Earlier this month the FBI was forced to issue yet another private malware warning to companies in the US after a new attack campaign against a restaurant chain. The cyber incursion against the unnamed firm is the latest in a string of targeted attacks on Point of Sale (POS) systems dating back to the massive Target breach in 2014, taking advantage of a major blind spot in many organizations’ cyber defences: privileged accounts.
Firms on both sides of the Atlantic have to get better at protecting access to their most sensitive data, and that needs to start with privileged users inside trusted third party organisations.
The spike in attacks against Point of Sale systems is happening mainly in the United States, because the country’s businesses are by and large still using magstripe cards, rather than chip and PIN. If a malware attack is successful these systems can provide attackers with access to huge volumes of plain text card data stored in the RAM of POS systems. This data is subsequently sold on dark net trading sites and ultimately used to clone cards for follow –up identify fraud.
While the UK doesn’t have the same kind of problem with POS malware yet, the lessons learned from this string of attacks are worth noting for IT security bosses everywhere.
Privileged account problems
In many of the incidents seen thus far, hackers have infiltrated POS systems via third party providers, by stealing privileged account log-in details for remote access tools like Microsoft Remote Desktop, LogMeIn and Apple Remote Desktop. In the case of Target, it famously turned out to be a refrigeration and air conditioning partner business which was hacked. In the case of sandwich chain Jimmy John’s, where 216 stores were impacted last year, it was “login credentials for a third party service provider’s remote access account” that were nabbed.
Why privileged accounts? Because they quite literally represent the keys to the kingdom for hackers: direct access to exactly the data they’re looking for without the time-consuming process of having to escalate privileges. What’s more, privileged or admin accounts are very often monitored less frequently than regular accounts, meaning attackers have a much better chance of getting in and out undetected.
In the case of many recent POS incidents, it’s been the privileged accounts of third party partners and suppliers that have been targeted, adding another dimension to the attacks. Firms must not only consider investing in new access control systems to better protect their privileged accounts but also hold the entire supply chain to the same high account.
Osirium’s Privileged User Management technology can help here by ensuring log-in credentials never pass through the user’s system. If there are no usernames and passwords to steal in the first place, it makes targeted attacks extremely difficult for the hackers. In addition, our Privileged Session Management platform allows managers to record, store and playback any activity on privileged accounts – further enhancing security and compliance and deterring sysadmin malpractice.
Best practice check list
Here are a few tips to fortify your POS environment from the kind of attacks we’ve seen with such alarming regularity over the past 12 months. In fact, even for firms which don’t run POS systems, the lessons should hold true for any company which grants remote network access to trusted third parties.
- Do your due diligence before hiring any supplier. Ensure access controls meet a high standard
- Maintain security going forward with regular audits of third party access systems.
- Consider technologies like Osirium Privileged User Management which hide access credentials from the user so they can’t be stolen or misused
- Operate the principle of “least privilege” to minimise the number of accounts which could be targeted