RE: “KUHOOK” POINT OF SALE MALWARE

Please read the Visa Security Alert linked here: Visa Security Alert 12 2015

Visa has observed criminal malware aka “Kuhook” designed to steal card holder payment data from point of sale (POS) systems still running the Microsoft Windows XP operating system.  Microsoft retired Windows XP Professional April 2014 and will soon retire Windows XP Embedded January 2016.

Kuhook is some of the most sophisticated and difficult to detect payment card stealing malware Visa has ever seen.

Credit Card Compliance Data Security Standards section 6.2 requires that critical systems be patched and updated to protect against known vulnerabilities, and because this is not possible to do with a retired Microsoft operating system, such as Windows XP,  hackers are taking full advantage and targeting businesses that continue to run these obsolete operating systems.

Here is a link to the PCI Data Security Standards: PCI Data Security Standards 3.0

It’s not worth the risk to roll the dice and hope for the best.  Data breaches continue to be on the rise and are detrimental to businesses that have been identified as a “Common Point of Purchase” of stolen card holder data.

It’s best to comply with the PCI Data Security Standards in regards to keeping critical systems updated. If your business is in a payment environment processing sensitive card holder data and is running a back office computer or touch screen terminal with a retired operating system that cannot be patched or updated to protect against known vulnerabilities, your business is not only failing to meet PCI Data Security Requirements, but is also at serious risk.  Please contact your POS provider as soon as possible and plan a strategy for a successful upgrade path.

Q: How do I know my Business is at Risk?

A: If your business is processing credit cards by swiping cards and/or typing in card numbers on a touch screen computer or back office computer running the Microsoft Windows XP Professional (or older) operating system after April 2014.

A: If your business is processing credit cards by swiping cards and/or typing in card numbers on a touch screen computer or back office computer running the Microsoft Windows XP Embedded (or older) operating system after January 12th 2016.

Please contact your POS provider if you are uncertain which operating systems your payment applications are running on.

RE: INSECURE REMOTE ACCESS AND USER CREDENTIAL MANAGEMENT

Please read the Visa Security Alert linked here: Visa_Security_Alert_070114

Visa has recently observed an increase in malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments and ultimately, payment card data.  These attacks are suspected to have occurred as a result of compromised username/login credentials combined with remote management software exposed to the Internet.

The takeaway lesson learned here is not to use “off the self” remote access programs such as LogMeIn, TeamViewer, etc to remote into a payment environment processing credit card transactions.  Intruders are using these programs to gain access to your system.  

Here is a link to a recent article where a restaurant chain was potentially hacked using the LogMeIn account.
http://pciguru.wordpress.com/2014/07/01/the-flaw-in-requirement-8-5-1/

Only use remote access tools that use two-factor authentication.  Here is an example:  When remote accessing your payment processing computer, the first step would be to type in your username & password.  This is the first factor.  The second factor would then be prompted to type in a temporary pin number that is sent to your cell phone via a text message.  This pin number is unique and will expire in a matter of minutes and cannot be used again.  Once you type in the pin number, only then are you in.

Part of Credit Card compliance requires the remote access program to use two-factor authentication.  JCR Systems offers two-factor authentication and includes it with our support plan at no additional cost.  If you are not using our tool, please contact us for assistance.

If you are using a remote access tool such as LogMeIn, TeamViewer, etc, that is not using a second factor to gain access, such as a temporary pin number, this Visa Alert explains the risk for malicious remote access activity.  Please uninstall these programs immediately and contact us for assistance.

In past decades this was the norm, but in recent years they are no longer in the best business practices category because they present a weakness to key loggers and skimmers designed to intercept what is typed in.  If credit cards are swiped through a keyboard wedge emulation card reader, the card holder data encoded on the black magnetic stripe can be sent directly to the key logger or skimmer.  Data Security Breach!  New terminals with built in encrypted card readers are the best way to go to help prevent your customer’s card holder data from being compromised as it’s swiped.

If you are not sure if your card readers are the old keyboard wedge style or not, it’s easy to find out.  Simply plug a keyboard into your terminal and if it’s running a Windows operating system bring up Windows Notepad (or Wordpad or Word).  With the cursor blinking in Notepad type something in using the keyboard and you should see what you are typing in.  Now pull out your credit card and swipe it on the terminal’s card reader.  Upon swiping your card, if you suddenly have a lot of data appearing in notepad, that is your credit card data that is encoded on the black mag stripe on the back of your card.  Time to retire and replace the point of sale terminal with a new generation terminal running an encrypted card reader.

Though these old school card readers are still being manufactured today, best business practices is to use an encrypted card reader, or one with a different interface such as serial that requires special software drivers to properly interface and work with the point of sale software application.

A recent event happened with a retailer’s store in Florida where they found the skimmers the thieves installed on their pos terminals.  You can read the article here Posted October 13th 2013: http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-skimmers/

In this Newsletter

• MasterCard Unique Terminal ID Requirement
• Healthcare Requirements Coming in 2015
• P2PE Reduces the Risk of Cardholder Data Breaches
• PCI PA-DSS Status of NCR Aloha Payment Applications
• Is a ZIP Code Considered “Personal Identification Information”?