Following the news that Chipotle Mexican Grill’s payment processing system have reportedly been hacked, IT security specialists from Tripwire, AlienVault, McAfee and Balabit commented below.
Tim Erlin, VP at Tripwire:
“While we may have become numb to these breaches, criminals continue to target point of sale terminals. As long as compromised credit card data continues to be a valuable commodity on the black market, any company collecting or processing valid credit card information will continue to be a high value target. Organizations from fast food chains to clothing stores should pay attention to the lessons learned, not just from how criminals are getting in, but also from how compromised companies are handling the incident response to such events.
The best advice for companies running point of sale systems is to isolate and lock down the devices as much as possible. Point of sale terminals are typically low change environment. Implementing security configurations and closely monitoring for any change can both prevent and detect any potential attacks. These systems should talk to predictable destinations both internally on the network as well as externally on the Internet. Carefully monitoring communications for anomalies can help identify successful attacks.”
Javvad Malik, Security Advocate at AlienVault:
“The attack against the payment systems highlights that even with PCI DSS controls in place to segment and protect payment networks, companies need to remain vigilant against attacks and have broad monitoring and threat detection capabilities in place that can alert to an attack in a timely manner so that the appropriate response may be taken.”
Raj Samani, Chief Scientist at McAfee:
“The news that Chipotle’s payment system has been hacked is a further reminder that all types of businesses where transactions are made, are a potential target for increasingly clever cyber criminals. Whilst it is still unclear how many customers and restaurants were hacked, it is imperative that businesses need to take control of their cyber security and introduce efficient security measures long before these hacks actually happen.
“Many customers across the US, Canada and UK will be left wondering today if they have been caught up in this hack and whether or not they have purchased a very expensive burrito. Until Chipotle release additional information, customers will be unsure whether they have been targeted and if their data of money is the hands of criminals. Businesses cannot afford to dismiss cyber security as a problem solely for the IT department. The financial future of a business – or that of its customers – can hinge upon the security of in-store payment methods.”
Sándor Bálint, Security Lead for Applied Data Science at Balabit:
“This incident is a reminder of the fundamental problem about credit card payments – that they’re the source of a host of security issues and very difficult and costly to secure. The problem is that a sequence of characters – the card number – is used as an identifier, but this same sequence (when combined with the expiration date and the card security number) is sufficient to make financial transactions on behalf of the cardholder, therefore the ‘known’ number is also treated as a secret.
“Interestingly, while issuing banks expect cardholders to keep the number a secret, by definition they must share it as an identifier with a number of people and organizations (many of whom they’ll never meet) in order to make card transactions. Once shared as an identifier, the card number passes through many hands in the payment system, and the chain is only as strong as its weakest link. Much of the burden of trying to protect this “confidential identifier that’s also meant for sharing” is pushed to merchants and payment service providers, who are challenged with dealing with this fundamental architectural flaw.
“Anyone who has ever read through the Payment Card Industry Data Security Standard (or PCI DSS), the security requirements for merchants and payment processors that’s used by all major card brands, knows that compliance with all of the requirements is a tall and costly order.
“It’s been said that when it comes to protecting credit card information, cardholder data should be treated like nuclear waste, and the goal should be to minimize the number of people in an organization that ‘glow in the dark.’ In other words, processing, storing and handling this data should be kept to the absolute minimum (perhaps to the point of considering outsourcing it entirely), and the number of people who have access to this data should be as low as possible. This way, the scope of the people and systems dealing with this data (defined as the CDE, or cardholder data environment) can be minimized, greatly reducing the costs of compliance with the PCI DSS.
“Even with the best intentions, and with robust controls in place, breaches may not be entirely preventable. And here, another security principle comes into play: usually preventive controls are best, but a combination of detective and corrective controls should be employed. That’s why the PCI DSS has an entire chapter of requirements devoted to monitoring and testing.
“When it comes to monitoring, the effectiveness of the control depends on the coverage and depth of information gathered, the type of analysis that takes place, and the corrective processes that are triggered – ideally automatically – to respond to detected irregularities. For detective and corrective actions, time is a crucial factor: how long does it take from incident to detection, and from detection to relevant corrective action? If we can’t prevent something but we react almost immediately when it happens, we can greatly reduce any damage that can be done. Therefore, shortening that interval between detection and response should be the goal – the right tools for data collection and analysis can offer dramatic improvements and increased security.”