© 2014 First Data Corporation. All Rights Reserved.

Rick Van Luvender

Limiting Your Exposure

Cyber Security


Small businesses and security
Top four most common misconceptions

Misconception: “I don’t need it”
Reality: Even though 90% of all data breaches target small merchants, many business owners don’t put much thought into their day-to-day security.1

Misconception: “I’m not liable”
Reality: If a breach were to happen, you could very well be liable for the costs.

Misconception: “Nothing has happened yet”
Reality: The likelihood of a data breach is greater than you may think, and the consequences can be catastrophic.

Misconception: “I’m already protected”
Reality: Your current payment processing may not fully protect your payment data from the moment a card is swiped.

1. Trustwave SpiderLabs, Trustwave Global Security Report 2012


Business impact of a data breach

If your business is impacted by a data breach, your business could suffer significantly.

• Investigation of Breach
• Loss of Confidential Business Information
• Fines/Liability
• Remediation of Breach
• Plus reputational risk: damage to your brand

Copyright 2009 First Data Corporation. All Rights Reserved.

PCI DSS Levels

Merchant Level 1: Any merchant processing over 6MM Visa or MC transactions per year (not combined transaction volume).

Merchant Level 2: Any merchant processing 1MM to 6MM Visa or MC transactions per year (not combined transaction volume).

Merchant Level 3: Any merchant processing 20K to 1MM Visa or MC e-commerce transactions per year (not combined transaction volume).

Merchant Level 4: Any merchant processing less than 20K Visa or MC e-commerce transactions per year and all other merchants processing up to 1MM Visa or MC transactions per year (not combined transaction volume).


Merchant Compliance Validation

Level 1
• Annual Onsite Security Audit – required. Scope: Auth and Settlement Systems. Validated by: Qualified Security Assessor or Internal Audit if signed by officer of the company.
• Quarterly Network Scan – required. Scope: Internet Facing Perimeter Systems. Validated by: Approved Vendor.

Levels 2 & 3
• Annual Self Assessment Questionnaire – required. Scope: Any systems storing, processing or transmitting cardholder data. Validated by: Merchant / Compliance.
• Quarterly Network Scan – required. Scope: Internet Facing Perimeter Systems. Validated by: Approved Scan Vendor.

Level 4
• Annual Self Assessment Questionnaire – recommended. Scope: Any systems storing, processing or transmitting cardholder data. Validated by: Merchant / Compliance.
• Quarterly Network Scan – recommended. Scope: Internet Facing Perimeter Systems. Validated by: Approved Scan Vendor.


EMV® and PCI: Notable changes in 2015

Fraud Liability Shifts on October 1, 2015*
• After the liability shift, if a merchant is still using the “swipe and signature” methodology and the customer has a smartcard, the merchant is liable.1

PCI DSS 3.0 (9.9)
• New Requirement: Monitoring your terminals and POS equipment for substitution and tampering.2

1 EMVCo®
2 PCI Security Standards Council


Verizon: 2015 data breach investigations report

[Charts from the report: frequency of incident classification patterns with confirmed data breaches; the defender-detection deficit]


The value of a compromised system
The chart below is loosely based on a diagram by Brian Krebs (Krebs on Security)

Botnet
• $100-$200 per day for DDOS
• $250-$1,000 for Bot Logs

Account takeovers
• iTunes & Amazon: $8-$10
• Facebook: $2-$5
• Alibaba: $50-$250
• Bank Login: $20-$250
• Merchant Login: $100-$1,000

Sensitive Data
• $10-$20 for PII Bio Info
• $100-$250 for Photos
• $20k+ for Intellectual Property
• $2-$50 for Dumps
• $2-$20 for CC’s

Virtual Currency
• Bitcoin, WebMoney, PerfectMoney, WOW Accounts, etc.: $10-$10MM

Extortion
• $50-$250 for Ransomware
• $300+ for Encrypted Contents
• $20k+ for Domains/Websites
• $350-$500 for TDOS Ransom

Infrastructure
• $20-$50 per Month for Proxy Service
• $5-$10 per Command Shell
• Attack & Coms Servers
• $1,000+ Compromised VOIP Servers

[Other labels on the chart: Dumps & Pins; Financial Institution Access; Employee Accounts; Not for Sale]


Utilizing stolen credentials
There is value beyond PCI and PII data…

[Diagram labels: Employee Personal computer; General internet use; Machine compromised w/ Malware; Work computer]


Four Key Cyber Assets Targeted by Criminals

POS Environments
• 49% of POS intrusions account for 40% of all assets targets.
• If a POS is attacked, it is most likely the business will be US based.

