Hackers Target Little Guys

A retail magazine by NetWorld Alliance reports that research from global payment security consultancy Trustwave is showing some surprising results about the most common methods and targets of recent breach incidents by hackers.

Trustwave’s data was presented at the 2008 MICROS Users Conference this week in Maryland.

Mark Shelhart, manager of operations engineering for Trustwave, said his company has collected hard data from 400 recent cardholder-data compromises, and analyzed them to find the latest attack trends and techniques.

Among Trustwave’s findings, as reported by the NetWorld publication:

  • The vast majority of all hacker incidents (9 out of 10) were aimed at small merchants. Shelhart said this is a big change from just a few years ago, when big merchants were the primary target. Now that larger entities are paying closer attention to payment security, attackers are moving to easier targets. "Hackers are picking on the small guys," he said.
  • Despite the emphasis often placed on payment security in the online channel, 69% of the attacks were card-present. "The attack today is in your space," Shelhart said.
  • Most of the attacks (52%) were in foodservice, with retail a distant second (27%). Shelhart said many attackers will aim for the low-hanging fruit, and foodservice IT often "doesn’t get the TLC that it needs."
  • The most commonly attacked target (67%) is POS software, with online shopping far behind (25%). In a test conducted with Visa last year, Trustwave spent four hours doing a basic Internet scan, looking for ripe targets. Within four hours, the test identified the IP addresses of 1,600 POS systems — easily spotted due to improperly configured firewalls or other critical issues.

About 63% of the time, a third party is to blame for holes in the system – a POS developer, an integrator or a local IT firm.

Shelhart said many local IT integrators will use the same passwords for all of their clients that run a particular piece of software.

"So the attacker knows, ‘If I can get into one of them, I can get into all of them,’" he said. "It’s a cookie-cutter approach."

One of the requirements of the PCI data standard is that merchants must not improperly store detailed card data — "track data," the magnetically encoded information that could be used to make any number of duplicate cards if it fell in the wrong hands.

About 95% of brick-and-mortar merchants surveyed are running non-compliant software and are storing track data, according to the study’s findings, as reported by the NetWorld publication.

The study listed the top 10 methods of card data compromise:

  • SQL injection
  • Backdoor/trojan
  • Remote access issues
  • Perimeter security issues
  • Weak passwords
  • Remote exploit
  • Keystroke loggers
  • Internal attacks
  • Physical security issues
  • Wireless