Attack scenario: payment card fraud caused by poor supply-chain security at US petrol stations

This blog is part of a weekly review of scenarios from Verizon’s Data breach digest.

In this case study, Verizon describes a failure of supply-chain security in which a cyber insurance carrier noticed an unusual pattern of payment card fraud originating from one of its customers – an oil and gas company that operated a number of petrol stations in the US.

Four petrol stations were found to be showing the same fraud pattern, but although systems were openly accessible from the Internet, network and endpoint forensics determined that there was no evidence of an external source of point-of-sale (POS) intrusion. All connections via these systems could be accounted for, and there was no evidence that card skimmers had been used at cash registers or at the pumps. Clearly, something else was happening. But what?

Verizon worked with the police and the oil and gas company to install evidence traps that included keystroke logging, file integrity monitoring with alerting, and playback recording of remote sessions. An alarm was tripped within days.

Verizon found that the vendor contracted for IT and POS support had connected via Remote Desktop over a virtual private network (VPN) to the payment processing server. It checked there were no other active logins, then set the system clock forward by two years and copied cleartext authorisation requests from each fuel pump – including magnetic stripe sequences, which could be used to commit payment card fraud – before setting the clock back to the correct date and time. The next night – a Saturday – another alert was tripped when a similar intrusion occurred. The police were informed, and paid a visit to the vendor’s support centre.
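The clock trick described above leaves a recognisable trace wherever system time changes are logged. As an added example (not Verizon's or the original post's code), the Python below runs a simple detection over constructed records modelled on Windows Security events 4624 (logon; logon type 10 is Remote Desktop) and 4616 (system time changed): it flags any time change too large to be a routine correction and notes whether the session responsible arrived over RDP. Field names, threshold and sample values are assumptions.

```python
"""Flag large system-clock jumps made during remote sessions (added example)."""
from datetime import datetime, timedelta

# Constructed sample events; the shape loosely follows Windows Security log
# fields (4624 = logon, LogonType 10 = RemoteInteractive/RDP; 4616 = system
# time changed). Dates and account names are invented for the example.
SAMPLE_EVENTS = [
    {"event_id": 4624, "user": "vendor_support", "logon_type": 10,
     "logon_id": "0x3e7a1", "time": "2016-03-05T23:02:11"},
    {"event_id": 4616, "user": "vendor_support", "logon_id": "0x3e7a1",
     "previous_time": "2016-03-05T23:04:50", "new_time": "2018-03-05T23:04:50"},
    {"event_id": 4616, "user": "vendor_support", "logon_id": "0x3e7a1",
     "previous_time": "2018-03-05T23:31:02", "new_time": "2016-03-05T23:31:10"},
    # A one-second NTP-style correction by the OS: should not alert.
    {"event_id": 4616, "user": "SYSTEM", "logon_id": "0x3e7",
     "previous_time": "2016-03-06T03:00:00", "new_time": "2016-03-06T03:00:01"},
]

# Assumed tolerance: anything beyond this is treated as a deliberate clock change.
MAX_CLOCK_DRIFT = timedelta(minutes=5)


def find_clock_tampering(events, max_drift=MAX_CLOCK_DRIFT):
    """Return one alert per 4616 event whose jump exceeds max_drift.

    An alert is marked via_rdp when the same logon ID earlier produced a
    type-10 (Remote Desktop) logon, which is the pattern in the Verizon case.
    """
    rdp_sessions = {e["logon_id"] for e in events
                    if e.get("event_id") == 4624 and e.get("logon_type") == 10}
    alerts = []
    for e in events:
        if e.get("event_id") != 4616:
            continue
        prev = datetime.fromisoformat(e["previous_time"])
        new = datetime.fromisoformat(e["new_time"])
        delta = new - prev
        if abs(delta) <= max_drift:
            continue  # small correction, ignore
        alerts.append({
            "user": e["user"],
            "shift_days": round(delta.total_seconds() / 86400, 1),
            "via_rdp": e["logon_id"] in rdp_sessions,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_clock_tampering(SAMPLE_EVENTS):
        print(alert)
```

In practice the forward jump and the matching backward jump within one remote session are the pair worth alerting on, since a genuine correction rarely reverses itself minutes later.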

As it was a Saturday night, there was only one car parked at the office – indicating that a particular member of the helpdesk team was responsible. They popped in for a chat with him.

It transpired that this individual deliberately sought late-night weekend shifts when he'd be the only person on call. He would then connect to customer systems and steal cardholder data, mistakenly believing that he'd be less likely to be caught, and that changing the time on the system would cover his tracks. He was wrong.

Supply-chain security

As Vormetric's Insider Threat Report 2015 rightly pointed out, with more and more external suppliers being granted privileged access to client systems, the insider threat no longer applies only to your own staff – your entire supply chain is a potential threat to your security. This is why you need to ensure that your systems are secure at all points. If you gather, process or store payment card data, you'll be obliged to do so by the PCI DSS.

A PCI DSS gap analysis determines an organisation’s current compliance levels and outlines the specific steps needed to achieve full compliance with the Standard. It includes a detailed review of compliance activities, using tools such as on-site interviews with key staff, an assessment of the in-scope system components and configurations, and a physical and logical data flow analysis, in addition to examining out-of-scope components.

IT Governance Ltd is an authorised PCI Qualified Security Assessor (QSA). Our PCI DSS Gap Analysis service provides a detailed review of your current PCI compliance posture and produces a strategic roadmap that can be implemented to achieve full compliance with the Standard.