• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Current News   »   Beyond the bank: Payment systems under attack

Beyond the bank: Payment systems under attack

  • Posted on:March 7, 2015
  • Posted in:Current News, Industry News
  • Posted by:
    Trend Micro
0

In today’s environment, the news of a company’s data breach isn’t as surprising as it used to be. The threat landscape is constantly changing, and businesses can sometimes have a hard time keeping up. Hackers leverage increasingly advancing attack strategies and are continually targeting different industries and technological systems.

Although many breaches have financial motives, cybercriminals have recently shifted their focus when it comes to monetary-based attacks. Instead of targeting the bank or financial institution, there have been rising instances involving retailers’ payment systems. As these attacks continue to impact big name vendors and their customers, one thing is clear: There is a need for better protection to ensure payment technologies are safer.

By examining the attack patterns and previous cases, businesses can learn how to deploy improved security measures to protect their technologies and their consumers’ payment information.

Case in point: Home Depot POS system hack
One of the most recent and high-profile payment system attacks involves home improvement retailer Home Depot. In late 2014, the company discovered that a breach of its system had taken place in April which lead to one of the most significant large-scale information leaks in recent history.

According to Wall Street Journal contributor Shelly Banjo, Home Depot Inc. announced that a total of 56 million customer credit accounts were compromised during the breach, as well as an estimated 53 million email addresses.

After an in-depth examination, investigators discovered that, similar to the Target breach, hackers had gained access to their system after stealing authentication credentials from a third-party vendor used by Home Depot. After breaking into the network, cybercriminals were able to pinpoint and launch targeted attacks on the POS systems of 7,500 self-checkout terminals. Overall, malware lived in the stores’ systems for five months without being discovered.

“In fact, the hack might have gone unnoticed for much longer if the hackers hadn’t put batches of stolen credit-card numbers up for sale while a number of Home Depot executives were away on vacation for the Labor Day holiday,” Banjo pointed out. “Home Depot tried unsuccessfully to purchase some of the fraudulent credit cards from the website, but the site crashed as law-enforcement agencies, banks and criminals all tried to get their hands on them.”

This story comes in addition to a number of other recent retail breaches involving company’s POS register technologies. While not the only organization to be attacked in this manner, Home Depot’s breach was considerably extensive and serves as a warning for others in the industry. After the breach, former Home Depot chief executive Frank Blake noted that the company could have done more to secure its systems.

“If we rewind the tape, our security systems could have been better,” Blake said. “Data security just wasn’t high enough in our mission statement.”

Learning from this lesson, businesses should ensure that information protection, especially as it relates to payment systems, is high on the list of priorities.

Near Field Communication comes under attack
POS systems aren’t the only targets for cybercriminals in the current threat environment. With the advent of new technologies, including Near Field Communication used to enable services like Apple Pay and Google Wallet, hackers are setting their sights on mobile payments as well.

According to BBC, security experts recently met to review vulnerabilities related to NFC systems and discovered just how hackers could exploit these to gain control of mobile devices. At the Mobile Pwn2Own event in Tokyo in late 2014, teams tested eight different device platforms. Three successful hacking attempts leveraged weaknesses related to NFC to steal data and otherwise compromise the devices.

“NFC allows people to pay for goods and services by touching their handset to a payment terminal. But the inclusion of the technology on phones has proved useful to hackers seeking a stealthy way to take over a mobile phone,” BBC stated. “In most cases the bugs would give an attacker complete access to a device’s data.”

The results of the event showed that stronger security measures are needed both on the retailers’ side, as well as on the mobile development side. BBC reported that teams shared attack details with device manufacturers to help them patch and repair the bugs the experts exploited.

Custom strategies needed for protection
Particularly in the case of POS-based attacks, companies are in need of tailored protection measures that specifically patch the vulnerabilities existing within the business’s technology. Trend Micro noted that there are multiple points that hackers could exploit within a POS, including POS devices themselves, network communications and servers.

Therefore, there currently is not a one-size-fits-all safeguard to prevent POS breaches.

“[C]ompanies, especially those that accept card payments should consider implementing a customized defense strategy – one that specifically fits their network and how they create, use and process card information,” Trend Micro noted.

Working with a trusted security partner, businesses can craft unique safeguards that will address their specific needs and better protect their customers.

Related posts:

  1. Hackers breach payment processing firm; 1.5 million card numbers possibly exposed
  2. Apple Pay and adding complexity to payments systems
  3. Risk and Reward of Alternative Payment Systems
  4. Target breach shows need to create more secure payment systems.

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Cloud-based Email Threats Capitalized on Chaos of COVID-19
  • Detected Cyber Threats Rose 20% to Exceed 62.6 Billion in 2020
  • Trend Micro Recognized on CRN Security 100 List
  • Trend Micro Reports Solid Results for Q4 and Fiscal Year 2020
  • Connected Cars Technology Vulnerable to Cyber Attacks
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.