© 2014 First Data Corporation. All Rights Reserved.
Rick Van Luvender
Limiting Your Exposure
Cyber Security
Small businesses and security: top four most common misconceptions

Misconception / Reality
1. "I don't need it" / Even though 90% of all data breaches target small merchants, many business owners don't put much thought into their day-to-day security.[1]
2. "I'm not liable" / If a breach were to happen, you could very well be liable for the costs.
3. "Nothing has happened yet" / The likelihood of a data breach is greater than you may think, and the consequences can be catastrophic.
4. "I'm already protected" / Your current payment processing may not fully protect your payment data from the moment a card is swiped.

[1] Trustwave SpiderLabs, Trustwave Global Security Report 2012
Business impact of a data breach
If your business is impacted by a data breach, it could suffer significantly:
• Investigation of the breach
• Loss of confidential business information
• Fines / liability
• Remediation of the breach
• Plus reputational risk: damage to your brand
PCI DSS Levels
• Merchant Level 1: any merchant processing over 6MM Visa or MC transactions per year (not combined transaction volume).
• Merchant Level 2: any merchant processing 1MM to 6MM Visa or MC transactions per year (not combined transaction volume).
• Merchant Level 3: any merchant processing 20K to 1MM Visa or MC e-commerce transactions per year (not combined transaction volume).
• Merchant Level 4: any merchant processing fewer than 20K Visa or MC e-commerce transactions per year, and all other merchants processing up to 1MM Visa or MC transactions per year (not combined transaction volume).
Merchant Compliance Validation
Level 1
• Annual onsite security audit – required. Scope: authorization and settlement systems. Validated by: Qualified Security Assessor, or internal audit if signed by an officer of the company.
• Quarterly network scan – required. Scope: Internet-facing perimeter systems. Validated by: Approved Scan Vendor.
Levels 2 & 3
• Annual Self-Assessment Questionnaire – required. Scope: any systems storing, processing or transmitting cardholder data. Validated by: merchant / compliance.
• Quarterly network scan – required. Scope: Internet-facing perimeter systems. Validated by: Approved Scan Vendor.
Level 4
• Annual Self-Assessment Questionnaire – recommended. Scope: any systems storing, processing or transmitting cardholder data. Validated by: merchant / compliance.
• Quarterly network scan – recommended. Scope: Internet-facing perimeter systems. Validated by: Approved Scan Vendor.
EMV® and PCI: Notable changes in 2015
• Fraud liability shifts on October 1, 2015. After the liability shift, if a merchant is still using the "swipe and signature" method and the customer presents a chip (smart) card, the merchant is liable for counterfeit fraud on that transaction.[1]
• PCI DSS 3.0, Requirement 9.9: new requirement to monitor your terminals and POS equipment for substitution and tampering (keep an inventory of devices and inspect them periodically).[2]

[1] EMVCo®
[2] PCI Security Standards Council
Verizon: 2015 Data Breach Investigations Report
[Charts from the report: frequency of incident classification patterns with confirmed data breaches; the defender-detection deficit (how quickly attackers compromise versus how slowly defenders discover).]
The value of a compromised system
The chart below is loosely based on a diagram by Brian Krebs (Krebs on Security).
• Account takeovers: iTunes & Amazon $8–$10; Facebook $2–$5; Alibaba $50–$250; bank login $20–$250; merchant login $100–$1,000
• Botnet: $100–$200 per day for DDoS; $250–$1,000 for bot logs
• Extortion: $50–$250 for ransomware; $300+ for encrypted contents; $20k+ for domains/websites; $350–$500 for TDoS ransom
• Infrastructure: $20–$50 per month for a proxy service; $5–$10 per command shell; attack & comms servers; $1,000+ for compromised VoIP servers
• Sensitive data: $10–$20 for PII / bio info; $100–$250 for photos; $20k+ for intellectual property; $2–$50 for dumps; $2–$20 for CCs
• Virtual currency: Bitcoin, WebMoney, PerfectMoney, WoW accounts, etc.: $10–$10MM
• Not for sale: dumps & PINs, financial institution access, employee accounts
Utilizing stolen credentials: there is value beyond PCI and PII data…
[Diagram: an employee's personal computer, used for general internet browsing, is compromised with malware; the credentials captured there are then used to reach the employee's work computer.]
Four Key Cyber Assets Targeted by Criminals
POS environments
• POS intrusions accounted for 40% of all assets targeted.
• If a POS is attacked, the business is most likely US-based.
Credit cards
• 49% of breach investigations involved Personally Identifiable Information (PII) and cardholder data.
• Attackers shifted focus back to payment card data from non-payment card data.
eCommerce
• Accounted for 42% of all investigations in 2014.
• 64% of retail industry breaches were eCommerce.
• "Password1" was still the most commonly used password.
Mobile apps
• 95% of mobile applications are vulnerable.
• 35% of mobile apps had critical issues.
• 45% of mobile apps had high-risk issues.
• 6: median number of vulnerabilities per mobile app.
SOURCE: 2015 Trustwave Global Security Report.
Attacking retail payment systems
While relationships and networks vary significantly, this slide provides an overview of transaction processing and identifies some of the primary points of risk in the process.
Transaction flow: Merchant → Payment Gateway → Processor → Acquiring Bank → Card Brand → Issuing Bank
Primary risk vectors along the merchant-to-processor path: network intrusion, POS intrusion, web application vulnerabilities, hardware attacks, compromised login, compromised merchant number, fraudulent alternate merchant, offline processing.
Primary risk vectors at the acquiring bank: database manipulation attacks, compromised control panels, acquiring bank account takeover.
Cybercrime trends: skimmers vs. scrapers
Over the last 10 years cybercrime trends have changed dramatically, from individuals using low-cost skimming devices (under $200) to a more sophisticated cybercrime ecosystem leveraging malware.
Skimmers: skimmers, hardware and other physical methods rely on manual retrieval and dispersal, which limits the number of potential victims.
Scrapers: criminals inject RAM scraper malware to create POS botnets, compromising multiple POS networks at once.
Targeting payment hardware
Overlay-style skimmers remain popular, but increasingly criminals are altering "legitimate" devices by inserting malicious hardware/software to capture data.
Mass-produced, high-quality skimming gear leverages cheap 3D printing and outsourced manufacturing to counter security improvements. The photos on this slide included both a pricing model and proof-of-life photos.
Malware growth… frightening
Malware (malicious software) is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Year-over-year growth from 2011 to 2013 is over 300%.*
* The past two years have witnessed a dramatic increase in the creation of new malware: every day over 200,000 new malware programs are created. Source: AV-TEST GmbH

Malware everywhere… what we see
• Web: 70% of organizations have experienced a web-borne malware infection in the past year.
• Email: 75% of an organization's inbound e-mail is spam, and 10% of that is malicious.
• Network: open remote access ports and default passwords allow 47% of remote data breaches.
• Apps: eCommerce sites are the #1 targeted asset for hackers.
• POS: POS breaches account for billions in fraud each year.
• Endpoint: mobile malware has grown by 400%.
All of these paths lead to your data: card numbers (CC#s), intellectual property (IP) and PII.
Common POS Malware
• Alina: a family of PoS malware that targets applications holding track data, applies basic encryption and exfiltrates the information. It has a command-and-control structure that lets it search for and install updates automatically when they are released.
• Backoff PoS / BlackPoS: RAM scrapers (memory-parsing malware). Card data that is encrypted on disk and on the wire is briefly in plaintext in a process's live memory, and the scraper captures it there.
• Chewbacca: appears to have been a short-lived malware designed to attack PoS systems and exfiltrate data over Tor. The malware itself has been well documented.
• Decebal: Romanian PoS malware released on January 3, 2014. Written in VBScript, it checks whether the machine it lands on is running sandboxing or reverse-engineering software, and it validates that the stolen payment card numbers are legitimate before keeping them.
• Dexter: first discovered in December 2012, Dexter is a custom-made malware tool used to infect point-of-sale systems. According to Seculert, Dexter pulls the process list from the infected machine and parses memory dumps of specific POS software processes, looking for Track 1 / Track 2 card data.
• FighterPoS: a full-featured piece of malware, carefully developed and using strong encryption, that supports multiple ways to talk to its C&C infrastructure. It includes keylogging, can be used to launch DDoS attacks, and gives the operator full control of victim machines. This one-man operation has stolen more than 22,000 unique credit card numbers.
• JackPoS: sometimes disguised as the Java Update Scheduler. The actors behind it used sophisticated scanning, loading and propagation techniques to get into merchant systems through the external perimeter and then move to the card-processing areas, which were possibly not segmented from the rest of the network as PCI policies require.
• LogPOS: avoids a traditional detection mechanism (scanning files for unencrypted card data) by writing captured data to a Windows mailslot instead of a file.
• NewPosThings: operates like other PoS malware, scraping process memory for card track data and exfiltrating the spoils to a command-and-control (C2) server. Based on compilation timestamps it has been in active development since at least October 20, 2013, with the latest sample dated August 12, 2014.
• FindPOS (PoSeidon): when running, the malware searches memory for card track data and verifies any logged numbers with the Luhn check-digit algorithm.
• Punkey: appears to have evolved from the NewPosThings family. Punkey self-identifies its version; three unique versions have been discovered.
• vSkimmer: disclosed by McAfee in March 2013. vSkimmer searches program memory for track data, but only for data matching the Track 2 format. In addition to using HTTP to exfiltrate stolen data to a C2 server, it can be configured to copy data to a specific USB device if it cannot reach the Internet: it dumps its stolen data to a log file on a USB drive with a particular volume name.
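Several of the families above (Dexter, NewPosThings, FindPOS/PoSeidon, vSkimmer) do the same core thing: walk a POS process's memory looking for magnetic-stripe track data, and (as FindPOS and Decebal do) keep only numbers that pass the Luhn check. The Python below is an added illustration written for this page, not code from any of these malware families or from First Data. It runs that pattern-plus-Luhn logic over a constructed byte buffer that stands in for a slice of process memory (public test card numbers, not real cards), so you can see exactly what a scraper, or a defender's scan of a memory dump for exposed track data, matches. The sample buffer, the regexes and the function names are assumptions made for the example.

```python
import re

# Constructed sample standing in for a slice of a POS process's memory:
# a Track 1 record, a Track 2 record, unrelated text, and a second Track 2
# record whose PAN fails the Luhn check (last digit altered). The PANs are
# public test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe: config loaded\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
    b"\x00\x00\x00"
    b";5555555555554444=2512101123456789?"
    b"\x00 order_id=00001234 amount=19.99 \x00"
    b";4111111111111112=2512101123456789?"
    b"\x00"
)

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
# (this is the only format vSkimmer looks for)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: every second digit from the right is doubled
    (digit sums above 9 have 9 subtracted) and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask the rest so the
    output itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return every Track 1 / Track 2 record in buf, in memory order, with the
    PAN masked and a flag saying whether the PAN passed the Luhn check."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "offset": m.start(), "track": 1, "pan": mask_pan(pan),
            "name": m.group(2).decode(), "expiry_yymm": m.group(3).decode(),
            "service_code": m.group(4).decode(), "luhn": luhn_ok(pan),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "offset": m.start(), "track": 2, "pan": mask_pan(pan),
            "expiry_yymm": m.group(2).decode(),
            "service_code": m.group(3).decode(), "luhn": luhn_ok(pan),
        })
    return sorted(hits, key=lambda h: h["offset"])


def confirmed_cards(buf: bytes) -> list:
    """What a scraper keeps, and what a defender should alert on:
    only the records whose PAN passes Luhn."""
    return [h for h in scan_memory(buf) if h["luhn"]]


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
    print(len(confirmed_cards(SAMPLE_MEMORY)), "Luhn-valid records")
```

Run defensively, the same two regexes over a process memory dump or a disk image show where track data sits in plaintext, and the Luhn flag separates real PANs from look-alike digit runs, which is exactly why the scrapers apply it. Leave the masking in place unless you are working in a controlled forensic environment.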
Keystroke loggers & memory scrapers…
Data compromise
While the number of compromised financial records and incidents may not have set historical highs in 2013, the increased sophistication of perpetrators, coupled with compromises of customer information, has led to increased fraudulent use of compromised data.
[Charts, 2005–2014: number of records compromised (scale 0 to 250,000,000) and number of compromises (scale 0 to 700). Source: Identity Theft Resource Center, www.idtheftcenter.org]
Data compromise: taking action
• Authenticate consumer interactions in all channels: online, over the phone and in person.
• Consumer education and empowerment: decide how you will communicate with customers/members; consumers should protect their personal information.
• Have a plan to execute: set your risk tolerance; define thresholds for treatment (when to monitor, when to reissue and how to accomplish it).
• Know your network: where to research and how to stay informed.
• Internal employee responsibility and readiness.
Card Not Present fraud continues to rise
Card-not-present fraud dollar losses continue to rise, bringing with them an increased threat of losses and a worse cardholder experience.
[Chart: gross fraud vs. net fraud per quarter, Q1 2012 through Q1 2014, scale $0 to $9,000,000.]
Recovery rate averaged 78.3% in 2012, 74.7% in 2013 and 64.4% in Q1 2014.
Source: 2012–2014 First Data Fraud Back Office Outsourcing
EMV overview
How EMV works
EMV timelines
• April 1, 2013 – First Data deadline: acquirer processors and sub-processors must certify support for and accept Visa EMV chip contact and contactless transactions.
• October 1, 2015: liability shift; counterfeit POS fraud will be assessed to merchants not accepting EMV transactions.
• October 1, 2017: liability shift applies to petroleum merchants (automated fuel dispensers).
The U.S. EMV migration: changing the payments landscape & consumer interaction
• Collaborate; EMV deployment is a team effort
  • Ensure all departments are included in the EMV roll-out
  • Chip configurations such as online and offline limits, PIN settings, etc. should be understood and created collaboratively by all
  • Leverage forums, conferences and industry networking opportunities
  • Learn from those outside of the U.S.
• Know and defend against the shift in fraudulent use
  • Card Not Present (CNP) and Mail Order/Telephone Order (MOTO): review CNP activity closely; leverage tools such as Verified by Visa / MasterCard SecureCode; consider VCAS or RiskFort for less friction
  • Account Take Over (ATO): regularly review critical non-monetary activity for potential ATO fraud
The U.S. EMV migration: current status as of July 2015
• According to Visa, 295,000 (3.7%) of North American card-accepting locations are enabled for chip card acceptance.
• 36,663 ATMs, about 7% of the estimated 535,800 bank and retail ATMs in the U.S., can now read EMV chip cards.
• Lessons from other countries implementing EMV: on average it takes three years after the liability shift before 90% of payment card transactions are "chip-on-chip", i.e. generated by an EMV card used at an EMV terminal.
Thank you.