How to fend off PoS malware in 2016

February 17, 2016

One of early 2016’s cyber-security incidents was the Hyatt hotel chain’s disclosure that almost half of its global payment processing endpoints had been infected with malware that was active for six months during 2015. As the Kaspersky Lab blog pointed out, this is not an isolated case: PoS malware (point-of-sale malware) that harvests card data is more and more common (see also the Hilton and Mandarin Oriental chain cases from 2015).

Depending on the nature of a business, wherever clients’ cards are processed, the processing terminals are a high-value target. Stealing financial data and credentials is very appealing to cyber-criminals, either because of the vast amount of accessible data or because of the high profile of the customer base (as in luxury businesses).

PoS malware – an overview

When malicious software is specially designed to infect point-of-sale terminals and steal customer payment data, it is categorized as PoS malware. Most often, cyber-criminals use this method of data theft with a view to selling the data afterwards.

The memory scraper software (Trojan RAM scrapers) involved in this malicious process identifies the unencrypted track 2 credit card data during the brief time (under one second) it is present in the terminal’s memory. It then harvests it and delivers the information to the intruder’s computer (instantly or on demand). The attack qualifies as a Man-in-the-Middle type of exploit.

The resulting damage affects the customers whose data has been stolen, as well as the company on whose devices the theft took place, by tarnishing its reputation. As we have seen in the introductory example, PoS malware is a silent intruder that infiltrates the system and may remain undiscovered for long periods of time, which serves the attackers well.

Another famous instance of PoS malware infection is Target’s, in which the collected data went to an intermediate location before reaching its real destination, making it even more difficult to identify the criminals.

The question of how the malicious code ends up in the PoS system has a simple answer: payment terminals are computer systems like any other, running operating systems that in most cases originate from the manufacturers. The companies that use the terminals have to keep them updated, and may also opt for tech support from the vendors. The connected nature of the PoS system in relation to the other company computers opens up various points of vulnerability.

The year 2005 marked the debut of PoS cyber-attacks, while RAM scrapers entered the official records in 2008. In seven years, with a remarkable history in 2014 (the year of the BackOff, ChewBacca, Debacal, JackPOS, Soraya, BrutPOS, Poslogr, NewPosThings, and FrameworkPOS malware strains), this type of attack gained traction.

PoS malware in 2016

With a bit of perspective on the subject, we may move on to the current situation of PoS malware. Listed among the top five vulnerabilities for 2016 by Security Intelligence, this type of malware is critical because the vendors still do not have a global strategy to counteract the attacks. Specific flaws come with specific PoS models, and all retailers can do is keep informed, apply the best practices in the field and follow the general cyber-security basics, like updating their systems and defense mechanisms regularly.

Now that chip-and-PIN cards are the standard, PoS owners get a partial breath of fresh air, given the stronger security involved compared to magnetic stripe cards and the associated PoS. However, this may only mean a change in the structure of the malware concerned, since chip-and-PIN cards have been in use all around the globe for a while without deterring the cyber-attackers.

In fact, PoS malware has even gone to a new level, targeting ticket vending machines and electronic kiosks. Here you may check an IDG report dating from 2014.

A more detailed assessment of the PoS malware situation as of January 2016 notes that, beyond the financial repercussions triggered by malware attacks, the ensuing loss of customer trust adds to the losses borne by retailers.

In December 2015 a BlackPoS malware campaign targeted healthcare and retail operators and their clients and stole credit card data during the holiday season. Researchers also reported findings of stolen live CCTV feeds, suggesting future cyber-crime purposes.

New strains of dedicated PoS malware were also detected last year (see an example here), but then again this is the usual state of affairs with malware: new types appear continuously, which makes monitoring and alerting very important, especially in the financial and retail business.

Preventive measures against PoS malware

  • The first step in maintaining your cyber-security status, whether as a company or a client, is to keep informed. Try to access daily security reports online by following specialized publications, in order to choose your vendors/providers wisely and stay in touch with the latest developments;
  • As a system owner, make a habit of performing regular updates and periodic system checks; from time to time it might be wise to commission a specialized cyber-security audit; instruct the employees who access the connected systems in cyber-protection best practices and provide cyber awareness training; implement a consistent security strategy and generally follow the best practices in the field, since backing up cyber-security compliance measures with a preventive attitude is never wrong;
  • Encrypting the data deters most cyber-attackers, by making the data less accessible and discouraging the attackers that go for an easy capture;
  • The last resort in dealing with malware-harvested data consists of blocking the data exfiltration process; a clever method of detecting abnormal data exports from the operating system always helps in triggering the alarm; to this end, some cyber-security solution vendors offer special features (Endpoint Application Controls);
  • The most efficient method of lowering the risk of security incidents is to acquire specialized services from a cyber-security provider; this way real-time protection gets updated regularly as the provider stays in touch with the latest developments regarding endpoint malware.
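The exfiltration check in the last bullet, applied to the track 2 data described in the overview, as an added example that is not part of the original article or any vendor product: it scans constructed outbound payloads for Luhn-valid track 2 records and raises an alert that carries only a masked PAN. The log record layout, process and destination values are assumptions; 4111111111111111 is a standard test PAN.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): [;]PAN=YYMM SSS discretionary[?]
# PAN is 13-19 digits, followed by the expiry (YYMM) and a 3-digit service code.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2Hit:
    masked_pan: str    # first 6 + last 4 only, so the alert itself carries no card data
    expiry: str        # YYMM
    service_code: str


def find_track2(payload: str) -> list:
    """Return every Luhn-valid track 2 record embedded in an outbound payload."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan, yy, mm, svc, _disc = m.groups()
        if 1 <= int(mm) <= 12 and luhn_ok(pan):
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            hits.append(Track2Hit(masked, yy + mm, svc))
    return hits


def flag_exfiltration(records: list) -> list:
    """records: egress log entries {proc, dst, data} (assumed layout); returns alerts."""
    alerts = []
    for r in records:
        hits = find_track2(r["data"])
        if hits:
            alerts.append({"proc": r["proc"], "dst": r["dst"],
                           "cards": len(hits), "sample": hits[0]})
    return alerts


# Constructed sample egress log: a normal authorization, then a suspicious upload.
SAMPLE_EGRESS = [
    {"proc": "pos.exe", "dst": "10.0.0.5:443", "data": "AUTH ok amount=25.12 ref=0001"},
    {"proc": "updater.exe", "dst": "203.0.113.7:80",
     "data": "POST /u.php ;4111111111111111=2512101123456789? ;4111111111111112=2512101000000000?"},
]
```

The second PAN in the constructed upload fails the Luhn check and is ignored, so the alert reports one card; in practice the same check belongs at the egress proxy or in the endpoint control rather than in a batch script.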

Apparently, with the growing adoption of chip-and-PIN cards (and the resulting decrease in card payment issues), the online payment environment will register more security incidents.

Solution providers in PoS cyber-security

A few examples available online illustrate the way such services are conceived and the level of protection provided.

Symantec provides Symantec Embedded Security: Critical System Protection, a prevention and detection policy-based approach that lets users configure the monitoring and protection features according to their particular needs.

McAfee’s dedicated product is called Endpoint Protection and is also customizable, letting users define their firewall rules via application lists. Some users mention high RAM consumption or the need to re-whitelist applications after every update.

The same black/white-listing system for applications is specific to Trend Micro’s Endpoint Application Control, too. Its local console is designed to allow user management as well as continuous monitoring and insights.