Securing Merchant Terminals and Ecommerce Systems
December 06, 2016 / Source: FS-ISAC
This advisory was prepared in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Retail Cyber Intelligence Sharing Center (R-CISC) and the United States Secret Service (USSS), and is directed to retailers and other companies that process financial transactions and manage customer personally identifiable information. It provides information and recommended mitigations for common cyber-exploitation tactics, techniques and procedures (TTPs) that attackers have consistently and successfully leveraged in the past year. Many of these TTPs have been observed by FS-ISAC and R-CISC through their members and identified in Secret Service investigations. Some of the TTPs in this advisory have been reported in prior advisories; repeating them and their risk mitigation suggestions is deliberate, because attackers continue to succeed with these techniques.
The TTPs discussed in this report include:
- Trends on attacks against terminals using older technology;
- Unauthorized access via remote access;
- Attacks against online merchants that use open source shopping carts;
- Exploiting commercial application vulnerabilities;
- Email phishing; and
- Unsafe web browsing from computer systems used to collect, process, store or transmit customer information.
This document provides recommended security controls for the areas in which these attacks have been observed, in order to protect customer data, and includes recommendations for smaller merchants, who should work with their vendors to implement them (see Appendix A). This advisory is not intended to be a robust, all-inclusive list of procedures, as attackers will modify their TTPs depending upon the target’s network and vulnerabilities. This report does not contain detailed information about the memory-scraping Point of Sale (PoS) malware that has been used in recent high-profile data breaches; Secret Service investigations of many of the recent PoS data breaches have identified customized malware being used only once per target. A list of observed PoS malware families is provided in Appendix B.
These recommendations should be analyzed by cyber threat analysis and fraud investigation teams based on their operational requirements. The information contained in this advisory does not augment, replace or supersede requirements in the Payment Card Industry Data Security Standard (PCI DSS); however, PCI DSS version 3.0 recommendations are cited where appropriate. (For the full PCI DSS v. 3.1 guide, see https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf.)