Avoidable POS breaches reflect security apathy, changing risks: AFP

Neil Gaughan

Retailers have put customers’ sensitive details at risk by failing to upgrade point of sale (POS) terminals that have subsequently been compromised by hackers, a senior Australian Federal Police (AFP) investigator has warned.

Neil Gaughan, assistant commissioner with the AFP’s High Tech Crime Operations unit, told attendees at the Symantec Symposium in Melbourne that a failure to take basic security precautions had compromised customer data in the past and was continuing to do so.

“The biggest threat we see at the moment is compromises of POS terminals,” Gaughan said. “We anticipate that about one percent of [attacks] we see are actually using new exploits. The majority of exploits used to extract information from companies are not new exploits.”

He cited two recent cases – a medium-sized national retailer whose POS system was hacked and “potential fraud in the tens of millions of dollars” instigated, and a Sri Lankan gang that sold compromised systems to retailers on both coasts before quietly revisiting the locations and skimming off credit-card details – in which a disciplined patching regime would have prevented the intrusions.

Gaughan compared information-security theories to those used in physical security, where layers of protection can dissuade would-be attackers, who will look elsewhere for softer targets. “If you’ve updated those systems sufficiently you’ve actually mitigated the attack,” he said. “We’ve almost reached saturation in the level of education we can give the customer, and some people still don’t get the message. We probably need a tsunami cyber-event for some people to take this more seriously.”

Although he cited the increasing difficulty of forensic examinations due to broader use of strong encryption and the challenges of inter-jurisdictional investigations, Gaughan said an even bigger problem was that many Australian companies are still sweeping criminal incidents under the carpet.

The AFP had recently worked with several financial-services companies that had been extorted by criminals who had threatened to launch denial of service (DoS) attacks against the companies unless they paid a ransom. Many had succumbed – making them targets for repeated extortion and contributing to a climate where online extortion against businesses is not only rife and profitable but rarely reported.

“This is what I see as the new black,” Gaughan explained, “because it’s fundamentally very quick, and it’s a good way for people to make money in a criminal sense. A lot of people aren’t reporting these issues to police because they just hope the DoS attacks will go away. But once you pay, you’re in a cycle of continuing payment.”

Gaughan slammed the lack of a mandatory reporting regime for data breaches, arguing that the culture of suppression was preventing law-enforcement authorities from getting a true picture of the activities of online criminals.

He was also supportive of data retention proposals – a controversial point that is currently under discussion within the parliaments of Australia and elsewhere – and said it was surprising consumers had united against the proposals when they were proving more than happy to allow their personal shopping habits to be collected in minute detail by retail giants.

“We’ve got to get this argument right, because at the moment the left side holds sway,” he said. Yet financial crimes aren’t the only area where Gaughan sees problems: he also cited the growing dangers posed by mobile devices, noting that it is entirely possible for malware to load itself onto a smartphone, then surreptitiously record conversations and ambient sounds, and collect personal data.

“The implications are broader than just criminal activity, particularly in relation to espionage,” he said. “What we can do with a mobile phone now, compared with what we can do in the majority of the real world, is actually quite frightening.”



Copyright © 2012 IDG Communications, Inc.
