New Warnings of More Ransomware Attacks On the Way

July 11, 2017 Marketing GrafWebCUSO

Newly discovered credit card data breaches point out the need to defend against hackers, who have flooded the dark web with personal information and opened the door to more ransomware attacks.

Brian Krebs reported in his KrebsOnSecurity blog on two breaches: Missouri-based B&B Theatres, the seventh largest theater chain in the U.S., was hit with a two-year credit card breach; and Avanti Markets, which provides self-service payment kiosks that sit beside snack machines, suffered a malware intrusion on its internal networks.

Based in Gladstone, Missouri, B&B Theatres operates roughly 400 screens across 50 locations in seven states, including Arkansas, Arizona, Florida, Kansas, Missouri, Mississippi, Nebraska, Oklahoma and Texas.

B&B Theatres said in a statement that it was made aware of a potential breach by a local banking partner in one of its communities. “We immediately engaged Trustwave, a third-party security firm recommended to B&B by partners at major credit card brands, to work with our internal IT resources to contain the breach and mitigate any further potential penetration.” B&B explained that while some malware dated back to 2015, Trustwave did not conclude that customer data was at risk on all B&B systems for the entirety of the breach.

“In June, sources at two separate U.S.-based financial institutions reached out to KrebsOnSecurity about alerts they had received from the credit card associations regarding lists of compromised card numbers from a recent breach,” Krebs pointed out. He added that card companies generally do not reveal the specific merchants breached, leaving credit unions and banks to work from lists of compromised cards to a so-called “common point-of-purchase.”

The breach at Tukwila, Wash.-based Avanti Markets might jeopardize not only credit card accounts but biometric data as well. Some 1.6 million customers use Avanti’s company breakroom self-checkout devices, which allow customers to pay for drinks, snacks and other food items with a credit card, fingerprint scan or cash.

“On July 4, 2017, we discovered a sophisticated malware attack which affected kiosks at some Avanti Markets,” the company said in a statement. “Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks.”

Cybersecurity experts maintain that credit card machines and point-of-sale devices are preferred targets of hackers because the data pinched is very easy to monetize.

“With this influx of credit card breaches, hackers are dedicating a lot of time for small profits on the dark web,” John Christly, global CISO, Netsurion, a provider of managed security services for multi-location businesses, and EventTracker, its SIEM subsidiary, said.

Christly added that researchers estimate U.S.-based credit card information is worth $5-$30 depending on the data. “Why so little? It’s basically supply-and-demand fundamentals.” Stolen credit card data now floods the dark web, driving the price down.

So, what’s next? “We believe it’s the potentially devastating threat of POS ransomware. If retailers don’t protect themselves properly, this isn’t much of a stretch. Rather than gain access to a chain’s POS to exfiltrate credit cards over months (or even years), cybercriminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt,” Christly warned. “This would likely prompt stores to pay the ransom right away, allowing the threat actors to profit within minutes. And with the impressive success of the global WannaCry and Petya outbreaks, cybercriminals are taking notice of what works.”

What can retailers do better to prevent these attacks? Christly suggested:

  • Deploying a managed firewall
  • Providing file integrity monitoring, security information and event management, managed detection and response capabilities, and endpoint security solutions, which bring advanced threat detection and response specifically to the POS systems.
  • Unifying threat management appliances such as firewall, gateway antivirus, and intrusion detection.

“Merchants should also remember that being PCI compliant may not be (and is usually not) the same thing as being secure,” Christly said.