In today’s environment, the news of a company’s data breach isn’t as surprising as it used to be. The threat landscape is constantly changing, and businesses can sometimes have a hard time keeping up. Hackers leverage increasingly advancing attack strategies and are continually targeting different industries and technological systems.
Although many breaches have financial motives, cybercriminals have recently shifted their focus when it comes to monetary-based attacks. Instead of targeting the bank or financial institution, there have been rising instances involving retailers’ payment systems. As these attacks continue to impact big name vendors and their customers, one thing is clear: There is a need for better protection to ensure payment technologies are safer.
By examining the attack patterns and previous cases, businesses can learn how to deploy improved security measures to protect their technologies and their consumers’ payment information.
Case in point: Home Depot POS system hack
One of the most recent and high-profile payment system attacks involves home improvement retailer Home Depot. In late 2014, the company discovered that a breach of its system had taken place in April which lead to one of the most significant large-scale information leaks in recent history.
According to Wall Street Journal contributor Shelly Banjo, Home Depot Inc. announced that a total of 56 million customer credit accounts were compromised during the breach, as well as an estimated 53 million email addresses.
After an in-depth examination, investigators discovered that, similar to the Target breach, hackers had gained access to their system after stealing authentication credentials from a third-party vendor used by Home Depot. After breaking into the network, cybercriminals were able to pinpoint and launch targeted attacks on the POS systems of 7,500 self-checkout terminals. Overall, malware lived in the stores’ systems for five months without being discovered.
“In fact, the hack might have gone unnoticed for much longer if the hackers hadn’t put batches of stolen credit-card numbers up for sale while a number of Home Depot executives were away on vacation for the Labor Day holiday,” Banjo pointed out. “Home Depot tried unsuccessfully to purchase some of the fraudulent credit cards from the website, but the site crashed as law-enforcement agencies, banks and criminals all tried to get their hands on them.”
This story comes in addition to a number of other recent retail breaches involving company’s POS register technologies. While not the only organization to be attacked in this manner, Home Depot’s breach was considerably extensive and serves as a warning for others in the industry. After the breach, former Home Depot chief executive Frank Blake noted that the company could have done more to secure its systems.
“If we rewind the tape, our security systems could have been better,” Blake said. “Data security just wasn’t high enough in our mission statement.”
Learning from this lesson, businesses should ensure that information protection, especially as it relates to payment systems, is high on the list of priorities.
Near Field Communication comes under attack
POS systems aren’t the only targets for cybercriminals in the current threat environment. With the advent of new technologies, including Near Field Communication used to enable services like Apple Pay and Google Wallet, hackers are setting their sights on mobile payments as well.
According to BBC, security experts recently met to review vulnerabilities related to NFC systems and discovered just how hackers could exploit these to gain control of mobile devices. At the Mobile Pwn2Own event in Tokyo in late 2014, teams tested eight different device platforms. Three successful hacking attempts leveraged weaknesses related to NFC to steal data and otherwise compromise the devices.
“NFC allows people to pay for goods and services by touching their handset to a payment terminal. But the inclusion of the technology on phones has proved useful to hackers seeking a stealthy way to take over a mobile phone,” BBC stated. “In most cases the bugs would give an attacker complete access to a device’s data.”
The results of the event showed that stronger security measures are needed both on the retailers’ side, as well as on the mobile development side. BBC reported that teams shared attack details with device manufacturers to help them patch and repair the bugs the experts exploited.
Custom strategies needed for protection
Particularly in the case of POS-based attacks, companies are in need of tailored protection measures that specifically patch the vulnerabilities existing within the business’s technology. Trend Micro noted that there are multiple points that hackers could exploit within a POS, including POS devices themselves, network communications and servers.
Therefore, there currently is not a one-size-fits-all safeguard to prevent POS breaches.
“[C]ompanies, especially those that accept card payments should consider implementing a customized defense strategy – one that specifically fits their network and how they create, use and process card information,” Trend Micro noted.
Working with a trusted security partner, businesses can craft unique safeguards that will address their specific needs and better protect their customers.