Top Malware Families Turn Point-of-Sale Into Point-of-Theft

For retailers, and shoppers, the most wonderful time of the year is also the most dangerous.


A wide range of choices for consumers is one of the things that make the American economy vibrant.

Unfortunately, a wide range of choices also exists in the world of cybercrime, where developers of malware focused on point-of-sale (POS) systems have created dozens of ways to steal payment card information from those same consumers.

Thanks to the catastrophic breach of retailer Target at this time last year, it is now widely known that the current – although now outgoing – payment card system is easily exploitable.


A magnetic-stripe card carries its account data in cleartext. When it is swiped at a POS terminal, the track data (account number, expiry date, service code and, on Track 1, the cardholder name) has to sit unencrypted in the memory of the POS application for the brief interval in which it is read and passed on for authorization. POS malware, usually called a RAM scraper, runs on the terminal or on the back-of-house server that handles it, reads that process memory, pattern-matches the track-data layout and copies out whatever it finds; the criminals then collect the stolen records.

The U.S. is moving to payment systems with better security. By October 2015, when liability for counterfeit-card fraud shifts to whichever party, merchant or card issuer, has not adopted chip cards, the 1960s-vintage “swipe-and-signature” card system is expected to be largely replaced either by EMV smart cards (“chip-and-PIN”) or by an even newer contactless system using near-field communication (NFC), favored by tech giants like Apple and Google.

But that still leaves plenty of time, including the current holiday season (when POS terminals get their biggest workout of the year), for thieves to raid retailers and other credit card processors.

The problem for the defenders of credit card systems is not just the variety of POS malware families, but that they can evolve so quickly. Kevin McAleavey, a malware expert and cofounder of the KNOS Project, said most security technology still depends in large measure on identifying “signatures” of malicious software.

But antivirus software’s recognition of new signatures generally “trails by hours, days and even longer each new variant of malware,” he said.

“This is one of the major reasons why a command and control network is part of commercial malware. It gives the controllers the ability to update and replace their malware as soon as it is detected by antivirus software, with improved, and once again undetectable, replacements,” he said.

McAleavey said “intrusion detection” systems provide some added benefit, but they also depend on matching the signatures of known malware at the perimeter of an organization’s network.

“Given that POS malware in particular is a well-funded criminal enterprise, the bad guys have the ability to keep ahead of those detection signatures as well,” he said.

Even though today’s obsolete payment card system is still in place, experts say there are steps that organizations and individuals can take to make themselves a more difficult target.

Karl Sigler, threat intelligence manager at Trustwave, noted that, “in many of the POS malware attacks this past year, the criminals got in due to weak security practices by third-party providers.”

That, as is widely known, is how the Target breach occurred: the attackers got in with network credentials stolen from a heating and air-conditioning contractor. And third-party security is expected to improve, since the latest Payment Card Industry Data Security Standard, PCI DSS 3.0, includes more stringent requirements for third-party providers starting Jan. 1.

“However, businesses should do more,” Sigler said. “Their contracts with third-party providers should include clauses regarding data protection. They should also have their own layered security strategy in place so even if a criminal compromises a third-party provider’s password, he can still be stopped from gaining access to the business’s entire infrastructure.”

Other recommendations for organizations include:

  • “Allow only whitelisted applications on POS devices,” said Timo Hirvonen, senior researcher, Security Response, at F-Secure. “There should be a default-deny policy for all connections to and from the POS device.”
  • “Isolate the environment of POS terminals from direct Internet access through remote administration,” said Pierluigi Paganini, founder of SecurityAffairs, noting that, “this attack vector became the key for successful intrusions and RAM scraping malware distribution.”
  • McAleavey recommends joining with other organizations in “indicators of compromise” sharing solutions, “as proposed by the OpenIOC Framework created by Mandiant” – a security firm acquired a year ago by FireEye.
  • “Network and host-based monitoring for indicators of compromise, data exfiltration and malware communication plays a critical role,” said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.
  • Use a POS system only for that purpose, not as a workspace computer. “Organizations should segment their critical data – customers’ payment card data – from their non-critical data,” Sigler said.
  • Organize cyber intelligence and threat monitoring frameworks across the enterprise. “Traditionally these infrastructures are franchised-based and decentralized,” said Andrew Komarov, CEO of IntelCrawler. “That creates serious flaws in security.”
  • Have skilled security staff in place. “Security technologies such as intrusion detection and prevention, network access control, anti-malware technologies and others, are only as good as the people who manage them,” Sigler said.
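The default-deny, isolation and network-monitoring recommendations above, expressed as a check a defender could run over connection records from a store network. This is an added example, not code from the article or from any of the vendors quoted in it; the addresses, the allow lists and the flow records are all constructed for illustration. A terminal may open connections only to the payment gateway and the log collector, and only the management jump host may open connections to a terminal; everything else is reported, with a reason that tells the analyst whether it looks like direct Internet access, lateral movement between terminals, or inbound remote administration from outside.

```python
import ipaddress

# Assumed addressing for a hypothetical store network (not from the article).
POS_VLAN = ipaddress.ip_network("10.20.0.0/24")            # terminals live here
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8")]          # everything "inside"

# Default deny: a terminal may open connections only to these destination/port pairs.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.20.250.10/32"), 443, "payment gateway"),
    (ipaddress.ip_network("10.20.250.20/32"), 514, "syslog collector"),
]
# ...and only the management jump host may open connections to a terminal.
INGRESS_ALLOW = [
    (ipaddress.ip_network("10.99.0.5/32"), 3389, "jump host RDP"),
]


def is_internal(ip) -> bool:
    return any(ip in net for net in CORP_RANGES)


def classify(src: str, dst: str, dport: int):
    """Return ('allow' | 'deny' | 'ignore', reason) for one connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in POS_VLAN:                                       # outbound from a terminal
        for net, port, label in EGRESS_ALLOW:
            if d in net and dport == port:
                return "allow", label
        if not is_internal(d):
            return "deny", "terminal reaching the Internet directly"
        if d in POS_VLAN:
            return "deny", "terminal-to-terminal connection (lateral movement)"
        return "deny", "destination not on the egress allow list"
    if d in POS_VLAN:                                       # inbound to a terminal
        for net, port, label in INGRESS_ALLOW:
            if s in net and dport == port:
                return "allow", label
        if not is_internal(s):
            return "deny", "inbound connection from the Internet"
        return "deny", "inbound connection not from the jump host"
    return "ignore", "not POS traffic"


def audit(flow_lines):
    """Run every flow record through the policy and return the denied ones."""
    findings = []
    for line in flow_lines:
        ts, src, dst, dport, proto = line.split()
        verdict, reason = classify(src, dst, int(dport))
        if verdict == "deny":
            findings.append((ts, src, dst, int(dport), proto, reason))
    return findings


# Constructed flow records: timestamp, source, destination, destination port, protocol.
SAMPLE_FLOWS = [
    "2014-12-01T10:02:11Z 10.20.0.15 10.20.250.10 443 tcp",   # authorization traffic
    "2014-12-01T10:02:14Z 10.20.0.15 10.20.250.20 514 udp",   # terminal logs
    "2014-12-01T10:05:40Z 10.20.0.15 203.0.113.45 443 tcp",   # looks like C2 or exfiltration
    "2014-12-01T10:06:02Z 10.20.0.15 10.20.0.7 445 tcp",      # SMB to a sibling terminal
    "2014-12-01T10:07:30Z 10.20.0.15 10.50.1.8 80 tcp",       # back-office web server
    "2014-12-01T10:09:00Z 198.51.100.9 10.20.0.15 3389 tcp",  # RDP from outside
    "2014-12-01T10:11:00Z 10.99.0.5 10.20.0.15 3389 tcp",     # RDP from the jump host
    "2014-12-01T10:12:00Z 10.50.1.8 10.99.0.5 443 tcp",       # unrelated traffic
]

if __name__ == "__main__":
    for ts, src, dst, dport, proto, reason in audit(SAMPLE_FLOWS):
        print(f"{ts} DENY {src} -> {dst}:{dport}/{proto}  {reason}")
```

The same allow lists are what the terminal's host firewall and the VLAN's access-control lists should enforce; running them as an audit over flow records is how you find out whether they actually are, and a terminal that suddenly reaches a new destination on 443 is exactly the update-and-replace C2 behaviour McAleavey describes.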

Experts also caution that while the move from magnetic-stripe cards to EMV or NFC will improve security significantly, it will not eliminate payment card fraud.

EMV improves security at the POS terminal, because the chip produces a transaction-specific cryptogram that cannot be replayed the way copied stripe data can, but it still leaves the cardholder exposed in “card-not-present” transactions such as online purchases, where the chip is never read and the account number, expiry date and security code are all the merchant has to check.

NFC holds the possibility of being even more secure. With Apple Pay, the merchant never sees the real card number: the phone presents a device-specific account number, a token that stands in for the card, together with a one-time cryptogram for the transaction, and the data is encrypted from the phone to the participating bank.

Still, as Paganini notes, “Any new technology has new risks. Security professionals have identified vulnerabilities and bugs in various versions of NFC technology, as well as Apple Pay as a product.”

According to McAleavey, the best thing individual consumers can do is to sign up for two-factor authentication. “It won't prevent their credit card numbers from getting lifted by malware,” he said, “but with two-factor, where a secret code is transmitted to your phone or a special key fob to confirm the sale, that's a one-time use code. Once you've confirmed at the POS that it really is you, the approval goes through. If someone else tries to use the card, then they cannot provide the countersignature.”

This story, "Top Malware Families Turn Point-of-Sale Into Point-of-Theft" was originally published by CSO.
