Network systems attackers, as well as less-dangerous (though still nefarious) hackers, never rest in their ongoing quest to compromise franchise computer systems and capture a share of the billion-dollar bounty of stolen credit card data. When the final 2010 figures are tallied, the FBI expects that organized crime worldwide will net more illicit money from Internet fraud than from illegal narcotics trafficking.
Attackers' methodologies continue to evolve and grow more sophisticated. Franchises must do likewise to stay a step ahead and protect customers' personal information and their own hard-earned business reputations, indeed their very livelihoods.
Some quick definitions: "Attackers" break into franchise computer systems with specific criminal intent to steal and defraud, whereas "hackers" often do so for the challenge, the notoriety, or the thrill of the chase. Hackers can inflict costly system damage and inconvenience, as serious as system shutdowns, but this can pale in comparison to the damage from system attackers. An attacker's intrusion, if undetected, can inflict irreparable damage to franchise operations.
Their current "best practice" and number-one method to gain access to a franchise system (and ultimately to customer credit card data) is to compromise a vulnerable remote access application, such as one that allows owners and managers to log into a work computer from home or elsewhere.
Attackers increasingly target franchises that use remote access because, if they are successful, it allows them to completely bypass firewalls. The foremost vulnerability with remote access is not the tool itself, but rather how the remote access is configured. Merely requiring a user name and password allows an attacker to enter your network by breaking only a single level of security, and there are a plethora of available tools to help him. His job is made even easier when system administrators choose weak passwords (like "password"). Once he's gained network access, the attacker has the "keys to the kingdom," and is free to install a suite of malware designed to harvest customer credit card data and export it to his system.
Attackers' tools of the trade
Once inside a franchise network, attackers employ a variety of tools. Keyloggers, originally created for such legitimate purposes as helping employers and parents track workers' or children's correspondence and Internet usage, are a perfect attacker tool, used to capture all keystrokes and credit cards as they are swiped at a terminal. Antivirus software developers only recently began to flag keyloggers as potentially malicious, so the attackers' honeymoon with keyloggers may be nearing its end.
Not so with another of their favorites, memory scrapers (or memory dumpers). These pose grave danger not only because they typically go undetected by antivirus programs, but also because they can capture customer credit card data before it reaches the encrypting protection of a secure credit card payment application.
Attackers will stop at nothing to gain access to customer credit card information. As IT personnel become more adept at detecting traditional attack methods, attacker techniques morph. Recently attackers of POS systems have employed strategies typically reserved for web-based attacks (injecting malicious code into a system's kernel32.dll and user32.dll files, enabling it to seek out credit card data and funnel this information directly to attackers' systems). Not only are antivirus programs ineffective against this approach, locating and removing such malicious code requires above-average IT skills.
Apart from inconveniencing and potentially damaging customers' credit (not to mention business reputations and goodwill), the consequences of insufficient or lax system security also hit franchises squarely in the pocketbook.
How to avoid the high costs of lax security
For starters, Payment Card Industry (PCI) forensic investigations into suspected breaches average around $15,000 per franchise location. Credit card companies may hold merchants responsible beginning at $5,000 per location breached, and card issuers similarly seek reimbursement. In one instance, a small restaurant franchisee was charged $110,000 in reimbursement for fraud costs. Add to these the not-so-"soft" costs of damaged reputations from media reports stemming from consumer complaints, and the impact on franchises can be staggering, even fatal.
While there is no "silver bullet" that insulates a franchise from all attacks, adherence to the mandatory Payment Card Industry Data Security Standard (PCI DSS) is the best place to start. Strict compliance with this framework will help plug security holes that allow criminals to pocket your customers' card data. A good place to begin is by examining the security of your remote access. Remote access should always require "two-factor authentication." In addition a user name and password, two-factor authentication requires an additional step, such as physically calling a manager on-site to be granted remote system access. This is among the best "second factors." Another good second factor could require matching of Media Access Control (MAC) addresses between the remote and onsite systems.
Another simple, yet important security tip is to close Virtual Private Network (VPN) tunnels when they're not in use. Attackers can try to hack into the VPN only when it is open, so reduce their potential window by closing the VPN when not in use.
The use of wireless technology for payment applications presents another possible vulnerability that just isn't worth the risk. Even wireless encryption that is considered secure by today's standards may be compromised tomorrow.
These suggestions are far from a security panacea. Rather, they are simple starting points. Franchises do what they do best, whether operating restaurants, hotels, clothing, or sporting goods stores. They're usually not IT security experts, but IT security must be on their radar screen. Being PCI DSS-compliant and taking relatively simple steps can go a long way toward successfully fending off Internet attackers.
David Ellis, CISSP, QSA, PFI, is director of forensic investigations for SecurityMetrics, a leading provider of Payment Card Industry Data Security Standard security solutions. Contact him at 801-724-9600 or visit www.securitymetrics.com.