Eddie Bauer the Latest Victim of POS Malware Attack

Outdoor clothing company Eddie Bauer has become the latest victim of a large-scale point-of-sale (POS) malware attack, leading to the compromise of customer card data over the first six months of this year.

The firm claimed in a press release late yesterday that it is currently notifying an unspecified number of customers about the attack, which took place between 2 January and 17 July this year.

Interestingly, the company said that this POS malware campaign was part of a “sophisticated attack” encompassing a range of hotels, restaurants and retailers.

It emerged this week that a major breach had occurred at Hyatt, Marriott, Starwood and Intercontinental hotels between March and June 2016.

“We have been working closely with the FBI, cybersecurity experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” said Eddie Bauer CEO, Mike Egeck.


PA Data Security Standard v3.2 Released

The Payment Application Data Security Standard, which is used by payment application vendors to ensure the security of payment card data, has been upgraded by the PCI Security Standards Council (PCI SSC) to version 3.2.

PA-DSS v3.2 is released alongside the recently published PCI DSS version 3.2. Both standards are meant to address growing threats to customer payment information. Updates to these standards are based on feedback from the PCI Council's more than 700 global participating organisations, as well as data breach report findings and changes in payment acceptance, Help Net Security noted.

Cryptomathic Joins PCI Security Standards Council

The PCI Security Standards Council has added Cryptomathic as a participating organization, indicating an enhanced focus on pioneering better methods of key management and encryption for payments.

Endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the PCI Security Standards require merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data protection—not just once a year, but as part of a business-as-usual security posture.

To enhance payment data security globally while embracing new technologies as they are developed, the Council relies on the involvement of those across the payments processing chain, from merchants and service providers to payment device manufacturers and software developers, financial institutions and processors.

PCI DSS 3.2 Expected as Soon as March

The next version of the card data security standard, PCI DSS, could land as soon as next month, replacing the expected November release as the only update in 2016, according to the PCI Security Standards Council (SSC).

The council’s CTO, Troy Leach, explained that the standard is moving towards a system of smaller, more incremental modifications to address things like the EMV roll-out in the US, rather than larger, wholesale updates.

“When making changes to the standard, in addition to market feedback, we look closely at the threat landscape, and specifically what we are seeing in breach forensics reports as the trending attacks causing compromises,” he argued.

“With this in mind, for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.”

Leach was at pains to point out that any updates will still be succeeded by a sunrise period prior to them taking effect in order to let complying organizations complete their assessments and validate the new requirements.

Changes to PA-DSS are also planned and will be published in the month following the release of PCI DSS 3.2, he added.

“It is a healthy practice for any company to regularly evaluate how it accepts payments and whether it can reduce the risk to its customers and its organization by changing business practices for cardholder data exposure; evaluating newer payment technology like tokenization and encryption; and confirming its third party service providers understand the importance of the upcoming changes as well,” Leach concluded.

“The revision of PCI DSS is as good a time as any to re-evaluate how to minimize effort while improving security posture.”

The PCI SSC has released guidance for firms looking to address migration from SSL/early TLS here.

SOURCE: Phil Muncaster | Infosecurity Magazine

Common payment processing protocols found to be full of flaws

Credit card users could have their PINs stolen, and merchants could have their bank accounts pillaged, in a set of attacks demonstrated by researchers Karsten Nohl and Fabian Bräunlein at the Chaos Computer Club security conference.

Much research has been done into the chips found on credit cards and the readers and number pads used with these cards, but Nohl decided to take a different approach, looking instead at the communications protocols used by those card readers. There are two that are significant; the first, ZVT, is used between point of sale systems and the card readers. The second, Poseidon, is used between the card reader and the merchant’s bank. Nohl found that both had important flaws.

The ZVT protocol was originally designed for serial port connections, but nowadays is used over Ethernet, both wired and wireless. The protocol has no authentication, meaning that if an attacker can put themselves on the same network, they can act as a man-in-the-middle between the point-of-sale system and the card reader. The attacker can then read the magnetic stripe data from the card, and can also request a PIN.

This could then be used to harvest card details at a retailer. Each time the PoS system asks the card reader to perform a PIN-authenticated transaction, the attacker's man-in-the-middle can intercept the request and replace it with a request for the mag stripe, followed by a request for the PIN. With this data harvested, the attacker can easily create cloned cards. To avoid raising suspicion, the man-in-the-middle can then direct the card reader to perform an unauthenticated PIN-less transaction using the magstripe data, leaving both cardholder and retailer unaware that anything has gone wrong.
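The root cause described above is that the POS-to-reader channel carries no message authentication, so a party on the same network can substitute commands unnoticed. The following is an added illustration, not code from the article or from the researchers, using a constructed toy command format (it is not the real ZVT or Poseidon wire format) and a hypothetical pre-shared key between POS and reader. It shows that an unauthenticated reader executes a substituted command while a reader that verifies an HMAC over the command and a sequence number rejects both tampering and replay.

```python
import hashlib
import hmac
from typing import Optional

# Constructed toy message format for illustration only; this is NOT the ZVT
# (or Poseidon) wire format, and the shared key is a hypothetical deployment step.


def _mac(key: bytes, cmd: str, seq: int) -> str:
    """HMAC-SHA256 over the command and its sequence number (hypothetical scheme)."""
    return hmac.new(key, f"{cmd}|{seq}".encode(), hashlib.sha256).hexdigest()


def build_command(cmd: str, seq: int, key: Optional[bytes] = None) -> dict:
    """POS side: emit a command; attach a MAC only when a key is configured."""
    msg = {"cmd": cmd, "seq": seq}
    if key is not None:
        msg["mac"] = _mac(key, cmd, seq)
    return msg


class Reader:
    """Card reader side. With key=None it mirrors the unauthenticated protocol."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key
        self.last_seq = -1
        self.executed = []  # commands the reader actually carried out

    def handle(self, msg: dict) -> bool:
        if self.key is not None:
            mac = msg.get("mac")
            expected = _mac(self.key, msg["cmd"], msg["seq"])
            # constant-time comparison so the check itself leaks nothing
            if mac is None or not hmac.compare_digest(mac, expected):
                return False  # tampered or unauthenticated command
            if msg["seq"] <= self.last_seq:
                return False  # replayed command
            self.last_seq = msg["seq"]
        self.executed.append(msg["cmd"])
        return True


def substitute(msg: dict, new_cmd: str) -> dict:
    """Model an on-path party rewriting the command field in transit."""
    altered = dict(msg)
    altered["cmd"] = new_cmd
    return altered


def demo() -> dict:
    """Run both protocol variants against the same substitution and report outcomes."""
    key = b"constructed-demo-key"  # constructed sample value

    # 1. Unauthenticated channel: the substituted command is executed.
    plain_reader = Reader(key=None)
    plain_msg = build_command("PIN_TRANSACTION", seq=1)
    plain_accepted = plain_reader.handle(substitute(plain_msg, "OTHER_COMMAND"))

    # 2. Authenticated channel: genuine command accepted, substitution and replay rejected.
    auth_reader = Reader(key=key)
    auth_msg = build_command("PIN_TRANSACTION", seq=1, key=key)
    genuine_accepted = auth_reader.handle(auth_msg)
    tampered_accepted = auth_reader.handle(substitute(auth_msg, "OTHER_COMMAND"))
    replay_accepted = auth_reader.handle(auth_msg)

    return {
        "unauthenticated_executed": plain_reader.executed,
        "unauthenticated_tamper_accepted": plain_accepted,
        "authenticated_executed": auth_reader.executed,
        "genuine_accepted": genuine_accepted,
        "tampered_accepted": tampered_accepted,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sequence number matters as much as the MAC: an HMAC alone would let a captured, correctly authenticated command be replayed later. In a real deployment the key distribution and terminal pairing would need their own design, which the article does not cover.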

My Digital Shield To Partner With PCI Security Standards Council To Improve Payment Data Security Worldwide

As Council’s newest Participating Organization, My Digital Shield will play a contributing role in the development of PCI security standards

My Digital Shield (MDS), a leading provider of Security-as-a-Service (SECaaS) for small businesses, announced recently that it has joined the PCI Security Standards Council as a new Participating Organization. My Digital Shield will work with the Council to achieve and improve payment data security worldwide through the ongoing development of the PCI Security Standards, including the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS).

Endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the PCI Security Standards require merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data protection – not just once a year, but as part of a business-as-usual security posture. To enhance payment data security globally while embracing new technologies as they are developed, the Council relies on involvement of those across the payments processing chain, from merchants and service providers to payment device manufacturers and software developers, financial institutions and processors.


Consumers Confused By Chip-and-PIN Cards

Consumers lack knowledge and education about the chip-and-PIN cards they have been receiving from card issuers, new research shows.

According to a survey from CA Technologies, more than half of US adults have been issued a credit/debit card with a chip (59%).

Yet, only two in five (41%) said that they know what the benefits of having a chip card are, and even fewer (37%) say their card issuer provided information or education on how to use it.

Further demonstrating the lack of knowledge and education, more than three quarters of the credit/debit card owners who have received a chip card said they believe it will better protect them from fraud during an online purchase (77%).