Payment card attacks are nothing new. Cybercriminals have been targeting payment cards for more than a decade. However, there is a disturbing trend of cybercriminals discovering and leveraging novel ways to steal payment cards credentials during online transactions.
Online merchants have long espoused techniques that make online commerce safe, but that assurance is under a new level of attack. Recent advances in payment card attack sophistication up the game for cybersecurity professionals.
Protecting online commerce is always challenging, but it can be rewarding and effective. Let’s look at a few ways to stay at least one step ahead of emerging payment card threats.
Understanding payment card threats
Using someone else’s payment card to steal funds is an attack that has existed as long as payment cards. In the beginning, merchants would use a mechanical device to make an impression of the raised payment card numbers into a set of carbon-copied transaction records. The customer would sign the record and take one copy. A second copy would stay with the merchant, and a third copy would go to a payment processor to settle the payment.
The early process was simple, and when the device that created payment card impressions would fail, vigorously rubbing a pen or pencil body over the card would transfer the image to the transaction record. In those days, if you could grab a payment card number and forge the owner’s signature, you could create fraudulent transactions.
When online transactions started to become more prevalent, signatures became less important; all cybercriminals needed were elements of a payment card holder’s basic information, such as card number, name and billing address. Intercepting credit card numbers wasn’t very difficult, since encryption wasn’t the norm prior to the early 2000s.
But it didn’t take long for the payment card industry to recognize the growing threat to transactions. Several of the biggest payment card industry vendors, including Visa, MasterCard, American Express, JCB International and Discover, joined forces to develop the Payment Card Industry Data Security Standard (PCI DSS). One of the many requirements of the PCI DSS is that all transmissions involving payment card data (and subsequent storage) must be encrypted.
PCI DSS increased security and upped the ante for payment card attacks, so the cybercriminals upped their game as well. Now we see a wide range of attacks that focus on intercepting, or skimming, payment card numbers and related data prior to any encryption efforts. The general idea for today’s attacks is to find creative ways to push the attack closer to the point of payment card number acquisition.
In the physical world, this led to portable and stealthy physical card skimmers. Card skimmers work by replacing a valid card reader with a device that reads the credit card data and then sends it to an attacker’s preferred repository. Sophisticated skimmers pass the data through to the intended destination to remain undetected for as long as possible. As small battery-powered skimmers became popular, unscrupulous servers at some restaurants began skimming cards with pocket skimmers before processing payment cards properly. (Of course, the vast majority of servers would never do such a thing; tip your servers well.)
That brings us to today’s payment card exploits. Online transactions do not have a physical point of contact with a payment card. Payment card information gets entered in a webpage that transmits data using strong encryption. So there are two main approaches to compromising payment card data: tricking users to give up their data, or grabbing the data before it gets encrypted and transmitted.
Tricking users involves social engineering and commonly gets carried out using phishing attacks. We’ll cover phishing attacks in another article. The other approach is electronic skimming. That’s the sweet spot for today’s skimmers. It seems that many current payment card exploits of this sort push the skimmers as close to the keyboard as possible.
Several of the more popular exploits are Magecart, point-of-sale (POS) attacks, and credential stuffing. Security Intelligence posted a nice article that covers each type of attack. In one flavor of attack, the attacker places a software skimmer within a counterfeit social media icon. Since most users trust the most common social media icons, they generally trust actions associated with clicking on an icon that appears to be familiar and trusted. Payment card attacks have come a long way, so we require a more sophisticated response to successfully combat creative attackers.
Mitigating payment card threats
The key question is not what attacks exist, but how to thwart those attacks — as well as attacks that do not yet exist. While there is no answer that is 100% effective, you can follow trusted advice from decades of security professionals to minimize your exposure to risk.
In short, implement a defense in depth strategy. Defense in depth means that every protected resource, including payment card data, has multiple security controls between the resource and the attacker. An attacker must compromise those multiple controls to access the resource.
This approach is designed for maximum attacker frustration and control redundancy. As you make your protected resources harder to access, you increase the likelihood that an unmotivated attacker will move on to the next potential victim. The primary goals of mitigating payment card threats are to understand today’s attacker techniques, and placing controls or countermeasures to thwart their attempts.
One of the easiest attack types to address is credential stuffing. Credential stuffing relies on the practice of users reusing the same passwords across multiple sites. If an attacker can find a password through a published breach, there is a reasonable likelihood that the same user has used that password for another resource. Unfortunately, credential stuffing has turned out to be rather difficult to stop. Users are resistant to creating a unique password for every resource due to the sheer number of passwords they must maintain. Password managers help, but most users (even security professionals) tend to reuse at least some password out of convenience.
Other common attack vectors depend on client-side code injection or sophisticated RAM-scraping techniques. The best mitigation for these attacks is to validate all application code via code analysis and then ensure all data is validated at both the client and server. Further, application code should minimize any sensitive data stored in memory for longer than is required.
Code security analysis products such as Kiuwan can help here. Mitigating payment card threats focuses on understanding current and emerging threats and then modifying application code and infrastructure controls to provide layers of defense.
Responding to payment card incidents
In spite of the best laid plans, some attacks are successful. Sooner or later, the probability is that your organization will encounter a valid security incident. Before this happens, you should prepare for the situation so that you don’t let it take you by surprise. The key to good incident response starts with considering the possibility that your organization will be vulnerable. Once you accept that premise, you’re on your way to managing incidents effectively.
Formal incident-handling consists of several steps. These steps are summarized from a comprehensive description of handling computer security incidents from the Cybersecurity and Infrastructure Security Agency (CISA). CISA publishes a guide on defining a computer security incident response team (CSIRT), which defines the following CSIRT activities:
- Determine the impact, scope, and nature of the event or incident
- Understand the technical cause of the event or incident
- Identify what else may have happened or other potential threats resulting from the event or incident
- Research and recommend solutions and workarounds
- Coordinate and support the implementation of the response strategies with other parts of the enterprise or constituency, including IT groups and specialists, physical security groups, information security officers (ISOs), business managers, executive managers, public relations, human resources and legal counsel
- Disseminate information on current risks, threats, attacks, exploits and corresponding mitigation strategies through alerts, advisories, webpages and other technical publications
- Coordinate and collaborate with external parties such as vendors, ISPs, other security groups and CSIRTs, and law enforcement
- Maintain a repository of incident and vulnerability data and activity related to the constituency that can be used for correlation, trending, and developing lessons learned to improve the security posture and incident management processes of an organization
Implementing the CISA CSIRT guidelines gives any organization the framework to respond to, recover from and, most importantly, learn from security incidents. Taking what you’ve learned and using that knowledge to improve your security controls makes your organization better able to prevent and handle security incidents of any type, including payment card incidents.
If you want to stay ahead of the attackers, implement a formal approach to learn from past attacks, and prepare for those in the future.