What’s Old is New Again—Insecure Remote Access


When a merchant is suspected of being the victim of an account data compromise event, they are often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI provides a report on the investigation to the card brands, and if the investigation found evidence of a breach, the report explains how the attack was carried out. The card brands likely receive several hundred PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports. Visa, which issued three alerts in the past year alone regarding memory scraping malware used against retailers, has only issued nine alerts since 2011 (Visa Security Alerts/Bulletins). So, it is advisable that merchants pay attention to these alerts.

Unfortunately, many threat trends are not based on the exploitation of new vulnerabilities. In a 2011 Security Alert, Visa stated that “[i]nsecure remote access continues to be the most frequent attack method used by intruders to gain access to a merchant’s point-of-sale (POS) environment.” MasterCard warned of recent attack trends in 2012 showing that hackers were focusing on smaller merchants with improperly configured remote access systems.

Visa just issued a July 2014 Security Alert titled “Insecure Remote Access and User Credential Management,” which reported Visa’s observation of an increase in malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments and ultimately, payment card data. The Security Alert mentioned several of the remote access solutions that are often used by service providers to provide remote management and support for retailers, including LogMeIn and PCAnywhere. Visa notes that circumstances around multiple merchant compromises in the last several months suggest an actor or group of actors are targeting merchants who share common POS integrators or remote support vendors. Finally, the Security Alert identifies the following security practices to help mitigate security risks:

• Ensure proper firewalls rules are in place, only allowing remote access only from known IP addresses.

• If remote connectivity is required, enable it only when needed.

• Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.

• Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.

• Plan to migrate away from outdated or unsupported operating systems like Windows XP.

• Enable logging in remote management applications.

• Do not use default or easily-guessed passwords.

• Restrict access to only the service provider and only for established time periods.

• Only use remote access applications that offer strong security controls.

• Always use two-factor authentication for remote access. Two factor authentication can be something you have (a device) as well as something you know (a password).

Merchants should keep in mind that, not only are they are responsible for ensuring that their service providers protect cardholder data in compliance with PCI DSS, they are also responsible for the consequences if their service provider fails to do so (e.g. complying with state breach notification laws and paying fines, fees, and assessments of liability by card brands for operating expense reimbursement and incremental counterfeit fraud). It may be a good decision for a merchant to “outsource” their payment processing to a service provider, but simply having a third party do the processing does not “outsource” a merchant’s liability. Rather, merchants need to include appropriate provisions in the contract with their service provider to impose obligations for securing the payment card data and providing indemnification if they fail to do so.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.