People are an Organization's Biggest Vulnerability
According to DataBreaches.net, Marriott has been the victim of yet another data breach. Hackers claim to have stolen 20 gigabytes of sensitive data, including credit card data, from the BWI Airport Marriott in Baltimore, MD.
Melissa Froehlich Flood, a spokesperson for the Marriott, told The Verge that the company was “aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer.” Before going public with the hack, the threat actor had tried to extort the hotel chain, but no money was paid, Froehlich Flood said.
This is not the first time Marriott’s cybersecurity has been breached. DataBreaches.net has been tracking security breaches at Marriott or Marriott-owned hotels since 2010.
September 2010 – HEI Hotels & Resorts had a “vulnerability in an information system at certain of its hotel properties exploited”.
April 2011 – The Marriott Reward Program was breached due to a breach of their vendor Epsilon.
November 2018 – Marriott learned that a hotel they acquired in 2016 had been breached in 2014. This breach was estimated to have impacted 383 million guests.
October 2019 – While still dealing with litigation from the 2018 breach, another of Marriott’s vendors was breached.
March 2020 – Marriott announced a breach that took place in January and February 2020 which exposed 5.2 million guests’ personal information. This breach was caused by compromised login credentials for two of their employees.
Though the most recent breach is not the worst they have faced, it does demonstrate that thieves will repeatedly attack the same target.
Jack Chapman, VP of threat intelligence at cloud security provider Egress said, “As this latest data breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future. Social engineering is a highly effective tool and cybercriminals know that an organization’s people are its biggest vulnerability – which is why they return to this technique again and again.”
This is why it is important to make sure passwords are frequently reset, compromised credentials are changed, and employees are trained to recognize email phishing techniques. Incidents like this also help to explain why the PCI Security Standards Council has put strong emphasis on multi-factor authentication (MFA). PCI DSS v4 requires all users with access to cardholder data to use MFA, not just administrators.
Passwords: A Focus of v4
Assessing and strengthening password and authentication policies is one significant change in PCI DSS v4. Not only are requirements more stringent, they also address securing remote access, a path used by many hackers to infiltrate systems in the past.
Once v4 becomes the Standard, merchants must:
- Require multifactor authentication for all users accessing cardholder data. In versions past, multifactor authentication was required only for administrators who access systems related to processing or cardholder data. The newer version will require multifactor authentication for any account that has access to cardholder data.
- Change users’ passwords at least every 12 months, and any time that a compromise is suspected.
- Require that passwords be at least 15 characters in length and include both numeric and alphabetic characters. Prospective passwords will also need to be compared against a list of passwords that are known to be compromised.
- Review access privileges every six months to confirm that only people who specifically need access to cardholder data have permission.
- Enable vendor or third-party accounts only as needed and monitor them regularly while in use.
Merchants will not be required to comply with these changes until March 31, 2024, when v4 becomes the only Standard, but there’s no reason not to put these in place now. Each one of these requirements increases security to help prevent a compromise.
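The password and rotation rules listed above are easy to encode as a check that can run at password-change time and as a periodic sweep over accounts. The following is an added example, not code from this newsletter or from the PCI SSC; it implements the requirements exactly as this page states them (15-character minimum, numeric plus alphabetic characters, a compromised-password list, reset within 12 months or on suspected compromise). The breached-password list and the sample accounts are constructed for the demonstration; a real deployment would check against a maintained breach corpus.

```python
"""Added example (not from the newsletter or the PCI SSC): password-policy and
rotation checks encoding the v4 requirements as this page lists them."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 15        # minimum length as stated on this page
MAX_AGE_DAYS = 365     # "at least every 12 months"

# Constructed stand-in for a known-compromised password list. Only hashes are
# kept so the list itself is not a plaintext credential dump.
_CONSTRUCTED_BREACHED = ["Password12345678", "Summer2022Summer2022"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _CONSTRUCTED_BREACHED}


def password_problems(candidate: str) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears on the known-compromised list")
    return problems


@dataclass
class Account:
    username: str
    password_set_on: date
    compromise_suspected: bool = False


def needs_reset(acct: Account, today: date) -> bool:
    """True when the rotation rule applies: a compromise is suspected, or the
    password is older than 12 months."""
    if acct.compromise_suspected:
        return True
    return (today - acct.password_set_on) > timedelta(days=MAX_AGE_DAYS)


def accounts_due_for_reset(accounts: List[Account], today: date) -> List[str]:
    """Usernames whose passwords must be changed as of `today`."""
    return [a.username for a in accounts if needs_reset(a, today)]


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = [
        Account("alice", date(2021, 1, 1)),                       # stale: over a year old
        Account("bob", date(2022, 3, 1)),                         # fresh
        Account("carol", date(2022, 6, 1), compromise_suspected=True),
    ]
    print("due for reset:", accounts_due_for_reset(sample, date(2022, 7, 1)))
    for pw in ["short1", "Password12345678", "CorrectHorse9Battery"]:
        print(repr(pw), "->", password_problems(pw) or "accepted")
```

The check hashes the candidate before comparing it against the compromised list so the list can be stored as digests; the rotation sweep treats a suspected compromise as an immediate reset regardless of age.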
The MAXpci Team wishes everyone a Happy & Safe 4th of July!
Ransomware is Increasingly Popular Among Cybercriminals
The 2022 Verizon Data Breach Investigations Report shows that for the fifth consecutive year ransomware continues its upward trend, with nearly 25% of all data breaches involving ransomware. This trend indicates that despite warnings to businesses, ransomware continues to be a major cause of data breaches. The report shows the use of ransomware increased nearly 13%, a figure higher than the last 5 years combined. What makes ransomware so attractive to cybercriminals is the fact that they don’t have to find specific data; they are able to cripple the organization’s daily operations by simply encrypting all of their data. Alex Pinto, team manager at Verizon DBIR, made the following statement regarding ransomware.
"You're just selling back to the people who you stole from in the first place," he said. "They are the perfect customer for you, and this is what makes it so appealing as a vector of growth in the way that financially motivated breaches play out in the threat landscape." "Especially those in these specific small companies, which are less than 10 employees, they have been severely hit by ransomware."
The report also shows that nearly 80% of attacks against very small businesses (ten employees or less) are ransomware attacks. These small businesses are easier targets because they don’t tend to have large amounts of money to invest in their cybersecurity.
Desktop sharing software is used to access data in 40% of the attacks, while 35% involved malicious links or attachments in emails. It is vital that businesses of all sizes take steps to secure their data. Those steps can be as simple as utilizing antivirus programs to remove bots, and ensuring that security patches are installed immediately. The use of two-factor authentication and password managers provides significant help in safeguarding credentials. Email training for employees is also vital to prevent breaches. This training teaches employees to be suspicious of attachments or links and to spot the growing number of phishing attempts. By combining these tools, even the smallest businesses reduce their exposure to ransomware.
The MAXpci team wishes you a warm and safe Memorial Day.
Let us remember all of our heroes who have left us
while saving our lives and our country.
PCI v4.0 - Security as a Continuous Process
With the release of PCI DSS v4.0, the Security Council has responded to ever-changing technology by providing increased flexibility to merchants to help them secure cardholder data on an ongoing basis.
Emma Sutcliffe, the SVP, Standards Officer of the PCI SSC, says that:
“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment. Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”
Four main objectives the new version meets are:
• Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls
• Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment
• Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives
• Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure
Chetan Anand, the Associate Vice President of Information Security and CISO at Profinch Solutions, explains that continuous compliance starts with setting a solid foundation.
"First and foremost, one must develop and maintain a sustainable security program. This requires understanding that the purpose of the PCI DSS is to protect cardholder data from damages resulting from the theft or improper disclosure of cardholder data," he says. "This includes everyone in the payment chain: merchants, service providers, acquirers, issuers, the payment brands, and consumers."
Most current security methods secure the card data in its “container” - servers, networks, applications, etc., but this doesn’t allow for security once the data is in motion. According to the PCI Council, “the main goal of 4.0 is to promote security as a continuous process.”
PCI v4.0 is Here!
The big day is finally here – the Security Council is releasing the long-awaited PCI DSS v4.0 Standards. The documentation will be rolled out over the next few months, beginning with the Summary of Changes document now, along with the Report on Compliance Template and Attestations of Compliance. The SAQs will follow in the coming weeks.
Once the SAQs are released, they’ll be translated into several languages. The translated versions will be released between now and June 2022.
New Standards mean new training for QSAs and ISAs. Training is scheduled for June of 2022. We expect additional supporting documents to be published by the end of June.
The transition period from PCI DSS v3.2.1 to v4.0 is significantly longer than we’ve seen in the past. While v4.0 is being released now, both versions will be available for a full two years, allowing merchants time to become familiar with the new Standards, and make any required adjustments. PCI v4.0 will be the only active version on March 31, 2024.
Ransomware Attacks on the Rise
The threat of ransomware attacks has become so significant that the National Cybersecurity Alliance and the PCI Security Standards Council issued a joint warning bulletin earlier this month. In 2021, ransomware was responsible for attacks at 37% of businesses globally, with an estimated cost of $20 billion.
In a blog post on the subject, Lance Johnson, executive director of the PCI Security Standards Council, said:
“These cyber threats are real and require immediate action to better protect against these ongoing criminal activities.”
There is nothing new about ransomware; it’s been around for years. What is new is the increased number of attacks. In 2021, ransomware attacks represented 21% of reported data breaches, up from 17% in 2020. Thieves normally use phishing attacks to gain access to consumer data, such as usernames, passwords, and account numbers, but they are also becoming more sophisticated, allowing them to gain access to companies’ networks for bigger attacks. Once the malware is in the network, it can take advantage of any website or software vulnerabilities.
Prevention is by far the best defense against ransomware. Best practices to prevent a ransomware attack include:
• Identifying and securing important and valuable data
• Making sure all software applications are up to date by installing patches from vendors as they become available
• Monitoring the network for suspicious or unauthorized changes and investigating any such changes
• Regularly backing up data and testing the data recovery
• Educating employees about how to spot potential threats and how to avoid them
“The surge in ransomware activity has left many businesses and governments around the world scrambling for answers as they struggle to stay a step ahead of organized cybercriminal gangs,” Johnson says. “Utilizing good payment security practices and protocols can go a long way in guarding against these attacks.”
Early Detection is Critical to Minimizing a Breach
PulseTV, the “As Seen on TV” retailer, announced that they have been the victim of a breach. The breach started in November of 2019 and continued undetected until August of 2021. The breach was not discovered until November of 2021, by which time over 200,000 credit card records may have been exposed.
In a notification letter sent by PulseTV to its customers, they stated that Visa contacted them on March 8, 2021, and said that they were a common point of purchase for fraudulent credit card use, and that their e-commerce website may have been breached. PulseTV checked their network for malware and reviewed their security settings. They found no evidence to indicate that their site had been breached.
A few months after Visa contacted them, they were contacted by a law enforcement agency that was investigating fraudulent transactions that appeared to have come from pulsetv.com. According to the notification sent to customers, at that point PulseTV “started working with legal counsel with an expertise in cybersecurity. Legal counsel also hired nationally-recognized cybersecurity experts to assist with the investigation.”
The letter goes on to state “On November 18, 2021, our investigator learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard. Based upon communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between November 1, 2019 and August 31, 2021 may have been affected. The investigation was unable to verify that the website was the cause of the unauthorized transactions. However, in an abundance of caution, PulseTV is notifying customers, including you, who purchased products on our website during that time period so that they can take steps to protect and secure their credit card information.”
A Magecart attack is a cyberattack that injects malicious code into ecommerce checkout pages. This allows the hacker to “skim” sensitive and payment card data. Detecting this type of attack early is essential to preventing or minimizing the loss of card data. The use of file-integrity monitoring or change-detection software and regular internal and external network scans are crucial to early detection, as is requiring strong authentication for all access to system components, and things as simple as anti-virus protection and regularly applying security patches. This breach went undetected for nearly two years, despite notifications from Visa, law enforcement, and Mastercard, which led to a significant number of records being compromised.
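The file-integrity monitoring the paragraph above calls for comes down to two operations: record a trusted baseline of every file that makes up the checkout pages, and periodically re-hash the same tree and report anything added, removed, or altered. The following is an added example, not code from PulseTV or from this newsletter; it builds a baseline, simulates an unauthorized change to a constructed checkout directory (an extra script reference appended to the page and a new file dropped beside it), and returns the differences that a monitoring job would alert on. The directory layout, file contents and the appended snippet are all constructed for the demonstration.

```python
"""Added example (not from PulseTV or the newsletter): a minimal file-integrity
baseline and change check for checkout-page assets."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Map every file under `root` (relative path, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added since the baseline, removed from it, or changed in content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed checkout directory, alter it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "checkout.html"), "w") as page:
            page.write("<form id='pay'>...</form>\n")          # constructed content
        with open(os.path.join(root, "js", "cart.js"), "w") as script:
            script.write("console.log('cart');\n")             # constructed content
        baseline = hash_tree(root)

        # Simulated unauthorized change (constructed): a script reference appended
        # to the checkout page, and a new file dropped into the asset directory.
        with open(os.path.join(root, "checkout.html"), "a") as page:
            page.write("<script src='js/extra.js'></script>\n")
        with open(os.path.join(root, "js", "extra.js"), "w") as script:
            script.write("/* constructed placeholder */\n")

        return compare_to_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    findings = demo()
    for kind, paths in findings.items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored outside the web root (and ideally signed), the sweep would run on a schedule, and any non-empty `added` or `modified` list for checkout assets would be treated as an incident until a change ticket explains it.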
Mid-Sized Businesses at Greatest Risk of Attack
As we know, the pandemic created new security issues for merchants. Unfortunately, many have yet to fully address these issues, and they remain vulnerable to attack. Hackers know it, and have been taking full advantage of this, particularly in the case of mid-sized companies.
Security provider Coro recently published a report, "The Great Cyber Security Market Failure and the Tragic Implications for Mid-Sized Companies," that analyzed information from over 4,000 mid-sized companies (defined in the study as companies with between 100 and 1,500 employees). According to the report, the mid-sized businesses examined saw the number of attacks increase by at least 50% between 2020 and 2021. Businesses in the healthcare and transportation industries were hit hardest, with an increase of more than 125% during the twelve months from October 2020 to October 2021. The number of attacks at retail, manufacturing and professional services companies increased between 86% and 90% during the same timeframe.
The report goes on to say that mid-sized companies are 490% more likely to be the victim of a breach or other security incident today than they were in 2019. At the start of the pandemic, businesses shifted to remote work environments, which significantly increased the number of devices connecting to their networks remotely. They also increased their use of the cloud. Cybercriminals have responded with ransomware attacks via the cloud and email, endpoint malware, Wi-Fi phishing and insider threats to exploit any vulnerabilities, all of which many of these mid-sized businesses are woefully unprepared to ward off nearly two years later.
To help mid-sized businesses better protect themselves from data breaches and cyberattacks, Coro CEO Guy Moskowitz provides the following advice:
- Make sure you secure your email and cloud applications against malware, ransomware and account takeover. Such protection is not typically covered by email or cloud service providers.
- Antivirus products offer only a small chunk of the protection you need. Look beyond standard antivirus solutions toward full-fledged ransomware protection and device security tools.
- Install phishing prevention and protection for your email, Wi-Fi connectivity, and cloud applications.
- If you store private information for customers or employees, be sure to set up insider threat detection and data loss prevention across your endpoints, cloud applications, cloud storage and email.
As 2021 comes to a close, we wish you
a Happy New Year filled with
good health, happiness, and success!
Not all Holiday Traditions are Good
Over the last year and a half, many companies have shifted their cybersecurity attention to securing remote workers and Ecommerce sales. A recent breach notification from Costco is a reminder that breaches at brick-and-mortar locations are still a threat. On November 5th, 2021, Costco notified members that their payment card information may have been compromised because a skimming device was discovered on a payment terminal. Costco warned customers that the skimmer may have “acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV.” A Security Awareness Advocate from KnowBe4, Erich Kron, believes that PIN numbers may have also been accessed during the breach.
“Because Costco does not accept all major credit cards, many members have to process the payment as a debit card, allowing the cybercriminals that attached the skimmer to not only get the card number but also the PIN number,” Kron said.
Costco hasn’t announced the number of customers affected, nor have they revealed the location of the breach, but Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, believes a significant number of customers may have been affected if the skimmer was placed on a terminal in a high-traffic area.
“If undetected for even a month, it can compromise thousands of credit cards,” Clements said. “Costco didn’t say how routine the point-of-sale terminal checks that detected the skimmer occur, but with the scale of damage that can result from even one skimmer, retail organizations need to make it a frequent procedure.”
Armen Najarian, Chief Identity Officer at Outseer, believes that retailers will see an increase of these types of breaches this holiday season.
“As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes.”
“All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.”
This case is a good reminder that despite changes to the payments space over the last year and a half, thieves continue to use “old school” methods to access payment card information.
As we head into December, the team at MAXpci sends you and yours our best wishes for a safe, healthy, and happy holiday!
Work-from-Home Security Awareness Training
Security is an ongoing concern for businesses forced to send their employees home to work from hastily set up home offices. Once expected to be a short-term solution, work from home solutions have become permanent for many companies. In recognition of National Cyber Security Awareness Month (NCSAM), the PCI Security Standards Council is sharing resources each week on their PCI Perspective blog to help businesses address those concerns. The four weekly themes are:
Week 1: Be Cyber Smart: Best practices to protect data.
This week elaborates on the tips listed below to help small merchants protect credit card data.
TIP #1: Reduce where payment card data can be found.
TIP #2: Use strong passwords.
TIP #3: Keep software patched and up to date.
TIP #4: Use strong encryption.
TIP #5: Use secure remote access.
TIP #6: Properly configure firewalls.
TIP #7: Think before you click.
TIP #8: Choose trusted partners.
Week 2: Fight the Phish: Resources to help identify phishing attacks.
This week’s training covers ways to protect merchants from phishing attacks. Phishing attacks account for more than 80% of security breaches, according to Verizon’s Data Breach Investigations Report.
Week 3: Cybersecurity Career Awareness Week: Consider a cyber career.
This week covers the increasing need for security analysts. According to the U.S. Bureau of Labor Statistics, this need will increase by 33% by the year 2030. It also addresses the shortage of women in this field. Currently, only 20% of the cybersecurity workforce globally are female.
Week 4: Cybersecurity First: Guidance to make cybersecurity an organizational priority.
This week provides information about a 45-minute Work from Home Security Awareness training program that covers basic security training to educate organizations and remote workers on the basics for securely working from home. This program was created so that no previous knowledge of cybersecurity is needed to understand it.
Merchants can take advantage of any or all of these resources by going to:
Cloud Computing - Scoping Matters
Cloud services are a great tool for companies of all sizes because they provide access to the latest computer technologies without putting a financial strain on the business to make costly computer investments. While these companies offer low-cost options for businesses, many of them do not realize that they still have responsibilities regarding payment card information.
According to Jim Reavis, CEO of the Cloud Security Alliance, “Limiting exposure to payment data reduces the chance of being a target for criminals. Proper scoping of cloud environments is critical to achieving this goal.”
A misconception many businesses have is that by using a cloud service provider they have no responsibility for data security. This couldn’t be further from the truth. Payment card data security is typically a shared responsibility. Cloud scoping requires that all people, processes, and technologies used that interact with payment card data be identified.
Jim goes on to say “Cloud computing can be very secure when best practices are employed and all stakeholders understand their shared responsibility, which is learned through proper scoping. While companies of all sizes use the cloud, the knowledge gap is most evident with smaller businesses, which put them at risk of suffering a security incident. We are all in this together.”
To comply with PCI requirements for using a service provider, responsibility for data security must be clearly defined so that both the merchant and the service provider are aware of their responsibilities and requirements. The merchant must also monitor the service provider’s PCI compliance validation status on an ongoing basis to ensure that they are PCI compliant.
Work From Home Security Awareness Training
Well over a year into the COVID-19 pandemic, many businesses continue to operate from home offices. The PCI Security Standards Council (the Council) estimates that 25-30% of the workforce will still be working from home several days a week at the end of 2021. In the rush to set up remote work environments last year, many businesses overlooked cybersecurity best practices, leaving them vulnerable to attackers. With more and more businesses opting to continue working from home, it’s important that any gaps in security are closed. The Council has developed a 45-minute training course designed to help businesses work from home securely.
According to Travis Powell, the Council’s Director of Training Programs, “This training has been designed for all employees, regardless of technical experience. The 45-minute training has been set up as an engaging, self-guided, computer-based training, with content-related knowledge checks throughout the training. We designed the training in such a way that no previous knowledge of the PCI Data Security Standard (PCI DSS) is required. In fact, no in-depth knowledge of cyber security is required. We wanted to ensure this training provides basic security awareness and practices to the broader community.”
To learn more about this new training and the importance of prioritizing security in the remote workforce, read more from Travis at https://blog.pcisecuritystandards.org/new-training-work-from-home-security-awareness.
In order to make this training available to all merchants who need it, the Council is offering it at a very low price:
- $35 USD/per person for 1-99 employees
- $25 USD/per person for 100+ employees
- Customizable options for organizations seeking to train 500+ employees
For more information, and to register for the training, merchants can go to https://www.pcisecuritystandards.org/program_training_and_qualification/work_from_home_security_awareness
New Retailer Added to the Long List of Breaches
Fashion clothing line retailer Guess has joined the list of companies that have suffered breaches in 2021. The company announced mid-July that they discovered unauthorized access to some of their systems from February 2, 2021 to February 23, 2021. Quick detection limited the loss of personal information to just 1,300 people, but the compromised information included account numbers, debit and credit card numbers, social security numbers, access codes, and personal identification numbers.
According to Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, a provider of change management software, "There is a fairly large amount of unanswered questions in this breach notification and the event itself. Why sensitive personal information like SSNs or account details was stored in clear text is one of them. That some data sets were apparently incomplete indicates a lack in managing clean and lean data of its customers. Being stock listed, it will be interesting to read through filings for additional details and whether SEC will ask for more details. Measures to avoid such an incident, companies should make sure to have the essential controls in place."
BleepingComputer believes that the ransomware gang, DarkSide, is most likely the party behind the Guess attack. DarkSide appears to have been shut down following their cyberattack on the Colonial Pipeline, at which time law enforcement seized portions of their infrastructure.
While this cyberattack may seem small when compared to other attacks, any breach will cause damage to a company.
Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company, says, “Disclosure of the GUESS breach reminds us that not all ransomware attacks are big and ambitious. They come in all shapes and sizes and are as much a fact of life on the digital landscape as fender-benders on the freeway. We’re on the way to a more secure digital future, but in the meantime every business must realize what GUESS learned the hard way: all are potential targets. When all adopt a security-first IT philosophy emphasizing better attack detection, better quality of life will follow.”
PCI DSS v4.0 is Coming Your Way
After a lengthy delay caused by the pandemic, the PCI Security Standards Council is finally on track to release the long-awaited v4.0. Much has changed in the payments industry since v3.0 was released in November of 2013, and while there have been updates made to that version, the Standards have lagged behind.
The PCI Council plans to release the draft of v4.0 for community feedback in early Q1 of 2022. They want Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs) and Participating Organizations to have time to preview the draft before it is released, since it is going to be a significant revision. The plan is to officially launch v4.0 in March of 2022. The timeline they have released includes a transition period of 18 months, which will give organizations time to become familiar with the new standards and to update their documents, such as SAQs, ROCs, and AOCs. During this 18-month period versions 3.2.1 and 4.0 will both be active; v3.2.1 will be retired at the end of the transition period. There will also be requirements that are “future-dated” in v4.0 to give companies time to implement the new requirements. It appears the “future-dated” requirements could be extended to Q1 of 2025.
An Inauspicious Start to 2021
2021 is showing signs of setting a record for the highest data breach volume. In January alone, more data records were compromised than in all of 2017. Imperva, a cyber security company, recently published a report that revealed a total of 878.17 million data records were compromised worldwide in January 2021. There were 826.53 million records compromised in 2017, with an average number of 1.7 million records per breach.
Report author Ofir Shaty, Imperva security analyst technology lead, said:
“We can estimate that year-over-year we will see around three times more records stolen annually [in 2021],” “The constant increase in data breaches is a result of multiple factors,” he wrote. “We are living in a digitalization era in which more services are consumed on a daily basis with the majority of them online.” “More businesses are migrating to the cloud, which makes them more vulnerable if not done carefully.”
While most of the information stolen in breaches tends to be personally identifiable information (PII), Imperva reports that 9.2% is payment card data. Payment card data remains the main target for cyber criminals because of the high demand for it on the Dark Web.
As we know, 2020 had a huge impact on businesses around the world. Brick and mortar businesses suddenly went from face-to-face transactions to offering curbside pickup, delivery options, and online ordering. With businesses desperate to survive, and little to no time to make the transition, many were left open to security breaches.
Based on current trends, Shaty predicts that 2021 will see approximately 1,500 breach incidents with a total of 40 billion compromised records and an average of 26 million compromised records per breach.
Another EMV Deadline Has Come & Gone
Visa first announced plans to migrate to EMV chip transactions ten years ago, in 2011. Recognizing that it would take longer for fuel pumps to be capable of complying, the date was extended, first to 2017, then 2020, and finally, to April of 2021. As another date has come and gone, it’s estimated that roughly half of all US fuel pumps have yet to be upgraded.
The benefit to upgrading pumps is clear. Counterfeit fraud rates declined 22%, and counterfeit fraud dollars declined by 32%, during the first ten months of 2020 according to Visa. At the end of February 2021, VisaNet reported that approximately 51% of transactions processed through fuel pumps in the US were EMV.
Low conversion rates, already blamed on the limited number of technicians available to go on-site, have been further impacted by Covid. Debbie Guerra, the executive vice president at ACI Worldwide, said:
“While EMV compliance is a major undertaking, and one that requires a significant capital investment, there is no doubt that the pandemic also played a big role in some fuel merchants’ inability to meet the April deadline. With overall diminished resources due to the pandemic and slow testing and certification, which is typically done in person, merchants have certainly been challenged.”
The ACI survey results indicate that it may be a while before the stations they surveyed will be EMV compliant. Half of the 52% that are not fully compliant said they do not know when they’ll be able to become compliant.
To help eligible business owners who’ve yet to upgrade their pumps to process EMV transactions combat fraud at the pump in the meantime, Visa Transaction Advisor has been automatically enabled for one year. Visa Transaction Advisor is invisible to the cardholder while providing a layer of fraud protection to the merchant.
PCI Security Council Releases Updated Secure Software Lifecycle Standard
Responding to the increasing number of attacks targeting third-party payment applications, the PCI Security Standards Council published an update to the PCI Secure Software Lifecycle Standard last month.
“This update to our Secure SLC Standard and Program is a key step in promoting greater implementation by expanding eligibility to vendors that produce software and software components that may share resources within a payment environment,” Emma Sutcliffe, senior vice president, Standards Officer for PCI Security Standards Council said in a prepared statement.
Evolving security threats require frequent, on-demand updates to software. The PCI Secure SLC Standard v1.1 is designed to make it easier for developers to follow the Secure Software Lifecycle Standard by ensuring that proper assessment procedures are in place throughout the development lifecycle. Historically, updates had to be certified as being in compliance before they could be released, significantly slowing implementation. With this change, developers are only required to demonstrate compliance annually, allowing them to issue updates much more quickly.
“We knew we needed an updated standard that provided more flexibility in creating lifecycle security controls around payment data within applications and enables developers to come to market faster with applications and updates even as security threats evolve,” says Troy Leach, senior vice president and engagement officer for the PCI Security Standards Council.
One of the more serious threats that the new Standard can address is digital skimming. Digital skimming allows hackers to steal card data as the consumer enters it into a web form, or via a mobile app, making it more difficult to detect since the data is stolen before it reaches the merchant’s server. “Attacks against payment data are becoming more sophisticated and harder to detect,” Leach says. “The updated standard puts an application through rigorous testing to assure users it is secure. Once that methodology is in place, over time it will become an easier and more robust way for developers to follow the standard.”
With the implementation of the new Standard, the PCI Security Standards Council will retire the Payment Application Data Security Standard (PA-DSS) in October of 2022.
Here, Let Me Pop the Trunk
Thieves have had a field day exploiting the Covid-related e-commerce boom and have now added a new trick: taking advantage of curbside pickup. With a huge number of merchants now offering curbside pickup to attract retail customers who are uncomfortable shopping face to face, it has become an easy target for thieves because of the lack of controls in place.
Julie Conroy, the research director for Aite Group, says, “there is a whole class of merchants that have had to contend with e-commerce and card-not-present transactions that never had to prior to the pandemic, so it’s no surprise that this type of fraud is rising.” Conroy adds, “We are constantly hearing from merchants [that] there has been a 25%-to-30% uptick in card-not-present transactions during the pandemic and that card-not-present fraud is rising at a commensurate rate.”
The Aite Group projects that there will be $7.9 billion in card-not-present losses in 2021, up from an estimated $7.2 billion in 2020. Another e-commerce fraud being used is enumeration fraud. In this method, automated programs try different combinations of payment data from e-commerce transactions to identify the account number, CVV2 code, and/or expiration date.
According to Visa Inc.’s Biannual Payment Ecosystem Report, “threat actors adapted to the Covid-19 pandemic by illicitly creating and subsequently using Covid-19-related merchant names to conduct enumeration attacks, as well as targeting donation related merchants.”
Point-of-sale malware attacks are also rising. With this method, thieves target e-commerce merchants to obtain compromised payment accounts by sending a merchant a phishing email that launches malware into the merchant’s POS system when the message is opened or when the merchant clicks on a link in it.
“These types of attacks are a throwback to the days before chip cards, when mag-stripe data was stolen for counterfeit cards,” says Conroy. “Today, counterfeit cards can only be used at merchants that don’t have terminals with chip readers or online merchants that don’t require a CVV2 number. Another problem around POS malware is that criminals typically target small merchants for attack and then repackage the data into a large bundle for sale on the dark Web. When the data is sold in bulk, it becomes difficult to detect the actual point of compromise,” Conroy says.
New Year, New Breach
“New year, new breach” is a phrase that is all too familiar to us. We’ve come to expect that a new breach will be announced at the beginning of each year; it’s just a question of who will be the “lucky” one to kick things off. Bonobos, a men's clothing retailer, appears to hold that honor for 2021.
Bonobos started out selling online only, then expanded to include brick and mortar locations, ultimately opening 60 stores. In 2017, Bonobos was bought by Walmart for $300 million, with the expectation that Bonobos’ clothing would be sold on Walmart’s Jet.com site. Earlier this month, Bonobos notified customers that they were the victim of a massive breach. The exact time frame of the breach is not yet known, but some of the data stolen dates back as far as 2014, with some data from as recent as July of 2020. The company learned of the breach after an attacker known as ShinyHunters dumped Bonobos’ database to a free hacker forum. ShinyHunters is well known for hacking online services and selling databases that have been stolen.
The attacker released 70 gigabytes worth of data, including customer addresses, phone numbers, partial credit card numbers, order information, and password histories. Thus far, it has been found that 7 million customer phone numbers and addresses have been stolen, 1.8 million customers have had account information, including passwords, compromised, and 3.5 million partial credit card numbers have been stolen.
Bonobos said that the information was not accessed from their system. It was accessed from the external cloud platform they use to back up their files. Once again, failing to ensure that vendors with whom sensitive data is shared are themselves secure has resulted in a breach that has compromised customer information.
Falling Compliance Rates Amid Increasing Breach Risk
As the pandemic rages on, payment card security continues to be a challenge. Unfortunately, it’s a challenge many organizations are failing to meet. This year’s Verizon Data Breach Investigations Report found that for the third year in a row compliance is on the decline, with a 27.5% drop since 2016.
Payment card data continues to be one of the most lucrative targets, accounting for 9 out of 10 data breaches by cybercriminals. In the retail industry, 99% of breaches were focused on stealing payment card data for criminal purposes.
The report goes on to state that on average only 27.9% of global organizations maintained full compliance with the PCI DSS.
“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.
“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.
“Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”
With companies transitioning to remote working environments almost overnight, the increased burden of ensuring that all those new work “locations” are operating in a secure environment may mean further drops in compliance rates for 2020.
As far as specific problem areas go, the biggest areas of non-compliance were as follows:
PCI Version 4.0 to Take a Flexible Approach to PCI Compliance
Covid-19 has forced many businesses to significantly change their business model. One of those changes is that more employees who have access to payments data are working from home. Shifting from the office/storefront to home, coupled with travel restrictions, has made it difficult, if not impossible, for onsite inspections to take place. Recognizing that changes to the payment landscape also change a merchant’s ability to comply, the PCI Security Standards Council has announced plans to make the next version of the security standard more reflective of changes in the workplace.
“With more employees working remotely, there needs to be a new approach to protecting payment data,” says Troy Leach, senior vice president for the PCI council. “The standard also needs to recognize there may be circumstances that prevent an assessor from conducting an onsite assessment, such as travel advisories or restrictions relating to coronavirus, and that result in the assessment being conducted remotely.”
None of this means that standards are being lowered – no matter where the work is being done, there are always steps that can be taken to maintain a secure environment. Those steps include reviewing security policies with employees, and checking audit logs for any changes that may have created a vulnerability. “Our aim is to rethink how remote assessments are performed without increasing the risk of the assessment” says Leach.
“Most PCI data-security standard requirements are a demonstration of a process,” says Leach. “As the work environment changes, [data-security] processes must change with it.”
Leach went on to say that making adjustments to accommodate remote workers is not expected to be a temporary trend. Many companies have already made plans to continue to work remotely even after the pandemic ends. Making sure that employees who continue to work from home understand how to protect data long term will require continuing education, as well as independent testing to verify that the remote workplace is secure.
“This was something that was being discussed prior to the pandemic,” says Leach. “Covid-19 just accelerated the discussion, because remote work will continue to be the norm for the foreseeable future.”
“The disruption from the Covid-19 pandemic is changing the payment industry,” says Leach. “That’s why version 4.0 of the standard is going to be more flexible.”
Subscription Boxes: More than You Bargained For?
Over the past few years, various online subscription box companies have emerged and many have become extremely popular. What’s not to love about paying a set monthly fee, and receiving a box of surprise items based on your likes? FabFitFun suffering two Magecart attacks in a four-month period may take some of the enjoyment out of those boxes filled with surprises.
The FabFitFun subscription service released a notification informing customers that it suffered the initial attack between April 26, 2020 and May 14, 2020, and the second from May 22, 2020 until August 3, 2020. During these time frames, there was an active skimmer running on its payment page which exposed emails and passwords for PayPal or Apple Pay, along with names, addresses, payment card account numbers, card expiration dates, and card verification codes.
While it is not unusual for hackers to attempt a Magecart reinfection, it is unusual that they were successful. That indicates that the company did not take the proper steps to secure their data when the first breach was discovered in mid-May, which left their cardholders vulnerable until August 3, 2020, angering many of their customers. One customer not only got angry, she took action – Cheryl Gaston alleges in a proposed class action suit filed this month in the US District Court for the Central District of California that the retailer acted negligently and violated the Colorado Consumer Protection Act when it failed to safeguard customer data.
Allegations made in the filing include:
16. Defendant does not claim that it abides by the Payment Card Industry Data Security Standard (“PCI DSS”) compliance, which is a requirement for businesses that store, process, or transmit payment card data.
17. The PCI DSS defines measures for ensuring data protection and consistent security processes and procedures around online financial transactions. Businesses that fail to maintain PCI DSS compliance are subject to steep fines and penalties.
18. As formulated by the PCI Security Standards Council, the mandates of PCI DSS compliance include, in part: Developing and maintaining a security policy that covers all aspects of the business, installing firewalls to protect data, and encrypting cardholder data that is transmitted over public networks using antivirus software and updating it regularly.
Based on information released to date, it appears unlikely that the hackers would have been successful in stealing this data had FabFitFun been PCI compliant.
Are Hackers Lying in Wait?
The law of supply and demand is as true in cybercrime as it is in business. With many brick and mortar businesses locked down or closed, counterfeit cards are not as “useful” as they were prior to COVID-19. Gemini Advisory, a cyber intelligence firm based in New York that closely tracks dark web stores that traffic in stolen card data, reports that the decrease in demand has resulted in significantly lower prices in the underground. Stas Alforov, Gemini’s director of research and development, told KrebsOnSecurity, “Gemini Advisory has seen over 50 percent decrease in demand for compromised card present data since the mandated COVID-19 quarantines in the United States as well as the majority of the world.” Alforov said the average price for card-present data - card numbers stolen from hacked brick-and-mortar merchants with the help of malicious software installed on point-of-sale (POS) devices - has dropped significantly since the beginning of 2020.
With the increase of online sales this year, the demand for stolen “card-not-present” data has remained high. Gemini found prices for this data have actually increased slightly since the beginning of the year.
What does the increasing shift to card-not-present fraud, coupled with significantly fewer transactions being processed by smaller online retailers, mean? Andrew Barratt, an investigator with Coalfire, a cyber forensics firm, reports a new COVID-19 dynamic going on with e-commerce fraud that is making it harder for banks and card issuers to trace patterns in stolen card-not-present data back to hacked web merchants — particularly smaller e-commerce shops. “One of the concerns that has been expressed to me is that we’re getting [fewer] overlapping hotspots,” Barratt said. “For a lot of the smaller, more frequently compromised merchants there has been a large drop off in transactions. Whilst big e-commerce has generally done okay during the COVID-19 pandemic, a number of more modest sized or specialty online retailers have not had the same access to their supply chain and so have had to close or drastically reduce the lines they’re selling.”
A basic anti-fraud process known as “common point of purchase,” or CPP, analysis involves comparing the transaction histories of cards known to be used fraudulently to find the merchant location they have in common, and so the merchant that was likely compromised. With fewer transactions, this has become much more challenging, particularly at smaller retailers.
“With a smaller transactional footprint means less Common Point of Purchase alerts and less data to work on to trigger a forensic investigation or fraud alert,” Barratt said. “It does also mean less fraud right now – which is a positive. But one of the big concerns that has been raised to us as investigators — literally asking if we have capacity for what’s coming — has been that merchants are getting compromised by ‘lie in wait’ type intruders.”
Barratt suspects that hackers are essentially biding their time, waiting for smaller online merchants to see an increase in volume, putting the hackers in a better position to mix the sale of cards stolen from many hacked merchants and further confound CPP analysis efforts.
“These intruders may have a beachhead in a number of small and/or middle market e-commerce entities and they’re just waiting for the transaction volumes to go back up again and they’ve suddenly got the capability to have skimmers capturing lots of card data in the event of a sudden uptick in consumer spending,” he said. “They’d also have a diverse portfolio of compromise so could possibly even evade common point of purchase detection for a while too. Couple all of that with major shopping cart platforms going out of support and furloughed IT and security staff, and there’s a potentially large COVID-19 breach bubble waiting to pop.”
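The CPP logic described above can be made concrete with a small script. The following is an added example written for this article, not code from Coalfire, Gemini Advisory or any card issuer; the transaction history, card identifiers and merchant names are constructed, and the min_support and min_lift thresholds are illustrative assumptions. It ranks merchants by how many fraud-reported cards they share and by their lift over the merchant's normal share of all cards, then replays the same history with a reduced transaction footprint at the compromised merchant to show why fewer transactions mean fewer CPP alerts.

```python
from collections import defaultdict

# Constructed sample data (not real transactions): (card_id, merchant_id) pairs
# as an issuer would see them in its authorization history.
TRANSACTIONS = [
    ("c1", "shop-A"), ("c2", "shop-A"), ("c3", "shop-A"), ("c4", "shop-A"), ("c5", "shop-A"),
    ("c1", "bigstore"), ("c2", "bigstore"), ("c3", "bigstore"), ("c6", "bigstore"),
    ("c7", "bigstore"), ("c8", "bigstore"), ("c9", "bigstore"), ("c10", "bigstore"),
    ("c11", "bigstore"), ("c12", "bigstore"),
    ("c4", "cafe"), ("c6", "cafe"), ("c7", "cafe"),
]
# Cards the issuer has since confirmed as used fraudulently (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c4", "c5"}

# The same history after a downturn: three of the compromised cards never
# shopped at shop-A, so the merchant's transactional footprint is smaller.
LOW_VOLUME_TRANSACTIONS = [
    t for t in TRANSACTIONS if not (t[1] == "shop-A" and t[0] in {"c3", "c4", "c5"})
]


def common_point_of_purchase(transactions, fraud_cards, min_support=3):
    """Rank merchants by how strongly they are shared among fraud-reported cards.

    For each merchant we count the fraud cards seen there ("support") and compute
    a lift: the share of fraud cards that used the merchant divided by the share
    of all cards that used it. Lift near 1 means the merchant is simply popular
    (a big store everyone uses); lift well above 1 points at a common point of
    purchase. Merchants below min_support are dropped as too weak a signal.
    Returns a list of (merchant, support, lift) sorted by lift, then support.
    """
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    all_cards = {card for card, _ in transactions}
    ranked = []
    for merchant, cards in cards_at.items():
        support = len(cards & fraud_cards)
        if support < min_support:
            continue
        fraud_share = support / len(fraud_cards)
        base_share = len(cards) / len(all_cards)
        ranked.append((merchant, support, round(fraud_share / base_share, 3)))
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


def cpp_alerts(transactions, fraud_cards, min_support=3, min_lift=1.5):
    """Merchants whose support and lift are high enough to warrant a forensic look."""
    return [m for m, _, lift in common_point_of_purchase(transactions, fraud_cards, min_support)
            if lift >= min_lift]


if __name__ == "__main__":
    print(common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS))
    print("alerts, normal volume:", cpp_alerts(TRANSACTIONS, FRAUD_CARDS))
    print("alerts, reduced volume:", cpp_alerts(LOW_VOLUME_TRANSACTIONS, FRAUD_CARDS))
```

With the full history, shop-A is shared by all five fraud cards and stands out clearly against the large store that every card uses. In the reduced-volume replay the same compromised merchant drops below the support threshold and produces no alert at all, which is the "lie in wait" problem Barratt describes: the intrusion is unchanged, only the evidence is thinner.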
COVID Creates New Opportunities for Thieves
COVID-19 may have diverted thieves’ attention away from brick and mortar theft, but it has not stopped them from attacking companies. Since the beginning of the pandemic there has been an increase in email phishing attacks, but one group of bold thieves is taking phishing to a new level. They are marketing a voice phishing service, also known as vishing, to steal VPN credentials from unsuspecting employees. These attacks typically start with a paid request from thieves to target specific companies or employees. A typical vishing group requires at least two people. One person has a one-on-one phone call with the unsuspecting target, while their co-conspirator uses the compromised credentials to log into the company’s actual VPN in real time. From there, they can take control of the company’s website and email accounts.
The attackers go to great lengths to make this scheme seem believable. They start by creating phishing sites that mimic the company they are attacking. These sites usually include the company’s name followed or preceded by terms such as VPN, ticket, or portal. The sites often include working links to the company’s own internal online resources. To increase the feel of “legitimacy”, attackers will often then create LinkedIn profiles and connect with other employees within the targeted company to increase believability. They’ve even managed to circumvent some types of multi-factor authentication because their fake sites can be set up to request the one-time code.
Once the site is created, they move on to contacting the merchant on the phone. The thieves typically target new hires because they are not as familiar with other employees. They will pose as someone from the company’s IT department with the goal of convincing the employee to provide them with their VPN credentials, or to have the employee input the credentials into the bogus site they created. Once the thieves are in, they quickly try to locate any digital information that can be used for quick financial gain.
What’s a merchant to do? This is where security training is crucial. Constantly reinforcing security policies with employees and educating them on the importance of securing all information prevents thieves from exploiting employees and gaining access to financial data.
The Importance of Two Factor Authentication
Due to the global pandemic, many people have turned to using online grocery shopping services to keep themselves safe from being exposed to Covid-19 at their local grocery stores. One of these services, Instacart, has seen its customer base grow significantly since March when the pandemic caused shutdowns across the United States and Canada. While they’ve been scrambling to hire hundreds of thousands of people to keep up with the increased demand, it appears that thieves decided to help themselves to their data.
On July 22, 2020, BuzzFeedNews announced that Instacart may have suffered a breach. The names, the last four digits of credit card numbers, and order histories of almost 300,000 Instacart customers were found in two stores on the Dark Web. An Instacart spokesperson released a statement to BuzzFeedNews denying a breach.
“We are not aware of any data breach at this time. We take data protection and privacy very seriously.”
Since news of the potential breach was announced, Instacart has stated that they believe the accounts were accessed through credential stuffing. Credential stuffing is a type of cyberattack that uses stolen login credentials from one site or service to attempt to access various other sites and services.
This loss of data could have been avoided had Instacart had two-factor authentication in place. Two-factor authentication adds an additional layer of security that a stolen password alone cannot get past. Even though Instacart states, “We take data protection and privacy very seriously,” it has been reported that they do not support two-factor authentication, and when asked about their plans for implementing it, they had no comment.
Hackers Exploit Retailers During Early Days of Covid-19 Crisis
Just as the US is seeing new surges in Covid-19 cases, there are concerns that merchants may soon see a surge of data breaches. When retailers were forced to close the doors of their brick and mortar locations, with little-to-no advance notice, back in March and early April, they were sent scrambling to adapt to a “new normal”. Efforts were devoted to finding ways to process contactless payments, make contactless deliveries, and generally stay in business. While they were busy trying to survive, hackers were quietly planting malware to allow them to skim payment card details.
One retailer to fall victim to this is Claire’s, a jewelry and accessories retailer. Claire’s, along with Icing, their sister company, announced that they have been the victim of what is believed to be a Magecart attack. Magecart attacks are typically initiated by hackers who use malware to insert harmful code into a company’s website. Once they insert their own code within the website’s existing code, it can then be used to gather information entered during the checkout process without making any change to the transaction process.
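One way a merchant can notice the kind of change described above is to keep an inventory of the scripts its checkout page loads and compare every new crawl against an approved baseline; repeating the comparison after a cleanup also catches a reinfection like the one FabFitFun suffered in the Subscription Boxes item. The Python below is an added example for this article, not Sansec’s tooling or any merchant’s code: both HTML pages are constructed, the hostnames use the reserved .test and .invalid domains, and the injected scripts are inert placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed checkout page as it looked when the baseline was approved (not any
# real merchant's page; hostnames use reserved .test/.invalid TLDs).
BASELINE_HTML = """
<html><head>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="payment"><input name="card"></form></body></html>
"""

# The same page after an unauthorized change: one extra external script and one
# extra inline script have appeared. Both injected bodies are placeholders.
MODIFIED_HTML = """
<html><head>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script src="https://assets.example-cdn.invalid/jquery.min.js"></script>
</head><body><form id="payment"><input name="card"></form>
<script>/* placeholder for an unexpected inline script */ var injected = 1;</script>
</body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_hashes = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data (CDATA mode)
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())


def script_inventory(html):
    """Return (external script URLs, inline script hashes) found in the page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def find_unexpected_scripts(html, baseline_html):
    """Scripts present in `html` that were not part of the approved baseline page."""
    base_external, base_inline = script_inventory(baseline_html)
    external, inline = script_inventory(html)
    return {
        "external": sorted(set(external) - set(base_external)),
        "inline_hashes": sorted(set(inline) - set(base_inline)),
    }


if __name__ == "__main__":
    print(find_unexpected_scripts(MODIFIED_HTML, BASELINE_HTML))
```

Hashing inline bodies rather than storing them means the baseline stays small and a single changed byte in a first-party snippet is reported, while an unchanged page yields an empty report. In practice the crawl should be run from outside the merchant’s own network and on a schedule, since the Claire’s skimmer sat in place for weeks before anyone looked.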
In this case, the Magecart attack began skimming payment card information from Claire’s website around April 20, but it is believed to have been inserted as early as March 20, the day after Claire’s physical locations were closed due to Covid-19. The combination of an increase in online traffic and a reduced workforce available to oversee any possible threats allowed hackers to skim payment card data for nearly two months before it was discovered by researchers at Sansec, a security firm. While the investigation is still ongoing, Claire’s has determined that no in-store transactions were compromised.
“Any crisis is a green light to cybercriminals and scammers,” said Jim Van Dyke, CEO of Breach Clarity, a San Francisco fraud prevention and detection technology firm. “COVID-19 has created an enormous amount of uncertainty and chaos at a scale we’ve not seen before. People are scared, anxious and desperate for anything that might help them through this troubling time. That makes them incredibly vulnerable. And, if you consider their private information is floating around the dark web, just waiting to be purchased by an opportunistic scammer, it’s the perfect storm.”
PCI Security Standards Council Delays Version 4.0
In light of changes and delays brought on by the COVID-19 pandemic, the PCI Security Standards Council has announced that they are delaying the release of version 4.0. This version was originally expected to be released late this year, with a one-year window for merchants to comply with the new standards. In order to allow sufficient time for the Council to review comments generated by the Request for Comment issued previously, as well as another that they expect to issue in October of 2020, they have announced that PCI DSS version 4.0 will be published sometime in 2021, with a two-year window to comply with the new standards.
As a reminder, the PCI Security Standards Council has released a resource guide, found at https://blog.pcisecuritystandards.org/8-tips-for-small-merchants-protecting-payment-data-during-covid-19 to help small merchants keep their customers’ payment data secure in this rapidly changing environment.
In addition to this resource for small merchants, the Council has established resources for all COVID-19 updates, which can be found by going to https://www.pcisecuritystandards.org/covid19.
Protect Yourself, Protect Your Network
Over the last few weeks, companies across the US have found themselves forced to set up remote access to systems to allow employees to work from home. While some companies have maintained a remote work environment for years, many businesses have had to scramble to comply with government orders that have typically been issued with little to no advance warning. Even companies that have previously maintained a remote workforce have been faced with the challenge of having as much as 100% of their workforce working from home. Inevitably, the lack of ramp-up time, coupled with the general anxiety of coping with a pandemic, translates into opportunities for hackers to access far more networks than ever before. While this may not seem to be a huge risk for many companies, let’s not forget that the Target breach did not originate with Target; it began with hackers accessing an HVAC company that happened to have remote access to Target’s stores.
Businesses should be more vigilant than ever to protect against network intrusions, phishing campaigns, and bogus requests for financial data. Crooks are taking advantage of COVID-19 fears, rapidly changing work environments, and a distracted workforce to trick individuals into clicking on links, visiting websites and opening emails that contain malware. The threats come from a number of sources, including targeted attacks against the health and life sciences industry, and bad actors posing as CDC or WHO representatives.
Fortunately, just as washing our hands reduces the risk of getting COVID-19, there are basic security steps that can be taken to also reduce the risk of cyberattacks:
- Never open attachments in unsolicited emails.
- Never click on links in unsolicited emails.
- Never provide personal or financial information in response to online solicitations or unsolicited email.
- Educate yourself on how to spot phishing attacks, including sophisticated messages and spoofed emails.
- Use only trusted sources like verified government websites for COVID-19 information.
- Never donate to charities without first verifying their authenticity.
- Never download unauthorized or unsupported software on any device used to access company networks.
- Be sure that software and settings on all devices used to access company networks are secure and regularly updated with all security patches.
- Update home Wi-Fi routers to the latest firmware and use strong Wi-Fi passwords.
Our country is facing an unprecedented time. The MAXpci team sends our very best wishes to every one of you, your family and friends. Stay home and stay healthy. Together, we will get through this.
With Automation Comes Increased Risk
Application programming interfaces, also known as APIs, are becoming increasingly popular because they automate the process of sending information between different platforms. Crooks agree. They are also becoming increasingly interested in this process, because it provides them another means of gaining access to data. So much so that Akamai Technologies reports that criminals launched more than 16.6 billion attacks against the points of access in API connections between December 2017 and November 2019.
Criminals use a method known as credential stuffing to attempt access to APIs and other web-based applications. Credential stuffing uses stolen username and password combinations from a previous breach to attempt to gain access to other accounts. Yet another reason not to use the same credentials for multiple accounts.
With APIs catching the interest of so many criminals, how do merchants protect themselves? Steven Ragan, a security researcher at Akamai, has recommendations that fall in line with PCI standards.
“Payments companies can take several steps to protect their API connections. Limiting the rate of access and protecting the APIs directly is a start. Enabling and enforcing strong multifactor authentication processes is another layer of defense,” Ragan says. “In addition, education about the use of password managers, multifactor authentication tools, and phishing is [another] step.”
Wawa Stolen Card Numbers for Sale on the Dark Web
Last month we reported that Wawa had suffered a breach that lasted over nine months. Once the malware was found, it was quickly contained; however, the damage was already done. The breach exposed debit and credit card numbers, expiration dates, and cardholder names of customers that made purchases at any Wawa. On Monday, January 27, 2020, a popular underground crime shop known as Joker’s Stash claimed to have 30 million records for sale, many of which can be traced back to purchases made at Wawa. This batch of cards has been named “BIGBADABOOM-III” by Joker’s Stash.
Wawa released a statement to KrebsOnSecurity regarding the claim by Joker’s Stash.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data. We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”
Gemini Advisory, a New York-based fraud intelligence company, said the largest amount of card information for sale traced back to Wawa customers in Florida and Pennsylvania. Gemini Advisory also said that only a small portion of the 30 million cards Joker’s Stash claims to have are currently for sale. Joker’s Stash will not release too many cards at one time because doing so would drive down the selling price. Currently, the price is $17 per card, with some international cards selling for as much as $210 per card.
It’s estimated that this breach will cost Wawa millions of dollars in fines. The total impact remains to be seen; there has already been one class action suit filed against the company.
The MAXpci team enjoys meeting and interacting with people from all over the country at industry events. Please drop by our booth if you are attending any of these events. We look forward to meeting with you.
Northeast Acquirers Association
Southeast Acquirers Association
Midwest Acquirers Association
Western States Acquirers Association
To schedule a meeting with us at any of these events, please contact us at sales@MAXpcicomply.com.