Charles Leaver – Marriott Could Have Prevented Their Point Of Sale Breach With Continuous Endpoint Visibility

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retailers still appear to be an appealing target for cyber criminals after payment card data. Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015 affecting customers at 14 hotels across the country between September 2014 and January 2015. This follows a similar attack White Lodging suffered in 2014. In both cases the attackers were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at several locations run by White Lodging. They obtained the names printed on customers' credit or debit cards, the card numbers, the security codes and the expiration dates. POS systems were also the target of recent breaches at Target, Neiman Marcus and Home Depot, among others.

Traditionally, Point-of-Sale (POS) systems at many US retailers were locked-down Windows devices running a small set of applications tailored to their function: ringing up the sale and processing the transaction with the credit card bank or merchant processor. Modern POS terminals are essentially PCs that run email clients, web browsers and remote desktop tools alongside their transaction software. To be fair, they are usually deployed behind a firewall, but they remain ripe for exploitation, and the best defenses can and will be breached if the target is valuable enough. For example, the remote-control tools used to manage and update POS systems are frequently hijacked by attackers for their own purposes.

The payment processing network itself is a separate, isolated and encrypted network. So how did the attackers steal the payment card data? They took it from memory on the POS terminal while the payment was being processed. Even if a retailer does not store card data, the data can sit unencrypted in the POS terminal's memory while the transaction is being authorized. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS and Punkey is used by the thieves to harvest card data in this unencrypted state; terminals that encrypt track data at the card reader itself remove the plaintext window these scrapers depend on. The harvested data is then typically encrypted and either retrieved by the attackers directly or sent out to an Internet drop site where they collect it.
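The memory-scraping step described above, as an added example that is not part of the original post and not Ziften's code: the script scans a byte buffer standing in for a POS process's memory for track 1 and track 2 magnetic-stripe records, the framing a scraper hunts for, and keeps only hits whose card number passes the Luhn check. The buffer, the cardholder name and the card numbers are constructed test values (industry test PANs), not data from any breach.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass
class TrackHit:
    track: int      # 1 or 2
    offset: int     # byte offset inside the scanned buffer
    pan: str        # primary account number
    expiry: str     # YYMM
    name: str = ""  # cardholder name (track 1 only)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, so reports do not re-expose the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[TrackHit]:
    """Return Luhn-valid track 1/2 records found in buf, ordered by offset."""
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), pan, m.group(3).decode(), m.group(2).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), pan, m.group(2).decode()))
    return sorted(hits, key=lambda h: h.offset)


def report(buf: bytes) -> list[str]:
    """Masked one-line summaries, the form an alert or forensic note should carry."""
    return [f"track{h.track} @0x{h.offset:x} pan={mask_pan(h.pan)} exp={h.expiry}"
            for h in scan_memory(buf)]


# Constructed stand-in for a POS process memory image (no real card data).
SAMPLE_MEMORY = (
    b"\x00" * 32
    + b"POSApp.exe settings\x00"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"  # track 1, Luhn-valid test PAN
    + b"\x00" * 16
    + b";5555555555554444=25121011234567890?"                 # track 2, Luhn-valid test PAN
    + b"\x00" * 8
    + b";1234567812345678=2512101000?"                        # track 2 framing, fails Luhn: dropped
    + b"order_id=4111111111111111\x00"                        # bare digits, no track framing: ignored
)

if __name__ == "__main__":
    for line in report(SAMPLE_MEMORY):
        print(line)
```

On a live terminal the buffer would come from a process memory dump (for example a minidump of the POS application read back as bytes). The scanner keys on track framing, which is what the real scrapers look for; a looser search for any Luhn-valid digit run finds more but produces many false positives from order numbers and timestamps.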

Ziften's solution provides continuous endpoint visibility that can detect and remediate these kinds of threats. Ziften's MD5 hash analysis can spot new or suspicious processes and .dll files running in the POS environment, and Ziften can kill the process and collect the binary for further action or analysis. POS malware can also be detected by alerting on Command and Control traffic: Ziften's integrated Threat Intel and Custom Threat Feed options let customers alert when POS malware communicates with C&C nodes. Finally, Ziften's historical data lets customers kick-start the forensic investigation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
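The two detections described above (unbaselined or modified binaries, and connections to known C&C nodes) as an added example; this is illustrative code written for this page, not Ziften's product logic. It builds a hash baseline from a constructed golden image of a POS terminal, compares a constructed process inventory and connection list against it, and escalates when the same process trips both checks. All paths, hashes, addresses and the threat feed are constructed (the C&C address is from the TEST-NET-3 documentation range).

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hash an image's bytes. In production read the file from disk; here the
    'binaries' are constructed byte strings so the example runs offline."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Process:
    pid: int
    image: str
    sha256: str


@dataclass
class Connection:
    pid: int
    dst_ip: str
    dst_port: int


@dataclass
class Alert:
    severity: str
    pid: int
    reason: str


# Constructed golden-image inventory of a clean terminal: path -> file bytes.
GOLDEN_IMAGE = {
    r"C:\POS\posapp.exe": b"MZ\x90\x00posapp-1.0",
    r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00svchost",
    r"C:\POS\rdp_agent.exe": b"MZ\x90\x00rdp_agent-2.1",
}
BASELINE = {path: sha256_hex(data) for path, data in GOLDEN_IMAGE.items()}

# Constructed telemetry from the same terminal some weeks later.
RUNNING = [
    Process(412, r"C:\POS\posapp.exe", BASELINE[r"C:\POS\posapp.exe"]),
    Process(1440, r"C:\Windows\System32\svchost.exe", BASELINE[r"C:\Windows\System32\svchost.exe"]),
    Process(2288, r"C:\Windows\Temp\WinHost32.exe", sha256_hex(b"MZ\x90\x00scraper")),    # never seen before
    Process(2300, r"C:\POS\rdp_agent.exe", sha256_hex(b"MZ\x90\x00rdp_agent-trojan")),   # known path, hash drifted
]
CONNECTIONS = [
    Connection(412, "10.20.30.40", 443),    # payment gateway, expected
    Connection(2288, "203.0.113.77", 80),   # constructed C&C address
    Connection(1440, "192.0.2.5", 443),     # not in the feed
]
# Constructed threat feed of known C&C addresses.
C2_FEED = {"203.0.113.77", "198.51.100.9"}


def new_or_modified(baseline: dict[str, str], running: list[Process]) -> list[Alert]:
    """Flag processes whose image hash is not in the baseline. A known path with
    a changed hash is worse than a brand-new file: it may be a trojanized tool."""
    known_hashes = set(baseline.values())
    alerts = []
    for p in running:
        if p.sha256 in known_hashes:
            continue
        if p.image in baseline:
            alerts.append(Alert("high", p.pid, f"hash of known image changed: {p.image}"))
        else:
            alerts.append(Alert("medium", p.pid, f"unknown image: {p.image}"))
    return alerts


def c2_contacts(connections: list[Connection], feed: set[str]) -> list[Alert]:
    """Flag any connection whose destination appears in the C&C feed."""
    return [Alert("high", c.pid, f"connection to C&C {c.dst_ip}:{c.dst_port}")
            for c in connections if c.dst_ip in feed]


def triage(baseline, running, connections, feed) -> list[Alert]:
    """Combine both checks; an unbaselined binary that also talks to a C&C node
    is the scraper-exfiltration pattern and is escalated to critical."""
    binary_alerts = new_or_modified(baseline, running)
    net_alerts = c2_contacts(connections, feed)
    flagged_pids = {a.pid for a in binary_alerts}
    escalations = [Alert("critical", a.pid, "unbaselined binary talking to C&C: kill and collect binary")
                   for a in net_alerts if a.pid in flagged_pids]
    return binary_alerts + net_alerts + escalations


if __name__ == "__main__":
    for a in triage(BASELINE, RUNNING, CONNECTIONS, C2_FEED):
        print(f"[{a.severity}] pid={a.pid} {a.reason}")
```

The example hashes with SHA-256 rather than MD5: MD5 lookups still work against legacy feeds, but known collision attacks make it a weak identity for an allowlist. Note that a legitimate patch also changes a known image's hash, so the baseline has to be refreshed on every update cycle or the "modified" alert becomes noise.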

It's past time for retailers to step up their game and look for new solutions to protect their customers' payment cards.
