January 27, 2014
Lately it seems every day brings news of a cybersecurity attack in the retail space. How do cyber criminals pull it off? Let’s break down the anatomy of a skimmer attack.
Thieves install electronic software “skimmers” on point of sale (POS) terminals. As customers swipe their credit cards, these skimmers collect the track data— the electronically encoded data on the magnetic strip on the back of a credit card.
The capture of track data enables a cybercriminal to create counterfeit cards. They do so by encoding the track data onto a new card with a magnetic strip. In addition to the track data, thieves can secure information about the store’s location and zip code. This data enables cybercriminals to enhance the value of the stolen card numbers and evade fraud detection techniques based upon card user zip codes.
Some cybercriminals work with insiders. Insiders are unreliable and unmonitored employees, contractors, or vendors with authorized access to the retailer’s POS infrastructure. The insider can use both access and knowledge of the system to install the skimmer, establish the collection and exfiltration process and software, and either disable, circumvent, or otherwise remain under the visibility of security controls.
If the thief is an outsider without authorized access, it is likely that the external actor would have undertaken the following in a coordinated, sequenced manner:
- Initial intrusion: Gain access to infrastructure by finding and then exploiting vulnerability in a system or device that was connected to the Internet, or take advantage of a human error that led to a system configured in an insecure manner.
- Reconnaissance: Use access to the infrastructure to probe the environment as a means of both developing and understanding the security controls and identifying applications or business processes to target.
- Attack: Focus on the point of sale terminals, install tools to the appropriate part of the process to enable the attacker to capture and record credit and debit card transactions that were not encrypted.
- Exfiltration: Remove the captured information without detection.
- Avoid Detection: Conduct all these activities without being caught by the security controls within the environment.
It is important to understand that advanced actors take a “low and slow” approach to circumvent sophisticated security monitoring and detection mechanisms and methodically escalate access over days, months, and even years until they reach systems of high value. As such, executives and key business leaders should always be mindful that they may already be in a state of compromise and that threat actors wait patiently for the most opportune time or scenario to extract valuable data assets.