Lessons learned from UPS Store breach
By Antone Gonsalves, CSO | August 22nd, 2014
The security breach discovered at a few dozen franchises of the UPS Store, a subsidiary of United Parcel Service, provides a number of lessons for other retailers.
The UPS Store reported Wednesday that malicious software was found within the in-store cash register systems of 51 franchises in 24 states, or about 1 percent of the 4,470 U.S. stores.
The compromise exposed customer names, postal and email addresses and payment card information. How many people were affected was not disclosed.
Malware infections on so-called point-of-sale systems were also discovered in a string of breaches reported by other major retailers, including Michaels, Neiman Marcus, P.F. Chang’s, Sally Beauty, Target and, more recently, the Albertsons and Supervalu supermarket chains.
In all the computer break-ins, the hackers scanned the networks for tools that let employees and vendors access systems remotely. Once the tools were found, the criminals focused on finding vulnerabilities or stealing credentials to let themselves in.
Once, a system was breached, the hackers traveled through the network to the electronic cash register system, where malware was planted to capture credit-card data.
Because credit-card data often remains in plain text until it arrives at the payment processor, an obvious precaution is to encrypt the information as soon as the card is swiped and leave the decryption key with the processor, experts say.
Such a system would be expensive to install, since it would involve replacing card readers and upgrading software within the POS systems. Nevertheless, with hackers exploiting the weakness, the cost is likely less than that of a breach.
Target, which reported its security breach late last year, says costs associated with the POS system compromise has reached $148 million.
The UPS Store started searching for the malware shortly after receiving around July 31 a U.S. government warning that hackers were scanning retailers’ networks for remote access tools.
Security experts praised the UPS Store for its quick response.
“This probably stopped it (the infection) from getting much worse,” Chris Wysopal, chief technology officer for Veracode, said.
Because hackers are looking for network credentials, retailers need to make a list of the employees and vendors with remote access and restrict their privileges to those resources that are absolutely necessary.
Also, passwords should be changed at least every six months and when vendors are dropped or employees leave, their credentials should be revoked immediately.
After the malware was found, the UPS Store hired an IT security firm and found the malware, which was removed from systems Aug. 11.
The malicious code had been in the store systems for as long as seven months before it was removed.
Technology called endpoint anomaly detection might have found the malware sooner. Such technology establishes a baseline of normal activity and then alerts if there is a deviation.
A protective technology recommended for POS systems is white-listing software that blocks any unknown code from executing.
“Whitelisting works really well in environments where the software that should be running is very restrictive, such as a point-of-sale terminals,” Wysopal said.
Businesses like the UPS Store should enforce a standard security policy across franchises, Ehsan Foroughi, director of research for Security Compass, said.
Requirements could include an approved POS system, regular installation of updates and patches, regular password changes, controls for limiting employee and vendor access and regular security training for franchise owners, managers and POS workers.
“A lot of these breaches are because of people who just don’t know the risks,” Foroughi said.