SISA says hackers are targeting payment switch server

Friday, 29 December 2017

SISA, a global payment security specialist firm, has released this global advisory in the interest of proactively securing the payment card industry based on recent findings by SISA forensics lab.

SISA’s payment forensic team has identified that malicious scripts are being injected into the payment switch server of banks for generating fake response messages to the request received from the card schemes.

SISA said a malicious script is being injected into the payment switch application server, which is configured for various payment brands in the banks, to generate fake response messages to the requests received from the payment brands.

The malicious script is capable of collecting relevant payment card data (i.e. card number, expiry and Track2 data), as well as enabling customer cards to be cloned and used for withdrawals across the globe. The malicious script is able to analyze the incoming transaction request from payment brands and generate a fake response back (presuming the request has come from the bank switch application). As the malicious script only generates the fake responses, no details of the incoming transaction request or outgoing transaction response are logged in the switch application logs.

In light of the recent finding, SISA suggests that the industry implement internationally renowned security standards like PCI-DSS and PA-DSS. SISA also urges regulators and government to mandate that these security standards be followed religiously. Ensure that your security operations centre is intelligent enough to identify the above indicators of compromise. SISA also suggests getting in touch with a payment forensic investigator within 24 hours of such suspicion. Initiate imaging of the switch application memory and hard disk for payment forensic investigation (PFI).
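The advisory's key indicator is that fake responses leave no request or response entry in the switch application logs, so one way to surface it is to reconcile scheme-side transaction records against the switch's own log. The Python below is an added example, not part of SISA's advisory; the CSV layouts, the matching on RRN and STAN (ISO 8583 fields 37 and 11) and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data (not from the advisory). Assumed export formats:
# the scheme-side report and the switch log both carry RRN and STAN.
SCHEME_REPORT = """rrn,stan,pan_masked,amount,response_code
000000000101,000101,411111******1111,200.00,00
000000000102,000102,411111******2222,500.00,00
000000000103,000103,411111******3333,150.00,51
000000000104,000104,411111******4444,900.00,00
"""

SWITCH_LOG = """rrn,stan,direction,response_code
000000000101,000101,request,
000000000101,000101,response,00
000000000103,000103,request,
000000000103,000103,response,51
000000000104,000104,request,
"""


def load_switch_index(text):
    """Map (rrn, stan) -> set of message directions the switch actually logged."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        seen.setdefault((row["rrn"], row["stan"]), set()).add(row["direction"])
    return seen


def find_unlogged_responses(scheme_text, switch_text):
    """Return scheme-side transactions whose request or response is absent from the switch log."""
    logged = load_switch_index(switch_text)
    findings = []
    for row in csv.DictReader(io.StringIO(scheme_text)):
        directions = logged.get((row["rrn"], row["stan"]), set())
        missing = sorted({"request", "response"} - directions)
        if missing:
            findings.append({"rrn": row["rrn"], "stan": row["stan"],
                             "response_code": row["response_code"],
                             "missing": missing})
    return findings


if __name__ == "__main__":
    for f in find_unlogged_responses(SCHEME_REPORT, SWITCH_LOG):
        print("ALERT: scheme saw response %(response_code)s for RRN %(rrn)s "
              "but switch log lacks %(missing)s" % f)
```

Any finding means the scheme received an answer that the switch application has no record of handling, which is the condition the advisory describes.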

Controls to be implemented in the switch application server and securing network:

• Enable two-factor authentication for any users to log in to the switch application server.

• Enable IP table to restrict access to the switch server to authorised systems only.

• Conduct a credential-based vulnerability assessment scan.

• Reset the password of all users in the switch application server.

• Reach out to your payment forensic investigator within 24 hours of any suspicion.

SISA is the payment forensic investigator who is credited worldwide for investigating some of the most high profile payment breaches.