Credit Cards
• 49% of breach investigations involved Personally Identifiable Information (PII) and cardholder data.
• Attackers shifted focus back to payment card from non-payment card.

eCommerce
• Accounted for 42% of all investigations in 2014.
• 64% of retail industry breaches were eCommerce.
• “Password1” was still the most commonly used password.

Mobile Apps
• 95% of mobile applications are vulnerable.
• 35% of mobile apps had critical issues.
• 45% of mobile apps had high-risk issues.
• 6: Median number of vulnerabilities per mobile app.

SOURCE: 2015 TrustWave Global Security Report.


Attacking retail payment systems
While relationships and networks vary significantly, this slide provides an overview of transaction processing and identifies some of the primary points of risk in the process.

[Diagram labels: Card Brand; Issuing Bank; Processor; Merchant; Payment Gateway; Acquiring Bank]

Primary Risk Vectors
• Network Intrusion
• POS Intrusion
• Web App Vulnerabilities
• Hardware Attacks
• Compromised Login
• Compromised Merchant #
• Fraudulent Alt Merchant
• Offline Processing

Primary Risk Vectors
• Database Manipulation Attacks
• Compromised Control Panels
• Acquiring Bank Account Takeover


Cybercrime trends: skimmers vs. scrapers

Skimmers

Skimmers, hardware and other physical methods rely on manual retrieval and dispersal methods, limiting the number of potential victims.

Scrapers

Criminals inject RAM Scraper malware to create POS botnets, compromising multiple POS networks.

Over the last 10 years, cybercrime trends have changed dramatically, from individuals using low-cost skimming devices that cost less than $200 to a more sophisticated cybercrime ecosystem leveraging malware.


Targeting payment hardware
Overlay-style skimmers remain popular, but increasingly criminals are altering “legitimate” devices by inserting malicious hardware/software to capture data.


Targeting payment hardware
Mass-produced, high-quality skimming gear leverages cheap 3D printing and outsourced manufacturing to counter security improvements. The photos include both a pricing model and proof of life photos.


Malware growth…frightening
Malware (malicious software) is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Year-over-year growth from 2011 to 2013 is over 300%.*

* The past 2 years have witnessed a dramatic increase in the creation of new malware. Every day over 200,000 new malware programs are created.
Source: AV TEST GmbH


Malware everywhere…what we see

• Web: 70% of organizations have experienced a web-borne malware infection this past year.
• Email: 75% of an organization’s inbound e-mail is spam. 10% of that is malicious.
• Network: Open remote access ports and default passwords allow 47% of remote data breaches.
• Apps: eCommerce sites are the #1 targeted asset for hackers.
• POS: POS breaches account for billions in fraud each year.
• Endpoint: Mobile malware has grown by 400%.

Your data: CC#s, IP, PII


Common POS Malware

• Alina
  • A family of PoS malware that targets applications containing Track data, applies basic encryption and exfiltrates the information.
  • This malware has a command & control structure, which allows it to search for and install automatic updates when they are released.

• Backoff PoS
  • BlackPoS is a RAM scraper, or memory-parsing software, which grabs encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text.

• Chewbacca
  • Chewbacca appears to have been a short-lived malware designed to attack PoS systems and exfiltrate data over TOR. The malware itself has been well documented.


• Decebal
  • Romanian PoS malware released on January 3, 2014.
  • It is written in Visual Basic Script and is capable of checking to see if the computer on which it’s deployed is running any sandboxing or reverse engineering software.
  • Decebal can also validate that the stolen payment card numbers are legitimate.

• Dexter
  • First discovered in December 2012, Dexter is a custom-made malware tool used to infect point of sale systems.
  • According to Seculert, Dexter steals the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data.


• FighterPoS
  • FighterPOS is a full-featured piece of malware, carefully developed using strong encryption. It supports multiple ways to talk with its C&C infrastructure.
  • Its keylogging capabilities allow for DDoS attacks and gaining full control of victim machines.
  • This one-man operation has been able to steal more than 22,000 unique credit card numbers.

