Chuck Leaver – With The Marriott Point Of Sale Breach Continuous Endpoint Visibility Would Have Saved The Day

Written By Andy Wilson And Presented By Ziften CEO Chuck Leaver

US retail outlets still appear to be an appealing target for hackers looking for credit card data, as Marriott franchisee White Lodging Services Corp confirmed a data breach in the Spring of 2015, impacting customers at 14 hotels throughout the country from September 2014 to January 2015. This incident follows a comparable cyber attack that White Lodging suffered in 2014. The attackers in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott Lounges and Restaurants at numerous locations run by White Lodging. The attackers were able to acquire the names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Point-of-Sale systems were likewise the focus of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (or POS) systems at numerous United States retail outlets were “locked down” Windows computers running a small set of applications tailored to their function: ringing up the sale and processing a transaction with the credit card merchant or bank. Modern POS terminals are essentially PCs that run email applications, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are often deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For example, remote control tools used for management and upgrading of the Point of Sale systems are often hijacked by hackers for their own purposes.

The payment card or payment processing network is a totally separate, air-gapped, and encrypted network. So how did cyber attackers manage to steal the credit card data? They stole the data while it was in memory on the Point of Sale terminal as the payment was being processed. Even if merchants don’t store credit card details, the data can be in an unencrypted state on the POS device while the payment transaction is validated. Memory-scraping Point of Sale malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to harvest the credit card details in their unencrypted state. The data is then normally encrypted and retrieved by the hackers, or sent out to the Internet where the thieves collect it.

Ziften’s system provides continuous endpoint visibility that can find and remediate these kinds of threats. Ziften’s MD5 hash analysis can find new and suspicious processes or .dll files running in the Point of Sale environment. Ziften can also kill the process and collect the binary for further action or analysis. It’s also possible to detect Point of Sale malware by alerting on Command and Control traffic. Ziften’s integrated Risk Intel and Custom-made Threat Feed options enable customers to alert when POS malware talks to C&C nodes. Finally, Ziften’s historical data enables customers to begin the forensic examination of how the malware got in, what it did after it was installed and executed, and whether other machines are infected.
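The hash-baseline and threat-feed checks described above, sketched as an added example (not Ziften's code and not from the original article): it flags MD5 hashes missing from an approved POS image baseline, records when and on which terminals each was first seen, and matches outbound connections against a custom feed. The event schema, host names, paths, hashes and addresses are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

def md5_hex(data: bytes) -> str:
    # MD5 serves only as an inventory identifier here, matching the hash type the article names.
    return hashlib.md5(data).hexdigest()

# Constructed stand-ins for the binaries on an approved POS image (assumption).
APPROVED = md5_hex(b"approved-pos-build-1")
BASELINE = {APPROVED, md5_hex(b"approved-printer-build-1")}
UNKNOWN = md5_hex(b"constructed-unknown-binary")

# Constructed custom threat feed, using an RFC 5737 documentation address.
THREAT_FEED = {"203.0.113.50"}

# Constructed telemetry: (timestamp, host, event, image path, md5, remote IP or None).
EVENTS = [
    ("2015-01-06T11:30:00", "pos-03", "process_start", r"C:\Windows\Temp\svc.exe", UNKNOWN, None),
    ("2015-01-05T09:00:00", "pos-01", "process_start", r"C:\POS\pos_app.exe", APPROVED, None),
    ("2015-01-06T10:00:00", "pos-02", "process_start", r"C:\Windows\Temp\svc.exe", UNKNOWN, None),
    ("2015-01-05T09:01:00", "pos-01", "connect", r"C:\POS\pos_app.exe", APPROVED, "198.51.100.10"),
    ("2015-01-06T10:05:00", "pos-02", "connect", r"C:\Windows\Temp\svc.exe", UNKNOWN, "203.0.113.50"),
]

def triage(events, baseline, feed):
    """Return (unknown hashes with first-seen time and affected hosts, threat-feed hits)."""
    unknown = defaultdict(lambda: {"first_seen": None, "hosts": set(), "paths": set()})
    feed_hits = []
    for ts, host, kind, path, digest, remote in sorted(events, key=lambda e: e[0]):
        if digest not in baseline:
            rec = unknown[digest]
            rec["first_seen"] = rec["first_seen"] or ts  # earliest sighting, for the timeline
            rec["hosts"].add(host)                       # scope: which terminals ran it
            rec["paths"].add(path)
        if kind == "connect" and remote in feed:
            feed_hits.append((ts, host, path, remote))
    return dict(unknown), feed_hits

if __name__ == "__main__":
    unknown, hits = triage(EVENTS, BASELINE, THREAT_FEED)
    for digest, rec in unknown.items():
        print(digest, rec["first_seen"], sorted(rec["hosts"]), sorted(rec["paths"]))
    for hit in hits:
        print("threat-feed hit:", hit)
```

On a locked-down terminal the baseline is small, so any hash outside it is worth an alert; the first-seen time and host set give the starting point for scoping the incident.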

It’s past time for retailers to step up their game and look for new solutions to protect their customers’ payment cards.