Like a crowbar, security software tools can be used for good and evil. Bootleg versions of a powerful tool called "Card Recon" from Ground Labs, which searches for payment card data stored in the nooks and crannies of networks, have been appropriated by cybercriminals.
This month, the security companies Trend Micro and Arbor Networks published research into point-of-sale malware, which has been blamed for data breaches at retailers such as Target and Neiman Marcus, sparking concerns over the security of consumer data.
Both companies found that unauthorized copies of Card Recon had been incorporated into a malware program and a toolkit designed for finding and attacking POS terminals.
"Card Recon looks to be a useful tool when wielded by an auditor or security staff, but it is clearly dangerous in the wrong hands," Arbor Networks wrote in its report.
Card Recon is intended for organizations seeking to comply with the Payment Card Industry's Data Security Standard (PCI-DSS), a set of recommendations to safeguard payment card data.
The software tool scans all parts of a network to see where payment card data is stored. Often, companies find card details stashed in unlikely and unknown places. Card Recon compiles a thorough report, and companies can then move to secure the data.
The software requires license authorization before it will run, which prevents direct illegitimate use, said Stephen Cavey, Ground Labs' co-founder and director of corporate development, via email. But it's impossible to restrict access to Card Recon's software executable after a genuine customer has obtained it.
More than 300 security auditors worldwide and thousands of merchant companies use Card Recon, he said.
"This is the unfortunate reality for all software vendors: It is common for criminals to acquire a copy of commercial software via unauthorized means and then reverse engineer that software to circumvent the licensing mechanisms that are designed to prevent its unauthorized use," Cavey said.
Numaan Huq, a senior threat researcher for Trend Micro, wrote on Wednesday that a version of Card Recon dating from three years ago was being used to validate payment card details in a type of POS malware.
When Card Recon is scanning, it has to be able to separate 16-digit numbers and other random data it finds from valid 16-digit credit card numbers. Credit card numbers can be validated by using a checksum formula called the Luhn algorithm.
The malware Huq studied used Card Recon to validate and identify cards by brands such as Discover, Visa and MasterCard. Using Card Recon was faster than other validation methods, especially for large volumes of card data, he wrote.
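The two paragraphs above describe the core of what a card-data discovery scanner does: pull 16-digit runs out of stored data, discard the ones that fail the Luhn checksum, and label the survivors by brand so the owner can find and remove them. The following Python is an added illustration of that technique, not Ground Labs' code; the brand prefix table is a simplified assumption (real issuer ranges are much larger), the sample text is constructed from publicly known test card numbers, and the report masks all but the last four digits so the scan output never becomes another copy of the data it is meant to eliminate.

```python
import re
from typing import Dict, List, Optional

# Simplified issuer prefixes (an assumption for illustration only; real
# issuer identification tables are far larger and change over time).
BRAND_PREFIXES = [
    ("Visa", ("4",)),
    ("MasterCard", tuple(str(n) for n in range(51, 56))),
    ("Discover", ("6011", "65")),
]

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9      # equivalent to adding the digits of the product
        total += d
    return total % 10 == 0

def identify_brand(number: str) -> Optional[str]:
    """Map a validated number to a brand name using the prefix table above."""
    for brand, prefixes in BRAND_PREFIXES:
        if number.startswith(prefixes):
            return brand
    return None

def mask(number: str) -> str:
    """Keep only the last four digits so a scan report never stores a full PAN."""
    return "*" * (len(number) - 4) + number[-4:]

def scan_for_pans(text: str) -> List[Dict[str, object]]:
    """Find 16-digit runs, keep only Luhn-valid ones, and label their brand."""
    hits = []
    for m in re.finditer(r"(?<!\d)\d{16}(?!\d)", text):
        candidate = m.group(0)
        if not luhn_valid(candidate):
            continue        # a random 16-digit value passes the checksum only 1 time in 10
        hits.append({"offset": m.start(), "brand": identify_brand(candidate),
                     "masked": mask(candidate)})
    return hits

# Constructed sample: public test card numbers plus one 16-digit value that is not a card.
SAMPLE = ("order=1001 card=4111111111111111 ok\n"
          "backup: 5555555555554444 exp=12/25\n"
          "txn_id=4111111111111112 not a card\n"
          "legacy dump 6011111111111117\n")

if __name__ == "__main__":
    for hit in scan_for_pans(SAMPLE):
        print(hit)
```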
Arbor Networks wrote in its report that the attack toolkit it observed contained two cracked copies of Card Recon. In that instance, it appears Card Recon was being used for its intended purpose -- to find card numbers -- but for cybercriminals.
If anything, the abuse of Card Recon strengthens a case for its legitimate use. Ground Labs' Cavey said the best defense is to remove sensitive data.
"They can't steal what is no longer there," he said.