Had Continuous Endpoint Visibility Been In Place, Marriott Could Have Avoided the POS Attack – Charles Leaver

February 4, 2016

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

United States retail outlets remain an attractive target for cyber criminals seeking payment card data: Marriott franchisee White Lodging Services Corp confirmed a data breach in the Spring of 2015, affecting customers at 14 hotels across the country from September 2014 to January 2015. This incident follows a comparable breach that White Lodging suffered in 2014. In both cases the attackers were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at a number of locations run by White Lodging. The attackers obtained the names printed on customers’ credit or debit cards, the card numbers, the security codes and the expiration dates. Point-of-Sale systems were likewise the target of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (or POS) systems at many United States retail outlets were “locked down” Windows computers running a small set of applications tailored to their function – ringing up the sale and processing the transaction with the credit card merchant or bank. Modern POS terminals are essentially PCs that run email clients, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are often deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, the remote-control tools used for managing and updating the POS systems are frequently hijacked by attackers for their own purposes.

The payment card or payment processing network is a completely separate, air-gapped, and encrypted network. So how did the attackers manage to steal the payment card data? They stole it while it sat in memory on the Point of Sale terminal during the payment process. Even if retailers do not store card data, it can exist in an unencrypted state on the Point of Sale machine while the payment transaction is being verified. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to harvest the card details while they are unencrypted. The harvested data is then typically encrypted and retrieved by the attackers, or exfiltrated to the Internet where the thieves collect it.

Ziften’s system provides continuous endpoint visibility that can detect and remediate these kinds of threats. Ziften’s MD5 hash analysis can detect new and suspicious processes or .dll files running in the POS environment. Ziften can likewise kill the process and collect the binary for further action or analysis. It is also possible to discover POS malware by alerting on Command and Control traffic: Ziften’s integrated Threat Intel and Custom Threat Feed options enable customers to raise an alert when POS malware communicates with C&C nodes. Lastly, Ziften’s historical data lets customers begin the forensic investigation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
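The two detection ideas above, hash-based spotting of unexpected processes or DLLs and alerting on contact with known C&C nodes, as an added illustration that is not Ziften's code: it compares the hashes of loaded images against a known-good baseline for the POS build and matches outbound connections against a threat feed. The baseline, inventory, feed address (an RFC 5737 documentation address) and log lines are all constructed sample data.

```python
import hashlib
import re

def _h(data: bytes) -> str:
    # Stand-in: hash of a byte string instead of a real file, so the example runs offline
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: approved image path -> hash of the approved binary for this POS build
BASELINE = {
    r"C:\POS\pos.exe": _h(b"approved pos build"),
    r"C:\POS\cardio.dll": _h(b"approved cardio.dll"),
    r"C:\Windows\System32\svchost.exe": _h(b"vendor svchost"),
}
# Constructed live inventory: (image path, hash of what is actually loaded)
RUNNING = [
    (r"C:\POS\pos.exe", _h(b"approved pos build")),
    (r"C:\POS\cardio.dll", _h(b"replaced cardio.dll")),        # known path, unexpected hash
    (r"C:\Windows\System32\svchost.exe", _h(b"vendor svchost")),
    (r"C:\Users\Public\update.exe", _h(b"never seen before")),  # path absent from baseline
]
# Constructed threat feed of C&C addresses (documentation range, not a real indicator)
C2_FEED = {"203.0.113.45"}
# Constructed outbound-connection log lines from the terminal
CONN_LOG = """\
2015-01-12T10:31:02 pos.exe 10.1.5.22:49211 -> 198.51.100.7:443
2015-01-12T10:31:09 update.exe 10.1.5.22:49214 -> 203.0.113.45:443
2015-01-12T10:32:40 svchost.exe 10.1.5.22:49220 -> 10.1.5.1:53
"""
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def find_unapproved(baseline, running):
    """Flag every loaded image that is absent from the baseline or has a different hash."""
    findings = []
    for path, digest in running:
        expected = baseline.get(path)
        if expected is None:
            findings.append({"path": path, "reason": "not in baseline"})
        elif expected != digest:
            findings.append({"path": path, "reason": "hash mismatch"})
    return findings

def find_c2_contacts(log, feed):
    """Flag connections whose destination address appears in the threat feed."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) in feed:
            hits.append({"time": m.group(1), "process": m.group(2), "dst": m.group(3)})
    return hits
```

A finding from either check is the point at which the binary would be collected and the process stopped, as described above.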

It’s past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.
