Hyatt is the latest to hit the ever-accelerating cycle of high-profile data breaches. Krebs on Security reported that the hotel chain completed an investigation after malware was discovered on machines that support Hyatt's payment processing systems. Hyatt revealed that payment card data was compromised at over 250 hotels in 50 countries over a period of four months.
This is just one of many hotel chain data breaches in the past year. Hilton Worldwide, Starwood Hotels and Resorts, Trump Hotel Collection, Mandarin Oriental Hotel Group and Marriott's White Lodging Services have all experienced incidents in which sensitive data may have been compromised due to malware in 2015 alone.
Malware attacks have become just another daily occurrence. These threats at the point of sale are some of the biggest challenges facing merchants today. As many as 177,866,236 personal records were leaked during 2015, according to the ID Theft Center.
What can merchants do to mitigate the threat of POS malware?
In today's security climate, a completely secure defense against malware is infeasible, if not outright impossible. No software is truly invulnerable, but following a few best practices can help make the expense of breaking into a system and installing malware more trouble than it's worth for criminals. If the cost of stealing customer data exceeds its rewards, then it won't make sense to intrude in the first place.
Stay away from defaults
One of the most common intrusion methods is also one of the most embarrassing. Many merchants neglect to change the default passwords on POS terminals, making them trivial to access, according to Charles Henderson, vice president of managed security testing at Trustwave, as reported by BankInfoSecurity.
But in order to access those POS systems to install that malware, an attacker first has to get onto the network itself. Though this can sometimes be done by physically tampering with the device or the servers it's connected to, the more likely culprits are remote desktop tools that allow users to access platforms across the Internet.
Systems that connect to the Internet or other insecure networks need to be very carefully monitored, since malware will typically take the path of least resistance. If cybersecurity is the digital equivalent of an immune system, then Internet-connected software is the mouth – a big, open hole through which disease can enter. That's why network segmentation is so important.
Segmentation is power
Properly managing access to data is crucial for ensuring that malware can't reach sensitive information. In the hyper-connected world, every endpoint can be the source of an attack. Segregating systems from each other – especially those that handle cardholder data – safeguards a network from compromise that can lead to a breach of every connected device.
It's important that employees don't have access to sensitive information at all. Human error is what leads to the majority of data breaches, according to CompTIA, either through social engineering, poor configuration or even issues as simple as unlocked workstations and lost devices. It's impossible to prevent people from causing security failures, so they shouldn't have access to that data in the first place. Using tokens contains the threat of losing data.
To ensure proper network segmentation, Visa recommended completely separating the cardholder data environment (CDE) from the rest of the network, as well as requiring two-step authentication for access to the CDE. Additionally, the source said that networks should adhere to "the principle of least privilege," a strategy in which users and systems have only the minimal access to the data they need to do their jobs correctly.
Stay safe with tokenization
Sensitive data should be tokenized and then isolated from the rest of the IT environment to make sure that it stays safe even if an attacker can gain access to a network. The walls of a fortress can be fifty meters high and five meters thick, but that means nothing if the front door is left open. Using tokenization means that IT systems can use and work with the signifiers of that data without having to touch the actual sensitive parts.
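The following is an added example, not code from the article or from any vendor it mentions: a minimal in-memory token vault showing how systems outside the CDE can work with a token while only a named, least-privileged caller can recover the card number. The class name, the token format (random value plus last four digits) and the caller names are assumptions made for illustration.

```python
import secrets

def luhn_ok(digits):
    """Luhn checksum, used here to reject obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for a vault isolated inside the CDE (hypothetical)."""

    def __init__(self, detokenize_allowed):
        self._by_token = {}     # token -> PAN: the only place real PANs live
        self._by_pan = {}       # PAN -> token: a repeat card gets the same token
        self._allowed = frozenset(detokenize_allowed)

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        # Random token: no mathematical link to the PAN, so it cannot be
        # reversed without the vault. Keeping the last four digits for
        # receipts is an assumed format, not one the article specifies.
        while True:
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token, caller):
        # Least privilege: only explicitly named systems may recover the PAN.
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._by_token[token]

if __name__ == "__main__":
    vault = TokenVault(detokenize_allowed={"settlement"})
    tok = vault.tokenize("4111 1111 1111 1111")   # constructed test number
    print("POS and order systems store:", tok)
    print("settlement recovers:", vault.detokenize(tok, "settlement"))
```

Malware that scrapes a system holding only tokens obtains values that are useless without access to the vault itself.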
Keeping payment processing networks free of malware is a big task, but it isn't impossible. It requires both a technical investment and a cultural shift in how data is protected, with the knowledge that no one system is safe from malfeasance. In today's cyber-insecure environment, it's important that merchants take network security seriously.