Encryption! Gotta love it! It makes paying for things so easy, and secure… Most of the time.
You swipe your card when you buy a t-shirt, gas up your car, or whatever else you do with your plastic. Then, your sensitive, (hopefully) encrypted payment data gets fed into a Point-of-Sale (PoS) system, decrypted in the PoS’s RAM for processing, and you’re good to go.
Except when you’re not. And that gets us to PoS malware and its latest victim, the clothing store Forever 21.
Forever 21, based in Los Angeles, announced on Tuesday that an unidentified third party told the clothier that there may have been unauthorized access to data from payment cards that were used at certain stores.
Forever 21 began an investigation of its payment card systems, brought in a security and forensics firm to help out, and informed customers.
The retailer doesn’t appear to know much, including whether or not anybody’s payment data were actually compromised. But unlike many outfits that get hit with a data breach, the company actually gave us a tiny bit of detail about what’s been going on with encryption in its PoS devices.
Apparently, Forever 21 implemented its current encryption and tokenization solutions in 2015. However, it says that the encryption of some PoS devices in some Forever 21 stores wasn’t in operation. The retailer didn’t say when the encryption was nonfunctional, but the investigation is focusing on card transactions that took place between March and October 2017.
It’s too early to give out more details than that, Forever 21 says, but it expects to provide further information on the specific stores and timeframes that may have been involved as the investigation continues. It runs 815 stores in 57 countries, so this could well be a widespread breach.
Forever 21 says it’s “always advisable for customers to closely monitor their payment card statements.” If you see a fishy charge, immediately notify the bank that issued the card. Generally, you won’t be held responsible for any fraudulent charges.
SophosLabs has analyzed the various types of PoS crimeware over the years. In 2013, SophosLabs discovered what was then the highly prevalent Citadel crimeware targeting PoS systems.
The Citadel malware was using screen captures and keylogging instead of the RAM-scraping technique used by another PoS malware, Trackr.
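As an added illustration, not code from the original article or from SophosLabs: RAM scraping works because, for a moment, the card’s Track 2 data sits in the PoS process’s memory as plain text. A defender’s memory-hygiene or DLP check looks for exactly that, using the ISO 7813 Track 2 layout plus a Luhn check-digit test to separate real card data from random digit runs, and reports findings with the PAN masked. The buffer below is constructed, the PAN is the well-known test number 4111111111111111, and the `token=` line format is an assumption standing in for whatever a tokenization product would leave behind.

```python
import re

# ISO 7813 Track 2 as read from a magnetic stripe:
#   ';' PAN (13-19 digits) '=' YYMM service-code discretionary-data '?'
# Matched on bytes so it can run over a raw memory dump or log file.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record in buf, PAN masked, with its byte offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # pattern matched but check digit failed: not a real PAN
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
        })
    return hits


# Constructed sample of what a PoS process's memory might hold (not a real dump):
# a plaintext Track 2 record, a lookalike with a bad check digit, and a tokenized
# entry of the kind an encryption/tokenization product leaves behind instead.
PLAINTEXT_SAMPLE = (
    b"POS-TXN-LOG\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00\x00"
    b";4111111111111112=2512101000000000?"
)
TOKENIZED_SAMPLE = b"POS-TXN-LOG\x00token=tok_constructed_0001 exp=2512\x00"


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("tokenized", TOKENIZED_SAMPLE)):
        print(name, find_track2(sample))
```

Run against the plaintext sample the scanner reports one masked PAN at offset 12 and rejects the lookalike; against the tokenized sample it reports nothing, which is the state a working encryption/tokenization deployment should leave a PoS in.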
It’s far from surprising that somebody chose to zero in on Forever 21. Retailers are one of the most targeted industries, right up there with service, healthcare, food services, education, and hotel/tourism.
That makes sense: if you want to get money, you rob a bank. If you want to rip off credit and debit cards, you go where there’s a ton of transactions taking place and there are goldmines of payment data that can be harvested – as ex-SophosLabs researcher Numaan Huq pointed out when he took a deep dive into PoS RAM scraper malware and how it works.
Compromising a single PoS system (e.g. in a fast food outlet) may yield thousands of credit cards per week, cheaply – much easier to gather 10,000 credit card details from one PoS system than attempt to infect 10,000 PCs, hoping to grab the data from there.
If not protected properly, PoS systems become easy targets, Huq said: “a single point of failure that can affect thousands of people.”
One example: in September 2014, a PoS vendor lost a user name and password used to remotely access its systems. 324 US restaurants were breached as a result.
What to do if you’re a customer? Keep an eye on your credit card and bank statements, like Forever 21 advised, absolutely. And if you’re a vendor who’s outsourced payment card processing? It’s worth reiterating the advice that Naked Security’s Paul Ducklin has previously offered:
PoS vendors who insist on remote access to your network should be able to answer at least the following questions to your satisfaction:
- What technology they use (e.g. RDP).
- How they secure it (e.g. with two-factor authentication).
- Who has access (e.g. vetted support technicians only).
- What they use it for (e.g. installing updates).
- How they keep access to your network separate from other customers.
- How access by their staff is reviewed (e.g. what they do with the logs).
- How quickly you will be told if irregularities are spotted.
Don’t be afraid to ask. You’re handing over the keys to your commercial kingdom, Paul points out. The least you can expect is informative, educational answers.