Guest Analysis: Successful Hacker Tricks in 2014

Todd Hovorka, CISSP, QSA, PFI, ACE  

July 11, 2014 – While it is true that hackers continually develop more sophisticated methods of attack, ironically, businesses continue to be breached by overlooking the simplest and most obvious of vulnerabilities. The following are 3 common methods of attack utilized with great success against businesses in 2014, and how to avoid becoming one of the unfortunate victims.

Improperly configured remote access applications are (still!) easily compromised

In many cases, business owners or other authorized personnel need access to store, satellite, or corporate office systems while they are not physically present. This can be accomplished by utilizing any number of low cost remote access applications.

Inherent in such applications is the tendency to “just get it up and running” and worry about security later. This is a serious mistake.

If a remote access application is not immediately secured upon installation, attackers have the opportunity to bypass firewalls and gain direct access to sensitive data on the affected network. Even if security measures are implemented a day or two later, attackers may have already installed malware that continues to exfiltrate sensitive data after the remote access application is secured.

Most remote access applications are configured with only single-factor authentication of a username/password combination which, regardless of the complexity, is insufficient to adequately protect sensitive data.

To eliminate this vulnerability, PCI requirement 8.3 states you must implement two-factor authentication for all remote access. Two-factor authentication is an extra layer of security that requires two distinct methods of authentication. If the first factor is a username/password combination, the second factor must be something other than another username/password combination, such as something you have (a token or a certificate) or something you are (a fingerprint or retinal scan).

Phishing emails (still!) work

According to CyberSafe Canada, 156 million phishing emails are sent out each day. 16 million make it past firewalls and filters, and 8 million are opened. 800,000 embedded links are opened, and 80,000 fall for this scam and share sensitive info. And that’s per day.

Why do people still fall for phishing scams? The emails sent today are quite a bit more sophisticated than the ones sent three years ago. Attackers continue sending emails that look like they originated from a legitimate and well-known company, but have gotten better at mimicking that company’s branding.

As part of PCI requirement 12.6.1, personnel should be annually trained via a security awareness program. Employees should be trained to examine emails for grammar errors, sender email domains that don’t match the company ([email protected] vs. [email protected]), unsolicited attachments, and links whose displayed text doesn’t match the URL they actually point to.

Third party payment page vendors (still!) don’t scan for vulnerabilities

Do you outsource your payments page? If hackers manage to find vulnerabilities in that redirection process, they might manipulate that redirection code to their advantage by directing your customers to a fake payments page that looks identical to the one you had originally outsourced. In this way, they can capture customer credit card information with low risk of detection.

As of PCI 3.0, web redirection systems are now in scope for PCI DSS. The best way to stop this trend is to ensure both your website and your third party are executing regular scans that search for vulnerabilities.

Todd Hovorka is a Forensic Analyst at SecurityMetrics. SecurityMetrics protects electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. Learn more about SecurityMetrics at securitymetrics.com.

The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.