Protect Your Business from Backoff Malware and other Point-of-Sale Threats

09/01/2014

On August 22, the United States Computer Emergency Readiness Team, or US-CERT, updated its alert indicating that over 1,000 businesses may have been affected by malware that has targeted their point-of-sale (PoS) systems for processing customer payments.

The malware, unofficially dubbed “Backoff”, has been deployed in several variations, and it has allowed criminals to steal consumer payment information. The variations of Backoff malware have been observed as far back as October 2013 and continue to operate as of July 2014, meaning that consumer credit and debit card numbers and other personal data have already been compromised and are at continued risk.

According to the Secret Service, numerous network intrusions have occurred in the U.S., where seven PoS systems vendors have confirmed that they have had multiple clients affected. The security breaches have involved private sector businesses of all sizes, and the malware has been witnessed in at least three separate forensic investigations.

In this case, investigations have revealed that attackers are using publicly available tools to identify businesses that use remote desktop applications to connect to their computers from a remote location. Once they locate these businesses and the applications they use, the criminals use brute force attacks against the remote access login to gain access to administrator accounts. Once they have privileged access, they are able to deploy the malware and begin to steal payment information.
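One way to detect the intrusion pattern described above from logon records, added here as an example and not taken from the US-CERT alert or any vendor's tooling. It counts failed remote logons per source address in a sliding window and notes when a successful logon follows the burst. The CSV layout, the threshold and window values, and the sample events are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample data in an assumed CSV export layout (not a real tool's format).
# Event 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); type 3 (Network) is included because failed RDP
# logons are often recorded that way when Network Level Authentication is on.
SAMPLE_EVENTS = """time,event_id,logon_type,account,source_ip
2014-08-22T02:10:01,4625,10,administrator,203.0.113.7
2014-08-22T02:10:04,4625,10,admin,203.0.113.7
2014-08-22T02:10:09,4625,10,administrator,203.0.113.7
2014-08-22T02:10:15,4625,3,pos,203.0.113.7
2014-08-22T02:10:21,4625,10,administrator,203.0.113.7
2014-08-22T02:10:30,4624,10,administrator,203.0.113.7
2014-08-22T08:59:40,4625,10,jsmith,198.51.100.20
2014-08-22T09:00:05,4624,10,jsmith,198.51.100.20
2014-08-22T09:15:00,4625,2,cashier1,127.0.0.1
"""
REMOTE_LOGON_TYPES = {"3", "10"}

def detect_rdp_bruteforce(csv_text, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed remote logons inside `window`,
    and record the first account that logs on successfully after the burst."""
    recent = defaultdict(deque)    # source IP -> failure times still inside the window
    targeted = defaultdict(set)    # source IP -> account names tried
    alerts = {}                    # source IP -> alert record
    rows = sorted(csv.DictReader(StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        if row["logon_type"] not in REMOTE_LOGON_TYPES:
            continue               # console or service logons are out of scope
        ip, ts = row["source_ip"], datetime.fromisoformat(row["time"])
        if row["event_id"] == "4625":
            targeted[ip].add(row["account"])
            recent[ip].append(ts)
            while ts - recent[ip][0] > window:
                recent[ip].popleft()
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"source_ip": ip, "burst_start": recent[ip][0],
                              "accounts_tried": targeted[ip], "success_after": None}
        elif row["event_id"] == "4624" and ip in alerts:
            if alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = row["account"]   # likely guessed password
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

An alert whose `success_after` field is set is the case to escalate first: a privileged remote session opened right after a run of failures from the same address.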

The theft of consumer payment data has involved several mechanisms:

  • Scraping computer memory for “track data” from the magnetic stripe of credit, debit, or stored-value cards
  • Logging keystrokes on the infected systems to steal additional data and confidential information
  • Commanding and controlling infected systems so they can upload data with encryption to maintain secrecy, update the malware, and download and install additional malware
  • Injecting additional malicious code to ensure that the malware keeps running or reboots if the malware crashes or is forcibly stopped

All of these are core features of point-of-sale malware, which has become an increasingly common threat to retailers. Target Corporation became the most infamous victim of PoS malware late last year when approximately 40 million payment card accounts were compromised in a span of just three weeks.

In the Target incident, an email malware attack was used to steal the network login credentials that Target had issued to an HVAC vendor. By stealing those credentials and using them to gain access to the Target network, attackers were able to deploy similar point-of-sale malware that scraped computer memory to steal consumer payment card data from thousands of check-out registers.

Address the Root Cause: Eliminate Password-based Network Logins

The Target case and the developing “Backoff” investigation point to a common vulnerability in network security that attackers exploit. These attacks are made possible because businesses, their employees, and their vendors use passwords and other sensitive credentials to log into company assets, whether those assets are remote access applications or simply company websites and networks.

This opens up numerous possibilities for attackers to compromise user accounts through brute force, hacking, phishing, malware, and other methods. They can use brute force and software automation to “guess” a correct ID and password combination, use phishing to trick users into sharing their credentials, or use malware, SQL injection, or other tools to steal credentials as they are entered or when they are transmitted.

Once attackers can gain access to just one user account, particularly if it allows administrative access, they may be able to compromise a company network and use it to deploy malware on a large scale across all of its PoS systems.

This is a nightmare scenario for any business, but it is remarkably easy to prevent by upgrading your login security and replacing password-based logins with an authentication method that relies on public key infrastructure rather than the entry, transmission, and storage of sensitive credentials.

Using the same cryptography principles that Target will deploy in the future with smart cards and chip-and-PIN technology to protect payment information, you can use public key infrastructure to provide a two-factor authentication method that will make it impossible for attackers to steal a user’s credentials and use them to access your network or deploy PoS malware.

Deploying PKI-based Authentication with SecSign ID

SecSign Technologies, a subsidiary of SecCommerce, which pioneered chip-and-PIN smart card solutions in Germany, has created a solution called SecSign ID. It enables quick yet completely secure authentication and eliminates the use of passwords and other sensitive credentials that enable and invite criminal attacks.

SecSign ID allows users to securely access your network by using a simple web- or application-based login and mobile authentication. The authentication method is based on the principle of knowledge and possession, which is the basis for smart card security.

Using encrypted key pairs, with one stored securely on the authentication server and another on the user’s mobile device, SecSign ID requires the user to have physical possession of his or her mobile device and to verify his or her identity and rightful ownership of the private key through knowledge or biometrics.

After entering a simple, non-confidential user ID in the web- or app-based login for your network, the user receives an instant notification on the mobile device through the free SecSign ID mobile app. This allows the user to open the app, tap on the user ID, and then enter a PIN or passcode in the app or use Apple’s Touch ID fingerprint scan to verify identity.

Passwords are not required, and sensitive credentials are never entered through the login mechanism and are never stored on a server. Thus, there are no credentials for attackers to steal through brute force, hacking, phishing, or malware. SecSign ID physically eliminates the possibility of these attacks compromising your user accounts. And, even if the user’s mobile device is lost or stolen, the encrypted private key stored on the device is protected by a patented SafeKey mechanism, which protects it from brute force attack.

Implementing this approach will also ensure that your business is compliant with section 8.3.a of the current Payment Card Industry (PCI) data security standard, which requires merchants to use two-factor authentication for all remote network access originating from outside the network by personnel and all third parties.

Payment Card Industry Data Security Standard 8.3.a:

Examine system configurations for remote access servers and systems to verify two-factor authentication is required for:

  • All remote access by personnel
  • All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes)

More importantly, however, deploying two-factor authentication with public key infrastructure can help your business achieve security that surpasses compliance requirements and mitigates critical risks that the PCI standard does not address.

For example, PCI requires two-factor authentication only for remote network access, but, with SecSign ID, the same security can protect on-premise authentication, ensuring that all user access is secured with powerful cryptography and identity verification that makes it virtually impossible for criminals to compromise your user accounts.

This also helps mitigate another risk that PCI requirements do not address, which is the use of the same network to handle payment and non-payment operations. According to Avivah Litan, as cited in an analysis by Krebs on Security, “the current PCI standard does not require organizations to maintain separate networks for payment and non-payment operations.”

Without this separation, attackers may find it much easier to steal consumer payment information because all operations are conducted on a single network, and they only need to compromise this single target. However, with SecSign ID, the original vulnerability that enables unauthorized access to networks is eliminated. Attackers cannot exploit passwords or other credentials to compromise user accounts, so they cannot use those accounts to access any company network, whether it is separate or not and regardless of whether it contains payment or non-payment operations.

This also means that, even if anti-malware or other security programs are unaware of an emerging threat and thus have no ability to detect and eliminate it, your networks will be safe and will not be at risk.

Without the ability to compromise user accounts and gain access to your networks, attackers will not be able to deploy any malware application. With SecSign ID, your networks and the payment information of your customers will be completely safe from these threats.

This can have enormous benefits in preserving and strengthening your brand while also protecting against legal liabilities and the staggering costs of addressing an embarrassing security breach after the fact.

To learn more about SecSign ID, watch this brief overview video or visit https://www.secsign.com/business/two-factor-authentication/. If you are interested in more details and in getting assistance with integrating SecSign ID for two-factor authentication to protect your business, contact the security engineers at SecSign Technologies.