• JackPoS
  • The malware is sometimes disguised as the Java Update Scheduler.
  • The bad actors have used sophisticated scanning, loading, and propagating techniques to attack these vectors, looking to get into the merchant’s system through external perimeters and then move to card processing areas, which were possibly not separated in compliance with PCI policies.


• LogPOS
  • LogPOS avoids a traditional detection mechanism of scanning files for unencrypted credit card information by instead writing to a mailslot.

• NewPosThings
  • It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server.
  • Based on compilation times, it has been in active development since at least October 20, 2013, with the latest timestamp being August 12, 2014.

• FindPOS/PoSeidon
  • When functioning, the malware searches memory for credit card track data and verifies any logged numbers through the Luhn algorithm.


• Punkey
  • Punkey appears to have evolved from the NewPOSthings family of malware.
  • Punkey self-identifies its version. Three unique versions have been discovered.

• vSkimmer
  • vSkimmer was disclosed by McAfee in March 2013.
  • vSkimmer searches program memory for track data; however, it only looks for data matching Track 2 format.
  • In addition to using HTTP to exfiltrate stolen data to a C2 server, vSkimmer can be configured to copy data to a specific USB device if it is unable to connect to the Internet. vSkimmer dumps its stolen data to a log file on a USB drive with a certain volume name.


Keystroke loggers & memory scrapers…


Data compromise
While the number of compromised financial records and incidents may not have set historical highs in 2013, the increased level of perpetrators’ sophistication coupled with customer information compromises has led to increased fraudulent use of compromised data.

[Charts: Number of Records Compromised and Number of Compromises, by year, 2005 to 2014]

Source: Identity Theft Resource Center; www.idtheftcenter.org


Data compromise
Taking action

• Authenticate consumer interactions in all channels
  • Online, over the phone and in person

• Consumer education and empowerment
  • How you will communicate with customers/members
  • Consumers should protect their personal information!

• Have a plan to execute
  • Set your risk tolerance
  • Define thresholds for treatment, when to monitor, when to reissue and how to accomplish
  • Know your network – where to research and how to stay informed
  • Internal employee responsibility and readiness


Card Not Present fraud continues to rise
Card not present fraud dollar loss continues to rise and brings with it an increased threat to losses and the cardholder experience…

[Chart: Gross Fraud and Net Fraud by quarter, Q1 2012 to Q1 2014]

Recovery rate averaged:
• 78.3% in 2012
• 74.7% in 2013
• 64.4% Q1 2014

Source: 2012-2014 First Data Fraud Back Office Outsourcing


EMV OVERVIEW


HOW EMV WORKS


EMV TIMELINES

April 1, 2013 – First Data Deadline
• Acquirer processors and sub-processors must certify support for and accept Visa EMV chip contact and contactless transactions

October 1, 2015
• Liability shift for counterfeit POS fraud will be assessed to merchants not accepting EMV transactions

October 1, 2017
• Liability shift applies to Petro Merchants


The U.S. EMV migration
Changing the payments landscape & consumer interaction

• Collaborate; EMV deployment is a team effort
  • Ensure all departments are included in the EMV roll out
  • Chip configurations such as online and offline limits, PIN settings, etc. should be understood and created collaboratively by all
  • Leverage forums, conferences and industry networking opportunities
  • Learn from those outside of the U.S.

• Know and defend the shift in fraudulent use
  • Card Not Present (CNP) and Mail Order/Telephone Order (MOTO)
  • Review Card Not Present (CNP) activity closely
  • Leverage tools such as Verified by Visa / MasterCard SecureCode
  • Consider use of VCAS or RiskFort for less friction
  • Account Take Over (ATO)
  • Regularly review Critical Non-Monetary activity for potential ATO fraud


The U.S. EMV migration: Current Status
As of July 2015

• According to Visa
  • 295,000 (3.7%) of North American Card Accepting locations are enabled for Chip Card Acceptance
  • 36,663 ATMs, about 7% of the estimated 535,800 bank and retail ATMs in the U.S., can now read EMV chip cards

• Lessons from other countries implementing EMV
  • On average it takes three years after the liability shift before 90% of payment card transactions were “chip-on-chip,” generated by an EMV card used at an EMV terminal.


Thank you.