by Nicholas D. Evans

Retail’s chess game with point-of-sale malware

Feb 14, 2014

Cybercrime, Digital Transformation, Malware


The recent point-of-sale (POS) malware targeted at major retailers is just the latest in a growing number of attacks in recent years. Gross losses from credit and debit card fraud worldwide have reached $11.27 billion, up 14.6% over the prior year. The issue is particularly pressing in the U.S., which accounts for 47.3% of worldwide credit and debit card fraud while generating only 23.5% of the transactions.

Protecting against malware, and against other forms of cyber-attack, is a bit like playing chess. You need to know the characteristics of your opponents and their typical moves, and that is just for starters. Like chess players, many of these attackers have a playbook of moves that they try out on their opponents to uncover weaknesses.

In our cybersecurity chess game, the POS malware attack goes something like this:

1. [e4 e5] Gain access to the network – This is typically done with the stolen username and password of an employee, or of a network-connected outsider such as a third-party vendor; the credentials are often obtained via phishing. Attackers are then able to move around the network (your chess board) and scout for suitable targets such as POS systems.

2. [Qh5 Nc6] Locate a suitable target such as a POS system and upload malware – The POS malware intercepts live customer transactions at the store, scraping the card's track data from the terminal's memory while each transaction is processed: the cardholder name, account number, expiration date and card verification value (CVV) from the credit or debit card.

3. [Bc4 Nf6?] Send the captured data to a drop location – The malware then forwards the captured data from the terminals to a central collection point inside the network, and from there to an external "drop" location using a protocol such as FTP. The drop location is typically a compromised computer belonging to some unrelated party, used to house the stolen data.

4. [Qxf7# (Checkmate!)] Sell the data on an underground marketplace – Finally, the data is sold on an underground cybercrime marketplace where criminals can “buy, sell and trade malicious software, access to sensitive networks, spamming services, credit, debit and ATM card data, PII, bank account information, brokerage account information, hacking services, and counterfeit identity documents”.
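What the malware in move 2 is actually hunting for in the terminal's memory is magnetic-stripe track data, and defenders can use the same matching to find out whether card data is exposed in a POS process. The following is an added example written for this page, not code from the original article: it scans a constructed stand-in for a memory dump for Track 2 records (PAN, expiry, service code), filters candidates with the Luhn check, and reports only masked PANs. The sample PANs are the well-known Visa and Mastercard test numbers, not real cards.

```python
"""Scan a memory buffer for magnetic-stripe Track 2 records.

Added example, not code from the original article. The buffer below is a
constructed stand-in for a POS process memory dump; the PANs are the
publicly known Visa/Mastercard test numbers, not real cards.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): [;] PAN "=" YYMM service-code discretionary [?]
# The start/end sentinels are optional because a card reader or POS
# application may strip them before the data lands in memory.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


@dataclass
class Track2Hit:
    offset: int        # byte offset of the record in the buffer
    masked_pan: str    # first 6 + last 4 digits only; never log a full PAN
    expiry: str        # "MM/YY"
    service_code: str  # e.g. "101": international, magstripe, no restrictions


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; RAM scrapers use the same filter to drop noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[Track2Hit]:
    """Return every Luhn-valid Track 2 record found in buf, with the PAN masked."""
    hits: list[Track2Hit] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # a random run of digits rarely passes Luhn
        yy, mm, svc = (m.group(i).decode() for i in (2, 3, 4))
        if not 1 <= int(mm) <= 12:
            continue            # "=YYMM" with an impossible month is not a card
        hits.append(Track2Hit(m.start(), mask_pan(pan), f"{mm}/{yy}", svc))
    return hits


# Constructed sample "memory dump": two genuine-looking records, one
# Luhn-invalid decoy, surrounded by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00\x00POS_TXN_BUFFER\x00"
    b";4111111111111111=2512101123456789?"   # Visa test PAN, valid Luhn
    b"\x00\x00log: approval code 8823\x00"
    b";1234567890123456=2511201000000000?"   # fails Luhn -> ignored
    b"\x00padding\x00"
    b"5500000000000004=2303101?"              # Mastercard test PAN, no sentinels
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(f"offset {hit.offset:5d}: PAN {hit.masked_pan} "
              f"exp {hit.expiry} svc {hit.service_code}")
```

Run against a real process dump (for example one taken from the POS application with your forensic tooling of choice), a non-empty result is direct evidence that cleartext track data sits in memory where a RAM scraper can reach it, which is exactly the gap the encryption discussion later in this piece refers to.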

So what can be done to counter each of these moves? Of course, firewalls and anti-virus software can be used to guard against the most obvious moves, but this is like using a few pawns (albeit the solid, first line of defense at the start of the game) to try to protect the king in chess. What you really need is your entire set of pieces all in place, and in strategic positions, to provide a far stronger defense across the entire chess board.

To counter the first move, stronger authentication (multi-factor authentication, especially for remote and third-party access), good password hygiene, and education about phishing attacks can go some of the way toward minimizing exposure. To counter the second move, network segmentation can go a long way toward safeguarding mission-critical or sensitive systems such as POS terminals: a card-present terminal has no business talking to anything except its payment gateway and the back-office systems it needs. Encrypting sensitive data is another critical layer, although POS RAM scrapers sidestep disk and network encryption by reading the card data from memory while the POS application is processing it; only encrypting the data at the card reader itself, before it reaches the application (point-to-point encryption), closes that particular gap. To counter the third move, security information and event management (SIEM) software can help detect unusual and suspicious activity on the network, such as POS machines sending data to external systems via FTP, or reaching the internet at all. Internet users and businesses can also play a small but valuable role by taking precautions to keep their own machines from being compromised, so they cannot be used as drop locations.
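The SIEM countermove for step 3 is more concrete than it sounds, because the POS segment is one of the few places on a corporate network where the expected traffic pattern is narrow enough to alert on almost any deviation. The following is an added example, not code from the original article or from any SIEM vendor: a small detection routine run over constructed firewall connection logs. It assumes a POS subnet of 10.20.0.0/16, the usual RFC 1918 ranges as "internal", a made-up `src=... dst=... dport=... bytes_out=... action=...` log format, and a 1 MB cumulative threshold; all of those are example values to be replaced with your own.

```python
"""Flag card-present POS hosts talking to the outside world.

Added example, not code from the original article. The firewall log
lines, the address ranges and the field names are all constructed for
this example; a real SIEM rule would be written against your own
firewall's log schema and your own POS subnet list.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed network layout (example values, not from the article).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")          # store POS terminals
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FILE_TRANSFER_PORTS = {20, 21, 22, 69}                       # FTP, SFTP/SCP, TFTP
BULK_THRESHOLD = 1_000_000                                     # bytes out per source host

# Assumed firewall connection-log format (constructed for the example):
# <time> <fw> conn src=<ip> dst=<ip> dport=<n> proto=<p> bytes_out=<n> action=<allow|deny>
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" .*?bytes_out=(?P<bytes>\d+) action=(?P<action>\w+)"
)


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    dport: int
    detail: str


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect(log_lines: list[str]) -> list[Alert]:
    """Run the three POS egress rules over the log and return alerts in order."""
    alerts: list[Alert] = []
    bytes_by_src: dict[str, int] = defaultdict(int)
    bulk_fired: set[str] = set()

    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":
            continue                                  # unparsable, or already blocked
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        dport, out = int(m["dport"]), int(m["bytes"])

        if src not in POS_SEGMENT or is_internal(dst):
            continue      # store-to-HQ traffic is expected; only POS -> external matters

        s = str(src)
        bytes_by_src[s] += out
        if dport in FILE_TRANSFER_PORTS:
            alerts.append(Alert("pos_ftp_to_external", s, str(dst), dport,
                                f"{out} bytes to a file-transfer port"))
        else:
            alerts.append(Alert("pos_egress_to_external", s, str(dst), dport,
                                "POS host should not reach the internet at all"))
        if bytes_by_src[s] >= BULK_THRESHOLD and s not in bulk_fired:
            bulk_fired.add(s)                         # fire the volume rule once per host
            alerts.append(Alert("pos_bulk_egress", s, str(dst), dport,
                                f"{bytes_by_src[s]} bytes out cumulative"))
    return alerts


# Constructed sample log: a store terminal uploading to an external FTP
# server in two chunks, plus benign and already-blocked traffic around it.
SAMPLE_LOG = [
    "2014-02-10T03:12:44Z fw01 conn src=10.20.3.41 dst=10.1.5.9 dport=443 proto=tcp bytes_out=2210 action=allow",
    "2014-02-10T03:14:02Z fw01 conn src=10.20.3.41 dst=203.0.113.7 dport=21 proto=tcp bytes_out=734112 action=allow",
    "2014-02-10T03:15:10Z fw01 conn src=10.50.1.12 dst=198.51.100.20 dport=21 proto=tcp bytes_out=90000 action=allow",
    "2014-02-10T03:19:57Z fw01 conn src=10.20.3.41 dst=203.0.113.7 dport=21 proto=tcp bytes_out=512000 action=allow",
    "2014-02-10T03:20:30Z fw01 conn src=10.20.7.2 dst=203.0.113.9 dport=21 proto=tcp bytes_out=0 action=deny",
    "2014-02-10T03:21:05Z fw01 conn src=10.20.7.2 dst=192.0.2.55 dport=443 proto=tcp bytes_out=4096 action=allow",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] {a.src} -> {a.dst}:{a.dport} ({a.detail})")
```

Two design points are worth noting. The internal ranges are enumerated explicitly rather than derived from the `ipaddress` module's notion of "private", because what counts as internal is a property of your network, and the library's answer for documentation and test ranges differs between Python versions. And the lowest-severity rule deliberately fires on any allowed POS-to-external connection, not only FTP: once the segment is properly locked down, that rule is also a cheap check that the segmentation from move 2 actually holds.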

Finally, Chip-and-PIN credit and debit cards can also help, since cardholders must authenticate themselves with a PIN and the card stores the cardholder's data in an embedded microprocessor rather than on a magnetic stripe. Like the other countermoves listed above, Chip-and-PIN is not a fool-proof solution, since implementation requirements vary (the PIN is optional in some implementations, such as chip-and-signature). The technology makes cards much harder to clone for fraudulent in-store transactions, but it does nothing to make online or mobile (card-not-present) payments more secure.

Of course, security vulnerabilities cannot be solved by technology alone, and the key point of this simple example is that security requires a multi-layered approach and is everyone's responsibility. It requires the entire ecosystem, not just the retailers and the card issuers: consumers and businesses, and close collaboration between government and industry. No one piece, or one move, in this chess game can deter a strong adversary, but collectively the pieces can all help to minimize exposure.

Also needed are new tools and approaches to cybersecurity that help to strengthen the overall security posture of an organization. One example is the newer generation of data cloaking and data masking tools, which can hide sensitive portions of the network, sensitive servers and sensitive data even from insiders.

Finally, from an enterprise perspective, as software applications and business processes are redesigned to leverage social, mobile, analytics and cloud for digital transformation, it is vital to include cybersecurity in the equation at the design stage and to take a defense-in-depth approach. The shift to social, mobile and cloud computing (and even to the Internet of Things) means that CIOs and security professionals will have to secure not only the traditional 64 squares on their chess board, but also the many other squares sitting out there in cyberspace.