ISA is committed to keeping the security community up to date with the latest cybersecurity news.
PCI Security Standards Council updates payment card standards
If your business accepts or processes payment cards, a recent change to PCI data security standards may affect you. The PCI Security Standards Council (PCI SSC) has released a major new standard for securing PIN devices. Released in June, Version 6.0 of the security framework replaces version 5.1, which had been in place since March 2018. The new requirements apply to all PIN entry devices (whether online or offline) and secure card readers used by retailers around the world.
The primary goal of the new standard is to provide greater protection to PINs and the cardholder data stored on the magnetic stripe or embedded chip, thereby reducing the chance of fraud at the point of sale or beyond. The new standard also features changes to software requirements, encryption levels, and device validation periods that will help to prevent device tampering and mitigate the risk of malware designed to steal credit card data during transactions. Improved security and support for transactions used in conjunction with mobile devices is also introduced. In the PCI SSC press release, Emma Sutcliffe, SVP, Standards Officer, observed that “[t]he changes to this standard will facilitate design flexibility for payment devices while advancing the standard to help mitigate the evolving threat environment.”
In all, the new standard (officially titled “PCI PIN Transaction Security Point-of-Interaction Modular Security Requirements”) introduces some 27 new features and requirements. The changes are detailed in the PCI DSS documentation library.
The timing is good for the new standards – as businesses begin to re-open after the pandemic lockdown, more vendors will be investigating wider use of touchless payment methods to reduce the handling of cash. Devices supporting the new standard are not available yet, as the requirements have just been released, but new PIN pads and card readers are expected soon. In fact, support for selected older devices has been extended due to the logistical difficulties brought on by the pandemic. A comprehensive list of supported devices and revised expiry dates is available on the PCI SSC website. Contact your payment processing provider for information on updating or replacing your devices. To reduce the risk to your operations and customers, consider replacing your card readers and POS devices with models certified to the latest standard as they become available.
Record DDoS attacks reported during the COVID-19 pandemic
On June 21, content-delivery network (CDN) company Akamai reported its largest-ever distributed denial of service (DDoS) attack. According to their blog posting, an attack against a large European bank generated 809 million packets per second over the course of a ten-minute assault. This incident came on the heels of a massive assault against one of Akamai’s internet hosting provider (IHP) clients earlier in June. The IHP attack featured the highest volume of data ever recorded in an attack against Akamai, at 1.44 terabits per second (Tbps) over the course of a two-hour span. This attack was geographically distributed and used up to nine different attack methods, in contrast to typical DDoS attacks that use three or fewer.
Massive attacks appear to be a theme in the COVID-19 era: Amazon Web Services (AWS) reported an all-time industry high-water mark DDoS attack of 2.3 Tbps in February 2020. In a June report, Virginia-based Neustar revealed that they had stopped the highest volume attack in their history, at 1.17 Tbps, on one of their customers earlier this quarter. And Cloudflare recently disclosed a major assault on their networks in February 2020 – a high-volume attack that peaked at over 550 Gbps.
These record-breaking attacks are just one indicator of the wider use of DDoS across the board. While attacks of this size are still comparatively rare, all service providers are reporting increases in the number, intensity, and duration of attacks during the pandemic, and more recently, during the social unrest in the United States and beyond. “DDoS-as-a-service” offerings and malware tools are widely available on the dark web, so launching DDoS attacks is inexpensive and does not require significant technical expertise or computing resources.
As a review, a DDoS attack attempts to block the use of a website, service, or network by swamping the target or its supporting systems with floods of traffic. As the sites and servers attempt to handle the onslaught of requests, normal data traffic is delayed or stopped, and unprotected systems can simply crash, taking online services out of business. The threat of a DDoS attack can be used to extort money or action from a target company, or activist groups can use DDoS tools to disrupt the operations of adversaries.
Content delivery network services are used to aggregate content and filter undesirable traffic, thereby shielding websites and online services from DDoS attack.
Fake COVID-19 contact-tracing app contains ransomware
The same day that Prime Minister Justin Trudeau announced plans for a countrywide contact-tracing app for mobile devices, hackers developed an Android app that purported to offer contact-tracing, but actually delivered hidden ransomware to target phones or tablets.
The fake app was disguised as an official software release from the government of Canada, approved by Health Canada, and cross-marketed through a series of websites spoofing official government properties. Once downloaded, the app could launch ransomware called CryCryptor which encrypts all of the data files on a compromised device, but leaves a “readme” file with the attacker’s return email address for payment. The fake app and ransomware were reported by security researchers from ESET in Slovakia.
The fake websites were taken offline shortly after the incident was reported to the Canadian Centre for Cyber Security (CCCS). If you have downloaded the application, which was released shortly after the June 18 announcement, delete it from your device immediately. Mobile users are reminded to only download apps from official sources such as Google Play or the Apple App Store.
According to a spokesperson at the CCCS, “[We are] aware of new fraudulent websites that have been impersonating the Government of Canada to deliver fake COVID-19 exposure notification applications, designed to install malware on users’ devices… [Our] efforts have resulted in the removal of a significant number of Canadian-themed fraudulent sites that were designed specifically for malicious cyber activity, such as phishing and malware delivery.”
As of June 30, the actual government-sanctioned contact-tracing app had not been released.