The breach totals in our data set have decreased from last year, primarily due to a lack of POS vendor incidents that have led to numerous organizations being compromised with stolen partner credentials.
87 incidents, 61 with confirmed data disclosure
Top 3 patterns
Point of Sale intrusions, Web applications and Crimeware patterns
represent 93% of all data breaches within Accommodation
External (95%), Internal (5%) (breaches)
Financial (100%) (breaches)
Payment (77%), Credentials (25%), Internal (19%) (breaches)
How can we be of service?
The Accommodation industry prides itself on hospitality, and over the years it has been far too hospitable to criminals. Financially motivated actors are bringing home the bacon by compromising the Point of Sale (POS) environments and collecting customers’ payment card data. Table 3 lists the 10 most common combinations of threat action varieties and assets. These are pairings that are found in the same breach, but not necessarily the same event or step in the breach.
As stated above, some of these combinations are indicative of a specific action taken against a specific asset (e.g., RAM Scraping malware infecting a POS terminal). Others show that some actions are conducted earlier or later in event chains that feature a particular asset – you don’t phish a laptop, but you may phish a human and install malware on his/her laptop in the next step. In brief, the game has not changed for this industry. POS Controllers are compromised and malware specifically designed to capture payment card data in memory is installed and extended to connected POS Terminals. While these POS intrusions are often a small business issue, large hotel and restaurant chains can learn from this data and, if they use a franchise business model, disseminate this knowledge to their franchisees.
The RAM scrapers may be the specialty of the house, but malware does not spontaneously appear on systems. When the infection vector is known, it is typically a direct installation after the actors use stolen, guessable, or default credentials to gain access into the POS environment.
- 2019 DBIR
- A couple of tidbits
- Summary of findings
- Results and analysis
- Unbroken Chains
- Incident Classification Patterns and Subsets
- Data breaches: extended version
- Victim demographics and industry analysis
- Accommodation and Food Services
- Educational Services
- Financial and Insurance
- Professional, Technical and Scientific Services
- Public Administration
- Wrap up
- Appendices (PDF)
A cause for optimism?
While attacks against POS environments make up the vast majority of incidents against Accommodation and Food Service organizations, the number has decreased from 307 in last year’s report to 40 in this report. Sounds pretty dope so far, but we do not use number of breaches as a solid indicator of “better” or “worse” as there are not only changes in our contributors, but also changes in the types of events our contributors may focus on year over year. Even with such a drastic change, it isn’t unprecedented. Figure 44 shows the volatility of breach counts of this ilk. POS breaches are often conducted by organized criminal groups looking to breach numerous targets and there have been sprees of hundreds of victims associated with the same hacking group. Back in 2011, default credentials were used with great success, evidenced by over 400 breaches, and recent sprees have been associated with POS vendors suffering breaches leading to subsequent breaches of their customer base.
The absence of a large spree in this year’s data set is reflected in the drop, but (and it seems like there is always a "but") after our window for data closed and during this writing there has already been a publicly disclosed POS vendor breach affecting multiple food service victims.14 So, let this be the first ever sneak peek into the 2020 DBIR – POS attacks are an endangered species.
And speaking of delivering bad news
Accommodation data breach victims are informed of their plight the majority of the time via Common Point of Purchase alerts as shown in Figure 45. In fact, 100 percent of POS intrusions in this industry were discovered via external methods. This is a clear indicator that while there is work to be done on preventative controls around POS compromise, there is equal room for improvement in detecting compromise. Being a realist and understanding that many of these victims are “mom and pop” operations asking for sophisticated file integrity software or DLP is not a feasible plan of action for many of these organizations. Working with POS vendors to ensure that someone knows when the environment is accessed via existing remote access methods is a start. A pragmatic process to inform the business owners that legitimate work is being done by the partner would certainly be another simple step up from the current state of affairs.
Things to consider
The numbers from annual breach totals are influenced by smaller food service businesses caught up in what we have described as POS smash-and-grabs. Whether leveraging default credentials or stolen credentials, organized criminal groups often go after numerous little fish – but not always. Several international hotel chains and restaurants have also been hit. While the initial intrusion method may not have been as easy as scanning the internet and issuing a default password, there are some lessons to be learned. Static authentication is circumvented using valid credentials and what follows is installation of RAM scraping malware and adminware such as psexec or PowerShell to facilitate the spread of malware across multiple terminals in multiple locations.
Cover your assets
The data shows year-over-year that there is a malware problem affecting POS controllers and terminals. Implement anti-malware defenses across these environments and validate (and re–validate) the breadth of implementation and currency of controls. Focus on detective controls as well, the external correlation of fraudulent usage of payment cards should not be the sole means of finding out that malware has been introduced into your POS environment. Restrict remote access to POS servers and balance the business needs of interconnectivity between POS systems among your locations with defending against the potential spread of malware from the initial location compromised.
Sleep with one eye open
Since you can’t build a perfectly secure system, security operations helps monitor for those weird logins in the middle of the night. If you can justify it in your budget, a security operations team is a must. Even if you can’t afford an in-house team, contracting it as a service or requiring it to be a part of your POS or IT contracts will cover you and allow you to benefit from economies of scale.
Chips and Dip
When a chip-enabled card is dipped in a properly configured EMV-enabled POS terminal, the static, reusable magnetic strip information (PAN) is not exposed or stored. This is a good thing and along with contactless payment methods, disrupts the old way of stealing things for the bad guys. The attacks against EMV technology are more theoretical and/or not conducive to real-world use. We know that cyber-criminals are a crafty bunch and nothing is bulletproof, but continue to embrace and implement new technologies that raise the bar to protect against payment card fraud.