SpiderLabs' Incident Response team has recently seen credit card fraud involving the suspected compromise of a 'drop in' transaction processing devices in the Asia Pacific region. Specifically, we have seen issues with the NetAccess N-1000 Transaction Concentrator, payment processing middleware that is widely deployed across region. Based on what we have seen we have issued the following guidelines for any firm using the device.
Despite its ‘drop in’ nature, the N-1000 uses Windows XP as its underlying operating system. As such, the device needs to be treated with the same security hardening processes that you would use for any other Windows system in your business. The device's flaws highlight the risks of having vendor-deploy equipment in the sensitive and critical parts of your business.
At a minimum we recommend the four basic security practices outlined below. These are the same security controls we would recommend for all devices handling credit card data and we often find the failure of one or more of these controls when investigating fraudulent activity.
1. Restricted Network Access
The N-1000's role sees it placed at the border of a payment processor’s network, handling transactions from devices installed at merchant premises. Typically the device will sit on the public Internet or a semi-public GPRS network. By default the device exposes a number of services, including Windows-specific ones (e.g. 139 and 445) and web service running an administration interface. As a result it is critical that it is placed behind a well-configured firewall.
Deploying any device on the boundary of your network increases your potential 'attack surface'. This problem is further exacerbated by many appliance-type devices not openly advertising what ports and services they expose. Firms can regain some control by ensuring ports are only opened on firewalls 'as needed', and using vulnerability scanning and penetration testing to get an external, independent, view.
2. Timely Application of Patches
Due to the N-1000’s reliance on Windows XP it will suffer from a number of well-documented security flaws if left unpatched. The N-1000 devices we have seen have been installed by third-party vendors and have not been included in the normal patch management processes. This has resulted in devices that can be easily compromised by common hacking tools.
Unpatched systems are a common enough problem in most organisations, even when equipment isn't outside the normal patching process. Once again, regular vulnerability scanning across your internal infrastructure will give you the best chance of picking up devices that may have been left unpatched.
3. Strong Password Practices
Like most IT systems, the N-1000 relies on complex, non-guessable, passwords to protect both its Windows OS accounts and the administration web interface.
Trustwave has investigate many credit card fraud incidents that have ultimately been due to third-party implementers using weak passwords or reusing passwords across numerous clients. It is important for firms to regularly audit both the access and the security of passwords on these systems.
4. Appropriate Logging
Lastly, the N-1000 needs to be configured with comprehensive and secure logging. While the device has the ability to keep both Windows Event and application logs, it stores these logs in volatile memory (RAM). This means they need to be regularly transferred off the device if they are not to be lost at reboot. The N-1000 also receives, and has the ability to log, various pieces of sensitive transaction data, including Card Holder Names, Card Numbers and Track 2 data. Firms using the device should ensure it is not logging this sensitive information, particularly the Track 2 data. Capturing Track 2 data provides everything necessary to 'clone' a credit card and due to this storing it both violates PCI-DSS and provides an appealing target for attackers.
Investigations into security incidents and suspected fraud are often stymied because of a failure to keep adequate logs from key devices. However logging everything is often just as bad as not grabbing enough, particularly when sensitive information like card holder is stored and becomes easily accessible.
To recap, firms need to remain vigilant of the types of security weaknesses that can be introduced by ‘drop in’ appliances, like the NetAccess N-1000. To avoid sensitive customer details being compromised, Trustwave recommends that organisations ensure all devices deployed in a business have basic security controls configured, no matter who did the initial install and configuration. A regular programme of security audits and assessments will help confirm these controls are in place.