In the last few years, millions of consumers have had their personal details stolen by criminal syndicates in sophisticated cyber-attacks on retail chains. Retailers are tempting targets for these gangs, since the valuable material - the credit card numbers and identity data - is available in large numbers.
POS terminals are often just outdated Windows PCs, frequently used for book-keeping and Web browsing, making an attacker's task that much simpler.
Some attacks on US retailers have been in the news, but South African organisations have also been targeted, and will continue to come under fire. New trends in online retailing are only making matters worse, as the attackers move on to new victims. The big story was Target, the second largest US-based discount retailer, but the runaway leader in terms of data loss. Over the course of several months at the end of 2013, attackers captured data for an estimated 120 million Target customers, including the credit card data of some 40 million. South Africa has a total population of just over 50 million, for comparison. Neiman Marcus, another retail chain, was exploited over the same time period, losing 1.1 million customer records.
But it's not only overseas companies being attacked. In 2013, several restaurant chains in South Africa were targeted, with KFC hit particularly hard. Across the country, hundreds of thousands of customers were affected, with losses estimated to reach tens of millions of rands. The banks absorbed most of the damage, but what goes around comes around: the consumer ultimately pays the price. "There's not a single bank that hasn't been affected," Walter Volker, CEO of the South African Payments Association, told Bloomberg at the time. In 2012, local payment processor PayGate was hacked, potentially leaking thousands of cards.
Although every attack is different, the current wave of attacks has focused on planting malicious software in point-of-sale (POS) terminals at retail outlets. In the case of Target and Neiman Marcus, a specific strain of malware known as BlackPOS was used. The software scraped credit card details out of the volatile memory of the POS terminals, uploading it in bulk to central servers under control of the attackers. In the case of Target, those servers operated inside the company's network, hinting at the true depth of the attack.
In South Africa, the syndicate used similar POS terminal malware, known as Dexter, with customised variants created to thwart detection. Dexter has been seen in the wild since 2012: like many high-profile malicious software packages, it is actively developed by professional malware authors and sold on the black market.
Organised crime
POS systems are popular targets not just because the data is readily available, but the vulnerabilities are compounded by unsafe practices within many retailers, particularly smaller operations. POS terminals are often just outdated Windows PCs, frequently used for book-keeping and web browsing, making an attacker's task that much simpler.
The high-profile organised crime activity is a comparatively recent development, but POS systems have been under attack for many years. In 2005, Albert Gonzalez, an American hacker with Russian criminal friends, went on a three-year crime spree, stealing more than 170 million credit card details. His preferred target was retailers, often attacking their vulnerable systems via open wireless networks. Among his many victims was none other than Target Corporation, where the attack of 2013 must have been the worst sort of d'ej`a vu. Gonzalez was finally caught in 2008 after getting sloppy, and is now serving 20 years in jail.
The payment card industry specifies stringent security practices for card handling, with its requirements published (and frequently updated) via the PCI DSS (payment card industry data security standard) framework. Many of the organisations targeted have been fully PCI-compliant, though, which raises questions about whether the industry is keeping up with the threat landscape.
Damage control
In particular, the banks feel the burn when these attacks occur, since they're ultimately liable for fraud suffered by card holders. As a result, the fraud detection and mitigation processes in place are highly effective: while attacks may result in widespread loss of data, the actual financial impact is minimised.
However, the long-term risk of fraud and identity theft from personal data stolen in these breaches is another kettle of fish, and while SA has yet to see the full impact of identity theft syndicates, it is a thriving business in the developed world and only a matter of time until we start to feel the effects.
The whole world's going mobile-crazy, and retail is right up there. Mobile payment systems, particularly mobile point of sale (mPOS), is a growing niche, with tools like Square allowing anyone with a smartphone to process card payments. Locally developed Thumbzup is a smartphone payment device created for the local market, with Absa already on board, co-branding it as the Payment Pebble. Attackers won't be far behind, unfortunately: Jon Butler and Nils, two highly regarded security researchers at MWR Infosecurity, have already demonstrated working attacks against a number of mPOS systems. Malware toolkits targeting mobile platforms are also on the rise, so the migration of POS malware into the mobile space is almost certainly inevitable.
There are two areas of concern to the consumer. The most immediate threat is credit card fraud, with criminals cloning cards and making purchases or emptying bank accounts. That risk is common but relatively low: the banks are able to detect and block suspect transactions, and you can scrutinise your own transaction history for anomalies and request SMS alerts. Look after your credit card, and you can minimise the risk.
The deeper threat, less common but of higher risk, is full-blown identity theft. When Sanral's e-toll database was hacked earlier this year, security researchers pointed out that leaking bank details was actually not the major concern, it was the full access to users' physical addresses, ID numbers, and other personal data that would tempt an attacker: everything you need to clone an identity. And that is much harder to protect. If you're giving that sort of information to a vendor, online or not, think carefully about the trust relationship involved.
First published in the March 2014 issue of ITWeb Brainstorm magazine.
Share