Top malware families turn point-of-sale into point-of-theft

A wide range of choices for consumers is one of the things that make the American economy vibrant.

Unfortunately, a wide range of choices also exists in the world of cybercrime, where developers of malware focused on point-of-sale (POS) systems have created dozens of ways to steal payment card information from those same consumers.

Thanks to the catastrophic breach of retailer Target at this time last year, it is now widely known that the current -- although now outgoing -- payment card system is easily exploitable.


For a millisecond or so after a card with a magnetic stripe is swiped at a POS terminal, the information is unencrypted. In that millisecond, POS malware is able to copy it, and the criminals then collect it.

The U.S. is moving to payment systems with better security. By October 2015, the 1960s-vintage "swipe-and-signature" card system is expected to be mostly replaced either by a smart-card system called EMV or Chip-and-PIN, or by an even newer system using so-called near-field-communication (NFC) technology favored by tech giants like Apple and Google.

But that still leaves plenty of time, including the current holiday season (when POS terminals get their biggest workout of the year), for thieves to raid retailers and other credit card processors.

The problem for the defenders of credit card systems is not just the variety of POS malware families, but that they can evolve so quickly. Kevin McAleavey, a malware expert and cofounder of the KNOS Project, said most security technology still depends in large measure on identifying "signatures" of malicious software.

But antivirus software's recognition of new signatures generally "trails by hours, days and even longer each new variant of malware," he said.

"This is one of the major reasons why a command and control network is part of commercial malware. It gives the controllers the ability to update and replace their malware as soon as it is detected by antivirus software, with improved, and once again undetectable, replacements," he said.

McAleavey said "intrusion detection" systems provide some added benefit, but they also depend on matching the signatures of known malware at the perimeter of an organization's network.

"Given that POS malware in particular is a well-funded criminal enterprise, the bad guys have the ability to keep ahead of those detection signatures as well," he said.

Even though today's obsolete payment card system is still in place, experts say there are steps that organizations and individuals can take to make themselves a more difficult target.

Karl Sigler, threat intelligence manager at Trustwave, noted that, "in many of the POS malware attacks this past year, the criminals got in due to weak security practices by third-party providers."

That, as is widely known, is how the Target breach occurred. And third-party security is expected to improve, since the latest Payment Card Industry Data Security Standard -- PCI-DSS 3.0 -- includes more stringent requirements for third-party providers starting Jan. 1.

"However, businesses should do more," Sigler said. "Their contracts with third-party providers should include clauses regarding data protection. They should also have their own layered security strategy in place so even if a criminal compromises a third-party provider's password, he can still be stopped from gaining access to the business's entire infrastructure."

Other recommendations for organizations include:

  • "Allow only whitelisted applications on POS devices," said Timo Hirvonen, senior researcher, Security Response, at F-Secure. "There should be a default-deny policy for all connections to and from the POS device."
  • "Isolate the environment of POS terminals from (direct Internet access through remote administration," said Pierluigi Paganini, founder of SecurityAffairs, noting that, "this attack vector became the key for successful intrusions and RAM scraping malware distribution.
  • McAleavey recommends joining with other organizations in, "indicators of compromise" sharing solutions, "as proposed by the OpenIOC Framework created by Mandiant" -- a security firm acquired a year ago by FireEye.
  • "Network and host-based monitoring for indicators of compromise, data exfiltration and malware communication plays a critical role," said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.
  • Use a POS system only for that purpose, not as a workspace computer. "Organizations should segment their critical data -- customers' payment card data -- from their non-critical data," Sigler said.
  • Organize cyber intelligence and threat monitoring frameworks across the enterprise. "Traditionally these infrastructures are franchised-based and decentralized," said Andrew Komarov, CEO of IntelCrawler. "That creates serious flaws in security."
  • Have skilled security staff in place. "Security technologies such as intrusion detection and prevention, network access control, anti-malware technologies and others, are only as good as the people who manage them," Sigler said.
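Several of the recommendations above (a default-deny policy for connections to and from POS devices, isolating terminals from direct Internet access and remote administration, segmenting card data from the rest of the network, and monitoring for exfiltration and malware communication) come down to one rule that can be checked mechanically: a POS terminal may only talk to a short list of known peers, and anything else is an alert. The following is an added example, not code from the article or from any of the vendors quoted in it. It applies such an allowlist to a handful of constructed connection-log lines; the addresses, ports, log format and volume threshold are all assumptions chosen for illustration.

```python
"""Default-deny connection policy for a POS network segment, checked against
connection logs. Added example with constructed data; nothing here is from
the article or from a real deployment."""
import ipaddress
from dataclasses import dataclass

# Hypothetical POS segment and allowlists (constructed addresses).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
# Outbound: the only (destination, port) pairs a terminal may open.
OUTBOUND_ALLOW = {
    ("10.10.0.5", 443),    # payment processor gateway
    ("10.10.0.9", 123),    # internal NTP
    ("10.10.0.20", 8443),  # patch/management server
}
# Inbound: the only hosts allowed to initiate connections to a terminal.
INBOUND_ALLOW = {"10.10.0.20"}
# Outbound volume above which even an allowlisted flow is worth a look.
VOLUME_THRESHOLD = 512 * 1024

OUT_NOT_ALLOWED = "outbound-not-allowlisted"   # possible C2 or exfiltration
IN_NOT_ALLOWED = "inbound-not-allowlisted"     # unsolicited remote access
OUT_VOLUME = "outbound-volume"                 # large transfer to a known peer


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one constructed log line of the form
    '<ts> <src>:<sport> -> <dst>:<dport> proto=<p> out=<bytes>'."""
    ts, src, _arrow, dst, proto, out = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": src_ip,
        "dst": dst_ip,
        "dport": int(dport),
        "proto": proto.split("=", 1)[1],
        "out": int(out.split("=", 1)[1]),
    }


def evaluate(lines, outbound_allow=OUTBOUND_ALLOW,
             inbound_allow=INBOUND_ALLOW, pos_subnet=POS_SUBNET,
             volume_threshold=VOLUME_THRESHOLD):
    """Return the alerts produced by applying the default-deny policy to
    every flow that touches the POS segment. Flows that neither start nor
    end in the segment are ignored: they belong to another policy."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src_pos = ipaddress.ip_address(f["src"]) in pos_subnet
        dst_pos = ipaddress.ip_address(f["dst"]) in pos_subnet
        if src_pos:
            # Terminal initiated the connection: destination must be allowlisted.
            if (f["dst"], f["dport"]) not in outbound_allow:
                alerts.append(Alert(f["src"], f["dst"], f["dport"], OUT_NOT_ALLOWED))
            elif f["out"] > volume_threshold:
                alerts.append(Alert(f["src"], f["dst"], f["dport"], OUT_VOLUME))
        elif dst_pos:
            # Something connected in to a terminal: source must be allowlisted.
            if f["src"] not in inbound_allow:
                alerts.append(Alert(f["src"], f["dst"], f["dport"], IN_NOT_ALLOWED))
    return alerts


# Constructed sample log: two normal flows, one flow to an unknown external
# host, one inbound RDP attempt, one legitimate management connection, one
# oversized transfer to the processor, and one non-POS flow.
SAMPLE_LOG = [
    "2014-12-01T10:00:01 10.20.0.11:50001 -> 10.10.0.5:443 proto=tcp out=2048",
    "2014-12-01T10:00:05 10.20.0.11:50002 -> 10.10.0.9:123 proto=udp out=48",
    "2014-12-01T10:02:17 10.20.0.11:50003 -> 198.51.100.77:443 proto=tcp out=917504",
    "2014-12-01T10:03:00 203.0.113.9:44123 -> 10.20.0.11:3389 proto=tcp out=1200",
    "2014-12-01T10:04:00 10.10.0.20:51000 -> 10.20.0.11:8443 proto=tcp out=4096",
    "2014-12-01T10:05:00 10.20.0.11:50004 -> 10.10.0.5:443 proto=tcp out=1048576",
    "2014-12-01T10:06:00 10.30.0.4:5555 -> 10.10.0.5:443 proto=tcp out=100",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.reason:26} {a.src} -> {a.dst}:{a.dport}")
```

The third and sixth lines illustrate why the volume check sits alongside the allowlist: the external upload is caught because the destination is unknown, but a scraper that relays stolen track data through an allowlisted host would pass the first test and only show up as an unusually large flow. The fourth line is the remote-administration exposure Paganini describes, an inbound connection to a terminal from a host that has no business initiating one.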

Experts also caution that while the transfer of the PCI system to EMV or NFC will improve security significantly, it will not eliminate credit card fraud.

EMV, while it improves security at the POS terminal, still leaves the user vulnerable for "card-not-present" transactions such as online purchases.

NFC holds the possibility of being even more secure. With ApplePay, the merchant never sees the credit card number, and the data is encrypted from the phone to the participating bank.

Still, as Paganini notes, "Any new technology has new risks. Security professionals have identified vulnerabilities and bugs in various versions of NFC technology, as well as ApplePay as a product."

According to McAleavey, the best thing individual consumers can do is to sign up for two-factor authentication. "It won't prevent their credit card numbers from getting lifted by malware," he said, "but with two-factor, where a secret code is transmitted to your phone or a special key fob to confirm the sale, that's a one-time use code. Once you've confirmed at the POS that it really is you, the approval goes through. If someone else tries to use the card, then they cannot provide the countersignature."
