Until now, forensic investigations initiated as a result of a suspected card data compromise have followed a well-defined but reactive, time-consuming, resource-intensive and costly process. In most instances the merchant at the centre of the compromise is unaware that they have been breached and that they are sitting on a financial ‘time-bomb’.
In such situations there are no winners other than the fraudsters, who are often able to harvest card data at leisure until they decide to ‘cash out’. Once the fraudsters have monetised their haul, the victim will almost certainly be notified via their acquiring bank that they are a common point of purchase (CPP).
The resulting financial fallout is bad news for all parties involved; indeed, it is not unusual to see small organisations put out of business by the fees and fines incurred as a result of a cardholder data breach.
Having worked in this field for the last decade, the Foregenix team are shifting the paradigm to a defensive, proactive model that helps merchants (retail, hospitality, e-commerce) avoid breaches in the first place. What’s more, the same technology can be deployed as part of a forensic investigation to significantly reduce the card compromise exploitation window and the financial impact of the forensic investigation itself.
This two-part blog will look at Serengeti and how it significantly benefits both the acquiring bank and its merchant customers.
Notification that one of your merchants has been identified as a CPP will generally come via one of the card schemes. The affected merchant will be advised of the situation and instructed to engage one of a relatively small number of PCI Forensic Investigators (PFIs) who are certified to undertake forensic work in defined geographical areas. The merchant will be provided with a short list of approved organisations, with whom they will be required to negotiate and contractually engage.
Whilst time is clearly of the essence, the current investigation process is slow. The priority within any such engagement is to firstly contain the breach and then establish which cards could have been breached. This information serves to quantify the extent of the breach and prevent further fraud using the compromised card data.
In parallel, investigators will look to establish the root cause of the breach and make sure that further cards are not compromised. Having quantified and contained the situation, further work is undertaken to try to identify the culprits, although this can prove extremely challenging.
From such investigations, the PFI will sometimes identify new tools and techniques that are being used to perpetrate such attacks. The investigation itself requires a specialist understanding of the card payments industry and is undertaken by experienced consultants, skilled in the art of piecing together the evidence required to establish the cause and effect of a card data compromise.
Meticulous attention to detail and a thorough understanding of payment systems, networking, applications, encryption and malware all contribute to a successful investigation.
Putting aside the fact that it is not uncommon for compromises to go undetected for many months, the investigation is often a protracted challenge to a business. Once we are contractually engaged and a consultant has been scheduled to handle the engagement, the process typically involves:
The crucial part of the process described is the “CONTAINMENT” stage, the point at which the victim of the attack stops “bleeding” cardholder data. Prior to this, the potential fraud liabilities and fines will keep escalating. With the estimated average fraud cost per compromised card in the region of £650 ($1,000), there is clearly a strong financial incentive to get control of the situation and contain it, especially in a high transaction volume business.
As one of the world’s leading PFIs, Foregenix is shifting the paradigm when it comes to undertaking forensic work for the payments industry. By deploying Serengeti, a solution which has evolved from our own intimate understanding of the challenges associated with forensic work within the payments industry, Foregenix is able to significantly reduce the elapsed time between a merchant:
Aside from the reduction in the exploitation window during which card data can be compromised, Serengeti is deployed remotely, thus saving the logistical costs associated with on-site data collection, a significant component of such an engagement.
Within minutes of deployment, Serengeti provides our consultants with telemetry on the health of the systems at the heart of the breach: processes running, configuration settings, outbound communications and many other metrics and reference checks. Compiling this telemetry enables us to rapidly identify indicators of compromise.
Importantly, it facilitates a rapid check for all known strains and variants of malware that have been used to steal cardholder data. It is worth pointing out here that, in our experience, mainstream anti-virus/anti-malware solutions are not picking up the malware found at the heart of many of today’s compromises.
See Serengeti neutralising and removing Dexter POS Malware:
Simple variations on existing malware packages render them undetectable by the victim’s existing defence mechanisms (anti-virus/anti-malware).
By using heuristic, behavioural and signature-based real-time analysis, we identify the malware (known strains and variants) very quickly. We are very good at it.
Serengeti also serves to protect the health of the wider Foregenix client community, applying containment of new malware strains to all clients.
What’s more, this happens very quickly, often within an hour of deployment.
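To make the three analysis styles above concrete, here is an added example (not Serengeti or Foregenix code) that triages a constructed host telemetry snapshot of the kind described earlier (running processes, their binaries and their outbound connections). The malware hash, the acquirer gateway host, the allowlists and the sample processes are all constructed assumptions for illustration.

```python
# Added example (not Foregenix code): triage a constructed host telemetry
# snapshot with signature, behavioural and heuristic checks.
# All hashes, hosts and paths below are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class Process:
    pid: int
    name: str
    path: str
    sha256: str
    outbound: list = field(default_factory=list)  # list of (host, port)

# Signature check: hashes already confirmed as malicious (constructed value).
KNOWN_BAD_SHA256 = {"aa" * 32}
# Behavioural baseline: the only processes expected to talk outbound, and the
# payment-processor endpoints each may reach (constructed values).
NETWORK_ALLOWLIST = {"pos.exe": {("gateway.example-acquirer.test", 443)}}
# Heuristic: binaries carrying Windows system names should live under these
# directories; a copy elsewhere is a common masquerading sign.
SYSTEM_DIRS = ("c:\\windows\\",)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe"}

def triage(procs):
    """Return (pid, name, finding) tuples for every indicator of compromise."""
    findings = []
    for p in procs:
        if p.sha256.lower() in KNOWN_BAD_SHA256:
            findings.append((p.pid, p.name, "signature: known malware hash"))
        allowed = NETWORK_ALLOWLIST.get(p.name.lower(), set())
        for host, port in p.outbound:
            if (host, port) not in allowed:
                findings.append((p.pid, p.name, f"behaviour: unexpected outbound to {host}:{port}"))
        if p.name.lower() in SYSTEM_NAMES and not p.path.lower().startswith(SYSTEM_DIRS):
            findings.append((p.pid, p.name, f"heuristic: system binary name running from {p.path}"))
    return findings

# Constructed snapshot: one healthy POS process and two suspicious ones.
SAMPLE = [
    Process(1001, "pos.exe", "C:\\POS\\pos.exe", "11" * 32, [("gateway.example-acquirer.test", 443)]),
    Process(2002, "svchost.exe", "C:\\Users\\Public\\svchost.exe", "aa" * 32, [("198.51.100.7", 8080)]),
    Process(3003, "updater.exe", "C:\\POS\\updater.exe", "22" * 32, [("203.0.113.9", 443)]),
]

if __name__ == "__main__":
    for pid, name, finding in triage(SAMPLE):
        print(f"pid {pid} {name}: {finding}")
```

Each check is independent, so a variant that changes its hash still trips the behavioural and heuristic checks, which is the point of not relying on signatures alone.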
Comparing this with the traditional forensic route, there are a few key differences: