
Criminals vs Networked AI: A Hack at Wawa We Should All Pay Attention To

By Tim Sloane
January 2, 2020
in Analysts Coverage, Fraud & Security, Fraud Risk and Analytics, Merchant, Point-of-sale

This article does a deep dive into the Wawa hack that captured customer card data. It reports that the malware was active for nine months and that it took Wawa a month to find the malware after Visa warned it that something was amiss.

This suggests Wawa lacked focus on its computer security, which is not uncommon among medium-size merchants under pressure from competitors to lower prices while increasing service levels. In such a pressure cooker, “plumbing” is often assigned very limited resources unless changes are required for a strategic purpose. But deterring criminal organizations and state actors isn’t done on a budget; it must react to facts on the ground.

One assumes Wawa met PCI compliance requirements, but when hackers get an unwitting employee to click on an email link connected to malware, it is no longer about hardening the perimeter; it’s about monitoring the soft underbelly of internal systems for subtle aberrations, such as user accounts sniffing into computers they have no right to access. 

Visa, using network-based machine learning tools, recognized a pattern of card usage at gas stations with fraud conducted shortly thereafter, and notified Wawa. A network-based payment fraud detection platform, available from a wide range of suppliers (Mercator is evaluating 17 in our upcoming fraud platform vendor review), would also detect the same anomaly, although without payment network data it may take longer.

In addition, many IT departments now use machine learning to watch internal network activity to detect anomalies, such as those that should have been detected at Wawa. None of this is newsworthy, as it’s all been said before, but it certainly deserves repeating:

“Wawa has said malware was on its store systems starting after March 4, about eight months before Visa warned of the attacks on Nov. 14. Wawa said it found the malware on Dec. 10 and contained it by Dec. 12, but by then cardholder names, numbers, and expiration dates used in-store and at gas pumps were compromised. The breach went undetected for roughly nine months.

Now the popular convenience store chain is facing a wave of lawsuits accusing the company of failing to protect consumers from the massive data breach affecting potentially all of its more than 850 stores. At least nine lawsuits seeking class-action status had been filed in federal court in Philadelphia as of Tuesday. Some Wawa customers say that their credit and debit cards were fraudulently used after the data breach.

“What is most shocking to me, and should be most appalling to everybody, is how long this went undetected. How did Wawa just find this recently?” said Ron Schlecht, managing partner at Bala Cynwyd-based BTB Security. “They were obviously not monitoring at an appropriate level commensurate with their business volume and were unable to detect this anomalous activity.”

Wawa, which is based in Wawa, Delaware County, has stores in six states — including Pennsylvania, New Jersey, and Delaware — and the District of Columbia. The company, which had more than $12 billion in sales in 2018, serves about 700 million customers annually.

The lawsuits suggest that millions of customers could have been affected by the breach.

In August and September, Visa investigated two breaches at North American gas stations in which hackers deployed malware to harvest payment card data. In one case, someone sent an employee a phishing email with a malicious link that, when clicked, installed a “Remote Access Trojan” on the company’s network. Hackers eventually reached the firm’s point-of-sale system and scraped payment card data.

In another case, the gas station accepted card chips in-store and magnetic stripes at fuel pumps. The malware used in that attack targeted the magnetic-stripe data, meaning payment cards used at fuel pumps were at risk.

“The Visa reports make clear that it is user gullibility that is the attack vector,” Michael Levy, former chief of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania, wrote in an email. “A network may be hardened against an outside assault, but if you can get an employee inside the company to click on a link, and that link causes the employee’s computer to download malware, you have tunneled under the moat and [fire]wall. It was my guess that the perpetrators accomplished the Wawa breach in a similar fashion.”

Visa said one of the attacks it investigated was likely launched by a cybercrime group called FIN8, which often targets retail, restaurant, and hospitality merchants to steal payment account data. Such groups have “close ties with the cybercrime underground” and are easily able to sell the account information obtained in the attacks, according to Visa.”

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
