Visa has recently found an increase of criminal instances of keystroke logging (also referred to as key logging) through the course of analyzing payment card data security breaches. This criminal tactic intercepts every stroke typed into a victim’s computer keyboard and records this information to be retrieved. Most of their victims have no idea this is occurring. In the hospitality industry and for other merchants, this means that without proper safeguards in place, you may be unknowingly transmitting your customers’ payment card information and other sensitive data directly to hackers.

Key loggers, like most forms of malware, can be distributed as part of a Trojan horse, a virus or other malware, sent via e-mail (as an attachment or by clicking to an infected Web link or site) or, in the worst cases, are installed by a hacker with unauthorized direct access to a victim’s computer.

The particular key logger malware identified by Visa is equipped to send payment card data to a fixed e-mail or IP address accessible to the hacker. In these instances, the hacker is able to install key logger malware on the point of sale (POS) system.

This system vulnerability is generally due to insecure remote access and poor network configuration which allows criminals unauthorized and unfettered access. Based on forensic review of the malware, it uses file transfer protocol (FTP) and simple mail transfer protocol (SMTP) on default ports (20, 21 and 25 respectively) to send data out of the network.

Recommended Mitigation Strategy
Although key loggers can be difficult to detect, the following measures that support an organization’s Payment Card Industry Data Security Standard (PCI DSS) compliance should be used to mitigate the risk of exposure to critical systems, such as POS systems, payment processing servers, database servers or other servers where cardholder data resides:

Remove unnecessary remote access. If remote connectivity is required, secure remote access by turning on remote access only when needed. Do not use default or trivial passwords; only use remote access applications that offer strong security controls. Always use two-factor authentication.

Implement a secure network configuration. Organizations must have a dedicated firewall and must implement strict network traffic ingress (inbound) and egress (outbound) filtering to only allow those ports/services necessary to conduct business. Disable FTP, SMTP and other insecure ports if your organization does not require these services.

Constantly observe which software programs are installed on their systems, determine any unknown applications, and take appropriate actions (e.g., remove, disable, configure properly, etc.) to mitigate the risk of a compromise.

Monitor your network and host. Monitoring can alert organizations whenever a software application attempts to contact malicious IP addresses or when malicious IP addresses attempt to contact your network. This action will give organizations a chance to prevent key loggers from exporting sensitive data from the network.