Once again, remote access applications prove to be a major security vulnerability for retailers.
This is not a new problem. Every year, the Verizon Data Breach Investigations Report reiterates the importance of choosing a secure remote control provider. For those who fail to do so, these applications can pave an inroad for cyber criminals... who happen to be very expensive guests.
Security Alerts: where they come from, why they matter
When a retailer gets hacked, often an investigation follows.
Usually, the credit card company requires the merchant to hire a Payment Card Industry Forensic Investigator (PFI). Because hacks are not uncommon, the average card company probably sees a few hundred PFI reports each year.
By watching those reports as they roll in, the card company can identify new vulnerabilities as they emerge... as well as not-so-new vulnerabilities. Whenever they see a confirmed threat pattern, they issue an alert to help their customers protect themselves.
Advice from the July 2014 Visa Security Alert
According to the Visa report, malicious remote access is on the rise in point-of-sale (POS) environments:
“The circumstances around multiple merchant compromises in the last several months suggest an actor or group of actors are targeting merchants who share common POS integrators or remote support vendors.”
They go on to name several popular remote access solutions which, if used maliciously, could put a retailer’s payment card data at risk:
- Microsoft Remote Desktop
A cyber criminal who wants to exploit this type of application has several options. All it takes is an outdated operating system, a weak password or an ineffective firewall for the wrong person to gain access to the powerful system privileges that remote access provides.
This explains why multi-factor authentication is so important. Relying on single-factor authentication alone introduces a completely unnecessary risk to one’s remote access strategy.
Visa ends their report with a list of vital security practices that every retailer should adopt immediately; two-factor authentication is part of that picture: “Always use two-factor authentication for remote access.”
Examine your Remote Access Solution carefully
Visa urges merchants and payment system stakeholders to scrutinize their preferred remote access solution for competent backend security offerings. For example, some vendors don’t support multi-factor authentication. That’s a problem.
This level of authentication is a crucial safeguard in the cyber defense toolkit. Requiring each user to confirm their identity at a granular level with two or more forms of authentication – for example, demonstrating “something you have (a device) as well as something you know (a password)” – lets your organization eliminate a whole category of needless risk.
We’ve recently broadened the multi-factor authentication options for Netop Remote Control.