As you see in the news every month, credit card breaches are on the rise. Recent investigations into credit card merchant breaches indicate that many attacks have been aimed at insecure remote access. In this session, Matt will cover how a credit card breach happens, what you should do to protect your business and your customers, and how you can take action to secure remote access in your system.
Securing Remote Access
1. The Threat is Real:
Protecting Remote Access
Notice of Confidentiality. This presentation is furnished to you solely in connection with your referral partner relationship with Mercury Payment Systems, LLC (“Mercury”). By accessing, using, or receiving this presentation, you agree and acknowledge that the information contained herein (the “Information”) is confidential and proprietary information of Mercury. You agree to keep the Information confidential and not to forward or otherwise disseminate or use the Information for any purpose other than in connection with your referral partner relationship with Mercury, subject to the confidentiality and other terms of the referral partner agreement between you and Mercury. You accept the Information presented herein “as is,” without any representation as to its accuracy or completeness.
2. The Threat is Real
Mercury Confidential and Proprietary - For Recipient's Internal Use Only
Improper use of remote access is contributing to the growing number of POS attacks on small merchants
• Recent investigations by the card associations into retail merchant breaches indicate that attacks are being aimed at insecure remote access.
• Small merchant breaches are a growing concern.
• Weak passwords opened the door for the internal intrusion in 31% of compromises.
• Brute force attacks on remote access are on the rise. According to Kaspersky Lab, there have been 1,000+ unique attempts each day since June 3, 2014. *
* “A multi-headed battering ram: RDP Bruteforce attacks on the rise.” http://business.kaspersky.com/a-multiheaded-battering-ram-rdp-bruteforce-attacks-on-the-rise/
3. How Does a Breach Happen?
Once remote access vulnerabilities are attacked, malware is introduced and card numbers are stolen
• Hackers use publicly available tools to locate businesses that use remote desktop applications.
• Brute force attacks may use the login feature of the remote desktop solution, putting administrator accounts at risk.
• Most applications involving card swipes at the POS leave the cardholder data unencrypted and readable in computer memory.
• Intruders often disable anti-virus applications and establish additional back door connectivity through the installation of malware.
• Malware is installed to collect full track data from the POS system. A common example of this malware is “Backoff.”
4. A newly identified malware strain dubbed “Backoff” targets POS merchants and has been linked to numerous remote access attacks
Backoff is a family of POS malware and typically consists of four capabilities:
1. Scraping memory for track data
2. Logging keystrokes
3. Command and control (C2) communication
4. Injecting malicious stub into explorer.exe
Keylogging functionality is also present in most recent variants of Backoff.
Backoff POS Malware
On July 31, 2014, an advisory was issued about “Backoff Point-of-Sale Malware” and can be found at the following website:
https://www.us-cert.gov/ncas/alerts/TA14-212A
5. Are You at Risk?
If you answer “yes” to any of these questions, you are at risk
1. Do you use remote access to receive maintenance or service on your POS?
2. Can the POS be accessed for service 24/7 without you taking action to allow remote access?
3. Can the POS be accessed without your authorization?
6. Managing Secure Remote Access
Follow these eight steps to reduce your chances of a data breach
1. Limit the number of people who can access the system remotely. Only allow and provide remote access to those who have a strong business need, such as the POS system reseller for remote service, co-owners, management and administrators.
2. Use complex passwords and two-factor authentication for all access in the payment environment, including POS accounts and remote access. Properly store authentication/security tokens and change passwords every 90 days.
3. Do not share remote access credentials. Ensure that each user with remote access has a unique username and password. Do not use the same password for a group or chain of merchants. Each merchant location needs a unique username and password.
7. Managing Secure Remote Access
4. Disable remote access user accounts when no longer needed, and disconnect sessions after a specific period of time.
5. Install and keep anti-virus, anti-spyware and firewalls up to date. Regularly run scans for malicious software and review the results.
6. Maintain up-to-date software, operating systems and web browsers at all times. Use the latest version of a remote management product or service.
7. Avoid leaving remote access software on and "listening" for incoming connections. Where possible, select a remote access package that requires a user at your merchant site to start or log on to initiate a remote access session.
8. Reboot POS systems daily to clear volatile memory, and consider using a secure file wiping utility that can securely clear the contents of the page (swap) file.
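The brute force attacks described under "The Threat is Real" and the shared-credential problem in step 3 both leave traces in the POS host's logon audit trail. The script below is an added example (not from the presentation or from Mercury) that reviews a constructed, simplified Windows Security-log export for two signals a merchant or reseller should act on: a burst of failed RDP logons from one source, and a remote account used from more than one source address. The log format, thresholds and sample records are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data) in a simplified Security-log export:
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2014-06-03T02:10:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2014-06-03T02:10:02 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2014-06-03T02:10:03 EventID=4625 LogonType=10 Account=pos Source=203.0.113.7
2014-06-03T02:10:04 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2014-06-03T02:10:05 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2014-06-03T02:10:06 EventID=4624 LogonType=10 Account=administrator Source=203.0.113.7
2014-06-03T09:00:00 EventID=4624 LogonType=10 Account=svc_reseller Source=198.51.100.4
2014-06-03T09:05:00 EventID=4624 LogonType=10 Account=svc_reseller Source=198.51.100.9
2014-06-03T11:00:00 EventID=4625 LogonType=2 Account=cashier Source=-
"""
LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) Source=(?P<src>\S+)")

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["eid"], e["lt"] = int(e["eid"]), int(e["lt"])
        yield e

def rdp_bruteforce_sources(log, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP with >= threshold failed RDP logons inside `window`
    to True if a successful RDP logon from that IP followed the burst."""
    fails, wins = defaultdict(list), defaultdict(list)
    for e in parse(log):
        if e["lt"] == 10:  # only remote interactive (RDP) logons matter here
            (fails if e["eid"] == 4625 else wins)[e["src"]].append(e["ts"])
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:  # burst of failures within the window
                hits[src] = any(t > last for t in wins[src])
                break
    return hits

def shared_remote_accounts(log):
    """Accounts that logged in over RDP from more than one source IP, which
    suggests shared credentials (step 3 above)."""
    seen = defaultdict(set)
    for e in parse(log):
        if e["eid"] == 4624 and e["lt"] == 10:
            seen[e["acct"]].add(e["src"])
    return {a: sorted(s) for a, s in seen.items() if len(s) > 1}
```

A source flagged with True (a successful logon after the failed burst) is the case that warrants an immediate password reset and session review, not just a firewall block.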