COVER: Extended Retail Solutions 3
Fighting spyware and retail identity theft

Requirements from real-world data and industry regulations.

Identity theft is an increasing problem that impacts both consumers and retailers. But when it comes to the economic impact of identity theft, it has been the retailers that have borne the financial burden. Of the $53 billion in annual damages from identity theft, retailers pay for $48 billion, or over 90% of the total. Moreover, when retailers lose sensitive customer information to cybercriminals, they lose the trust of their customers. In addition, retailers open up their businesses to government prosecution. For the retailer, then, identity theft has severe consequences.


Identity Theft and Spyware

The starting point for fighting identity theft is to identify the most common way confidential customer information may be stolen electronically. The following real-world cases indicate that identity theft today is often linked to spyware, a form of malicious software that spies on computers and steals sensitive data. Spyware programs include Trojan horses, keyloggers, backdoors, password tools, and hacker tools, all of which are designed to gain access to private information.

International Identity Theft Ring (August 2005)
An international identity theft ring that uses spyware to steal confidential personal information was unearthed in August. Credit card details, Social Security numbers, usernames, passwords, and other private information for an estimated 27,000 customers from various businesses were found. The criminal group captured this sensitive personal data through web-based Trojan horses that contained keylogger and backdoor spy programs. A computer user who visited the spyware-hosting website, perhaps as a result of a browser redirect or phishing email, would be attacked with an automatic drive-by download that installed Trojan horse and backdoor spyware.

CardSystems Solutions (June 2005)
In June 2005, it was disclosed that data for more than 40 million credit cards from Visa, MasterCard, American Express, Discover, and others were stolen from CardSystems Solutions, a third-party processor of payment card data. Cybercriminals exploited software vulnerabilities in CardSystems’ network to install spyware that secretly captured consumers’ credit card information. CardSystems’ business faced collapse as credit card companies cut their ties with the company.

DSW Shoe Warehouse (April 2005)
DSW Shoe Warehouse revealed in April 2005 that thieves stole information for 1.4 million credit cards and 96,000 drivers’ licenses and checking accounts from its computer database. Among the victims was Deborah Platt Majoras, the chairman of the FTC. The FTC now holds retailers accountable for maintaining the privacy of customer information. Regarding another case of identity theft at BJ’s Wholesale Club, Majoras stated, “Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.” So retailers now must deal with not only the financial damage caused by spyware but also government prosecution.

These cases highlight that spyware and identity theft are closely linked. Cybercriminals often use spyware to steal confidential consumer information. Therefore, a key to fighting identity theft is to stop spyware.

Spyware and the Web Vector

Spy programs today mainly attack through web traffic. The example involving the international identity theft ring is one well-publicized case of web-based spyware attacks. No doubt, many other cases exist but are still undiscovered. A September 2005 security research report from InfoWorld singled out the web as the new malware attack vector:

Worms traveling as file attachments have been dominant for the last decade, but reliance on the SMTP [email] protocol is waning. Many of today’s malicious programs take advantage of patched and unpatched exploits in Internet browsers. Unsuspecting clients surf to an infected Web page and their computers are exploited remotely without their even having to physically acknowledge anything. ... The Web is expected to be a growing source for malware attacks over the next decade.

The web is the attack vector of choice for stealthy attacks. More spyware may be expected to travel in web traffic and install on unsuspecting computers in order to steal confidential information. A key requirement from this real-world data is that any defense against identity theft should include protection against web-based spyware.

The Payment Card Industry Data Security Standard

The credit card industry’s response to identity theft at retail organizations is the Payment Card Industry Data Security Standard (PCI Standard). With a compliance deadline of June 30, 2005, this industry standard sets the minimum requirements for protecting private customer data. It includes: installing a firewall, not using vendor-supplied defaults for system passwords, protecting stored data, encrypting transmission of cardholder data and sensitive information, using and regularly updating anti-virus (AV) software, developing secure systems and applications, restricting access to data, assigning unique IDs to computer users, restricting physical access to cardholder data, tracking and monitoring access to cardholder data, regularly testing security systems, and maintaining a policy that addresses information security.

While comprehensive, it is silent on defending against web-based spyware. Requirement 5, “Use and regularly update anti-virus software or programs”, only mentions viruses that “enter the network via employees’ email activities.” It makes no mention of protecting web traffic from spy programs. Although the PCI Standard acknowledges in Requirement 1 that “seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems”, it does not address web traffic as a potentially wide-open vector for malware attack. It leaves the network perimeter open to both good and bad web traffic: “Build a firewall configuration that denies all traffic from ‘untrusted’ networks/hosts, except for: Web protocols - HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443)”. Even with PCI Standard compliance, retail organizations would remain vulnerable to web-based spyware attacks intended to steal customer data (see figure 1).

Figure 1: Diagram of PCI Standard Security Gap

A retail organization may deploy a firewall, restrict access to customer data, and use regularly updated email AV software, but it would still be vulnerable. The retailer’s perimeter security would let through web-based spyware, such as a keylogger spy program inserted by a web drive-by-download. The keylogger could then capture password information that unlocked confidential customer data. Therefore, a mission-critical addition to the PCI Standard is gateway protection against web-based spyware.

Gateway Anti-Spyware Security

The internet gateway is the ideal place to stop web-based spyware, but it requires high-performance scanning of real-time web traffic. Gateway anti-spyware is a proactive measure that prevents spyware from entering the network and installing on individual computers (see figure 2). If spy programs can be stripped out of internet traffic at the gateway, before they can install themselves on desktop computers, then the threat of spyware, and retail identity theft, may be substantially reduced.

Figure 2: Gateway Anti-Spyware Protection


The core of any gateway anti-spyware defense, as with desktop and email gateway AV, starts with scanning for malicious code. Other technologies such as web-filtering and file-blocking may be useful complements, but the most granular, reliable, and effective way to identify and remove spyware from web traffic is signature-matching.

Gateway scanning for spyware, however, is problematic. It requires an extremely high-performance scanning technology that can handle real-time web traffic for large numbers of computers without turning the gateway into a network bottleneck. If a product cannot deliver real-time performance, then it cannot scan high volumes of web traffic for spyware. If it cannot scan enterprise-class web traffic, then it cannot truly protect against spyware, since web traffic is the main vector of spyware attacks. So in this case, it is no longer a matter of a trade-off between security and performance. An organization must have both. High performance is necessary if there is to be any gateway anti-spyware security.
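The two paragraphs above make a point that is easy to get wrong in practice: a gateway can only signature-match web traffic in real time if it scans the stream as it arrives, and a naive chunk-by-chunk scan misses any signature that straddles a chunk boundary. The following is an added illustration written for this page, not code from the article or from any vendor's product. It keeps a small carry-over buffer between chunks so that a match split across two HTTP body chunks is still found exactly once, and it checks the streaming result against a whole-buffer scan. The signature names and the sample response body are constructed placeholders.

```python
"""Streaming signature scanner for gateway content inspection (constructed example)."""
from dataclasses import dataclass

# Constructed toy signatures; real gateway signature libraries are far larger and are
# updated daily, but the boundary-handling logic below is the same.
SIGNATURES = {
    "toy.keylogger": b"TOY-KEYLOGGER-MARKER",
    "toy.backdoor": b"TOY-BACKDOOR-MARKER",
}


@dataclass
class Match:
    name: str
    offset: int  # absolute byte offset of the match in the stream


class StreamScanner:
    """Feed chunks in order; every match is reported once, including boundary-spanning ones."""

    def __init__(self, signatures: dict[str, bytes]):
        if not signatures:
            raise ValueError("at least one signature is required")
        self.signatures = signatures
        self.max_len = max(len(s) for s in signatures.values())
        self.carry = b""      # last (max_len - 1) bytes of what was already scanned
        self.consumed = 0     # total bytes fed so far

    def feed(self, chunk: bytes) -> list[Match]:
        buf = self.carry + chunk
        base = self.consumed - len(self.carry)  # absolute offset of buf[0]
        found = []
        for name, sig in self.signatures.items():
            i = buf.find(sig)
            while i != -1:
                # Anything that ends inside the carry region was already reported
                # on the previous call; only new or boundary-spanning matches count.
                if i + len(sig) > len(self.carry):
                    found.append(Match(name, base + i))
                i = buf.find(sig, i + 1)
        self.consumed += len(chunk)
        keep = self.max_len - 1
        self.carry = buf[-keep:] if keep > 0 else b""
        return found


def scan_chunks(chunks, signatures=SIGNATURES) -> list[Match]:
    """Scan an iterable of chunks as a gateway would see them on the wire."""
    scanner = StreamScanner(signatures)
    matches = []
    for chunk in chunks:
        matches.extend(scanner.feed(chunk))
    return matches


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list[Match]:
    """Whole-buffer reference scan used to check the streaming result."""
    return scan_chunks([data], signatures)


def verdict(matches: list[Match]) -> str:
    """Gateway decision: strip/block the response if any signature matched."""
    return "block" if matches else "allow"


def demo_body() -> bytes:
    """Constructed HTTP response body with both markers embedded."""
    return (b"<html><body>hello</body></html>"   # 31 bytes
            + SIGNATURES["toy.keylogger"]        # offsets 31..50
            + b"\x00" * 10
            + SIGNATURES["toy.backdoor"]         # offsets 61..79
            + b"trailer")


def demo_chunks() -> list[bytes]:
    """Split so that each marker straddles a chunk boundary (at 40 and at 70)."""
    body = demo_body()
    return [body[:40], body[40:70], body[70:]]


if __name__ == "__main__":
    streamed = scan_chunks(demo_chunks())
    assert streamed == scan_bytes(demo_body())
    for m in streamed:
        print(f"{m.name} at byte {m.offset}")
    print("verdict:", verdict(streamed))
```

The carry length of `max_len - 1` is the smallest buffer that guarantees no signature can start before the carry and end after the new chunk; it is also why the per-chunk work stays bounded, which is the performance property the text insists on.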

Besides the requirement of real-time scanning of web traffic for spyware, a gateway anti-spyware product should also comply with the PCI Standard. Some relevant requirements include:

“5. Anti-virus software must be used on all email systems and desktops to protect systems from malicious software.” A gateway anti-spyware product should ideally be an anti-malware product that protects against both spyware and viruses. All known malware should be covered in the signature library. Look for industry certification of 100% detection of malware in the wild. The product should not only protect the web vector, but also the email and FTP vectors (see requirement 1.1.7 regarding risky protocols such as FTP). Note that the email vector includes SMTP, POP3, and IMAP traffic.

“5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.” To ensure that all spyware and virus signature patterns are current, a product should automatically update itself at least once each day. The product should also include detailed log data that may be queried easily.

“2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.” Web administration of a gateway anti-spyware product makes it easier to administer, but such web access should be secure.

Thus, the combination of requirements from real-world data and the PCI Standard ensures that retailers maintain the highest level of data security at the internet gateway. These requirements may be summarized as follows:

  • Stop spyware, viruses, and other malware;
  • Scan web (HTTP, HTTPS), email (SMTP, POP3, IMAP), and FTP traffic;
  • Automatically and frequently update malware signature patterns;
  • Provide detailed log data that may be easily queried; and
  • Provide secure web administration.
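Two of the requirements listed above, daily signature updates (5.2) and log data that can be queried easily, are the ones an auditor or operator actually has to verify. The following is an added example written for this page, not the article's or any vendor's code: it parses a few constructed gateway log lines in a hypothetical key=value format, summarises detections per client and per signature, flags clients with repeated hits (a host that keeps fetching the same blocked file is worth a desktop check), and tests whether the most recent successful signature update is within the 24-hour window.

```python
"""Querying gateway anti-malware logs for PCI-style checks (constructed example)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical gateway format (not any real product's).
SAMPLE_LOG = """\
2006-01-10T08:00:02Z event=sig_update version=2006.01.10.01 result=ok
2006-01-10T09:14:31Z event=detect proto=http client=10.1.20.15 url=http://example.test/promo.exe sig=TOY-Keylogger.A action=blocked
2006-01-10T09:15:02Z event=detect proto=http client=10.1.20.15 url=http://example.test/promo.exe sig=TOY-Keylogger.A action=blocked
2006-01-10T11:42:10Z event=detect proto=smtp client=10.1.30.7 url=- sig=TOY-Worm.B action=quarantined
2006-01-11T10:05:44Z event=detect proto=http client=10.1.20.33 url=http://example.test/x.js sig=TOY-Backdoor.C action=blocked
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[dict]:
    """Turn each line into a dict with a timezone-aware 'ts' plus its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, _, rest = line.partition(" ")
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = ts
        events.append(fields)
    return events


def detections(events: list[dict]) -> list[dict]:
    return [e for e in events if e.get("event") == "detect"]


def detections_by_client(events: list[dict]) -> Counter:
    return Counter(e["client"] for e in detections(events))


def detections_by_signature(events: list[dict]) -> Counter:
    return Counter(e["sig"] for e in detections(events))


def repeat_clients(events: list[dict], threshold: int = 2) -> list[str]:
    """Clients with at least `threshold` detections, sorted for stable output."""
    return sorted(c for c, n in detections_by_client(events).items() if n >= threshold)


def signature_age_ok(events: list[dict], now: datetime,
                     max_age: timedelta = timedelta(hours=24)) -> bool:
    """PCI 5.2 style check: last successful signature update is no older than max_age."""
    updates = [e["ts"] for e in events
               if e.get("event") == "sig_update" and e.get("result") == "ok"]
    if not updates:
        return False  # never updated: fail closed
    return now - max(updates) <= max_age


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("by client:", dict(detections_by_client(evs)))
    print("by signature:", dict(detections_by_signature(evs)))
    print("repeat clients:", repeat_clients(evs))
    now = datetime(2006, 1, 11, 9, 0, tzinfo=timezone.utc)
    print("signatures current:", signature_age_ok(evs, now))
```

Because the freshness check fails closed when no update record exists, a gateway whose update job silently stopped logging shows up as non-compliant rather than being assumed current.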

A product with this set of features would address not only the identity theft issue, but also retailers’ other major concerns. Gateway protection against worms and viruses would keep these mass-propagating malware programs out of retailers’ networks and therefore maintain network and computer availability. These requirements also reflect government and industry efforts to raise the level of minimum security practices. Such a gateway anti-malware product would ensure customer data privacy, business continuity, and compliance with government and industry regulations.


Founded by former Trend Micro executives who pioneered gateway anti-virus, CP Secure, Inc. is a leading innovator of real-time anti-malware solutions for enterprise-class organizations. The company’s Content Security Gateway anti-malware appliances are powered by patent-pending stream-based scanning technology to proactively protect networks in real-time against spyware, viruses, worms, and other malware in web and email traffic. The products are certified by ICSA to detect all currently active viruses/malware and protect some of the most demanding organizations in the world. CP Secure is based in Cupertino, California, and operates globally.