another emerging threat comes from “hacktivists.” These groups breach systems for some social or political aim, though the damage they do can still be as costly as a purely criminal attack.
In September, an arrest was made in the infamous Sony gaming-systems breach case in which the underground group, LulzSec, broke into Sony’s system and gained access to 77 million accounts. LulzSec said in a statement at the time of the breach that customers should not put faith in a company that doesn’t take security seriously.
As of last May, the breach had cost Sony $171 million, though some observers estimate that the final bill could total more than $1 billion.
Breaches of all types are on the rise. The number of breaches investigated in 2010 by the Verizon Risk Team rose dramatically to 761, compared to 150 breaches the previous year. On a somewhat brighter note, the number of compromised records counted in Verizon’s latest data-breach report fell to 4 million in 2010, compared to 144 million in 2009.
“More breaches are taking place in small and medium-size organizations,” says Wade Baker, director of risk intelligence at Verizon Business, a unit of New York City-based Verizon Communications Inc. He adds that large companies often have better defenses against attacks than small organizations. Cyber crime isn’t a priority for smaller businesses focused on making payroll and finding new customers.
Malware accounted for almost half of all breaches investigated by Verizon in 2010. More important, malware was responsible for nearly 80% of the lost data.
‘Automation Is Key’
By definition, malware is any software or code developed for the purpose of taking information from a computer database, network, or other electronic system without the owner’s consent. By contrast, hacking typically involves an individual breaking into a system to steal data, though hackers sometimes install malware on systems.
Common malware includes viruses, worms, Trojans, and so-called “back doors,” which circumvent firewalls. Trojans disguise themselves as legitimate applications and are the source of most corporate-account takeovers. A man-in-the-browser Trojan can bypass most forms of strong authentication and covertly modify pages or transaction content, or insert transactions, according to Aite.
The ZeuS program, which cyber-criminals have used to compromise online-banking sites, is probably the most famous Trojan, though some cyber-criminals now use newer variants.
Other types of malware include man-in-the-middle applications, which can capture data in digital communications between a user and a Web site; viruses; worms, which replicate themselves and damage host systems; and rootkits, which are programs intended to hide evidence of an attack. Botnets, meanwhile, are groups of malware-infected computers under the control of cyber-criminals.
Of course, criminals often target point-of-sale terminals and systems since card data are valuable and easily sold on the black market. In Trustwave’s 2011 Global Security Report, about 85% of the investigations consisted of payment card breaches.
The biggest change in malware over the last several years is that it’s harder to detect, and it’s becoming fully automated. Malware can run silently on a payments system and grab data, feeding an unending flow of card information back to the criminals.
“Automation is key,” notes Percoco. “Criminals can put malware on a merchant system and never touch it again. The system will stream data that can be sold immediately.”
Percoco has worked on cases where payment data stolen from a merchant were used fraudulently within hours.
Today, malware is customized too. About two-thirds of the malware cases in Verizon Business’s 2011 Data Breach Investigations Report involved some type of specialized code that can’t be recognized by traditional defenses. In last year’s data-breach study, 46% of the cases involving malware that Verizon reviewed did not have customized software. That number slipped to 30% in the latest study.
Picky Perps
While the creation of malware has traditionally required expertise in code design, the job has become a lot easier recently. Automated tools are now available to the criminals. A graphical user interface, or GUI (pronounced “gooey”), allows the criminal to pick and choose the type of attack from a series of drop-down menu items.
“Anyone can order malware. This opens the door to a large pool of criminals,” says Baker.
Another important factor is that card data are often gathered during transmission prior to encryption. Some 66% of the cases in the Trustwave study involved data stolen during transmission.
So-called RAM scrapers are a type of malware designed to capture card data while they are being processed in a system’s memory, a big problem on internal networks where security measures aren’t tough enough. To thwart such attacks, some companies place card data at random locations in memory, making it harder for the malware to locate valuable information.
But crooks are finding inventive ways to enter systems. They sometimes target an employee’s PC to gain access to an internal network via e-mails or social media.
“The bad guys are definitely shifting their attacks to the end users,” says Peter Kashou, director of network and security engineering at Litle & Co., a merchant processor based in Lowell, Mass.
An emerging technology that could stop such attacks is the virtual PC that only interfaces with a secure system. “We have to create systems that are protected from malware,” says Kashou.
Criminals are getting picky too. Card data stolen from online transactions aren’t worth nearly as much as the kind of data malware can poach from a real-world purchase. That’s because online transactions may not include enough information about the user to complete fraudulent purchases later.
So criminals seek the track data encoded on the card’s magnetic stripe. These data include the customer name, 16-digit primary account number (PAN), expiration date, CVV number (the three- or four-digit security code on the back), and in the case of a debit card, the PIN.
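The RAM-scraper passage above and the description of track data explain why card data that sits unencrypted in memory or in a log is the thing thieves go after. As an added example (not code from the article or from any of the firms it quotes), here is the kind of defender-side check a merchant or processor can run over a captured log file or memory dump to confirm that no cleartext track-2 records or primary account numbers are present; the sample log lines are constructed, the function names are my own, and findings are masked so the scan itself never emits a full PAN.

```python
import re

# Track 2 framing (ISO/IEC 7813): ';' start sentinel, PAN of 13-19 digits,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?' end.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare 13-19 digit run, for a PAN that leaked outside the track framing.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30            # ASCII digit to integer
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """PCI-style display masking: keep first six and last four digits only."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()


def scan_for_card_data(buf: bytes) -> list[dict[str, str]]:
    """Report masked track-2 records and bare PANs found in a log or dump."""
    findings: list[dict[str, str]] = []
    track_spans = []
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            findings.append({"kind": "track2", "pan": mask_pan(m.group(1)),
                             "expiry": m.group(2).decode()})
            track_spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        inside_track = any(s <= m.start() < e for s, e in track_spans)
        if inside_track or not luhn_ok(m.group(1)):
            continue                 # already reported, or not a plausible PAN
        findings.append({"kind": "pan", "pan": mask_pan(m.group(1))})
    return findings


# Constructed sample log lines (not real data): one track-2 swipe logged raw,
# one bare PAN, and two digit runs (order number, debug value) that fail Luhn.
SAMPLE_LOG = (
    b"2011-09-28 12:01:03 POS lane=2 order=20110928001234 amount=42.10\n"
    b"2011-09-28 12:01:03 swipe raw=;4111111111111111=15011011234567890?\n"
    b"2011-09-28 12:01:04 auth ok pan=5500000000000004\n"
    b"2011-09-28 12:01:05 debug buf=1234567890123456\n"
)
```

Running scan_for_card_data(SAMPLE_LOG) reports the logged swipe and the bare PAN as two masked findings and ignores the order number and debug value, which fail the Luhn check.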
“Criminals want track data because it’s worth more,” says Percoco at Trustwave.
Criminals manufacture counterfeit cards that carry the stolen track data, which they use themselves or sell to others to make fraudulent purchases. Fake cards sell for about $100 to $150 apiece, compared to only a few dollars for the incomplete data culled from an online transaction.
“Most of our investigations are in the card-present environment,” notes Percoco.
Fast Adapters
Staying one step ahead of malware-savvy crooks is an ongoing day-to-day process. Merchants and processors alike must continually update their security systems and approaches.
“There’s no magic-bullet solution,” notes Avivah Litan, vice president and distinguished analyst at consulting firm Gartner Inc., Stamford, Conn. Litan advocates a layered approach that includes protecting consumers as well as looking at patterns of activity across the entire payments system.
An example of how quickly attackers can adapt comes from SecurityMetrics Inc., an Orem, Utah-based firm that conducts security audits for businesses. In one case, SecurityMetrics worked with a merchant that suffered multiple attacks.
The merchant installed an updated anti-malware application on its system. The program did its job and found the infected files, which were then removed.
The merchant thought everything was fine. But five days later the attackers returned and installed a new version of the malware that couldn’t be detected by the anti-virus program.
“Thieves can change the malware more quickly than the anti-malware companies can push new versions out to their clients,” says Eric Luke, senior forensic analyst at SecurityMetrics.
More Diligence Needed
So how are merchants and processors doing in their battle with the bad guys?
Experts say compliance with the Payment Card Industry data-security standard (PCI) enforced by the card networks still offers the best defense against malware and hacking attacks of all types, despite ongoing complaints from merchants that PCI compliance is complex and costly.
Merchants and processors struggle to comply with the standard more than six years after its introduction. In its latest PCI-compliance report, issued in late September, Verizon found that only 21% of the organizations examined were fully compliant at the start of an audit, even though many had been compliant the previous year.
Verizon found, not surprisingly, that breached organizations were less likely to be compliant with the PCI standards than non-breached organizations. The report is based on findings from more than 100 PCI assessments and data-breach investigations conducted by Verizon.
And Verizon found that only 64% of the companies regularly update their anti-virus software—something that should be a simple and routine safety measure.
“That’s a pretty low number considering that anti-virus software is readily available,” says Baker. “We should be doing better than that.”
While PCI compliance clearly has a lot of room for improvement, security executives admit adherence to the PCI standard is not foolproof and that even more diligence by merchants and processors is needed.
“We can no longer assume we can prevent malware infections in our networks and systems,” says Baker. “The game is: how quickly can we detect an infection before it steals payment card data?”