Point-of-Sale (POS) Malware: Will We Ever Get Past It?
It began a relatively short while ago (for this field, anyway) with just a few singular cases. Since then, it has grown to become one of the major threats professionals are fighting hard to mitigate. We’re not talking about Ebola or terrorism; we’re talking about Point-of-Sale (POS) malware, a major threat to everyone’s credit card information.
POS malware enables fraudsters to steal millions of credit card details on a regular basis. It affects businesses large and small, and threatens anyone who uses their credit card to make purchases in physical stores. Just imagine: one infected POS machine can steal hundreds if not thousands of credit card details!
But credit cards have been targeted forever!
It’s true that stealing credit card records has been a hacking threat for quite some time now. They’re an attractive target for fraudsters because they’re relatively easy to “cash out” (that is, it’s relatively easy for a hacker to turn the stolen information into cash).
Until POS malware surfaced, one of the ways fraudsters stole credit card records was through a hacked “skimmer” – a device commonly used at restaurants and other merchants where the credit card is swiped and the skimmer reads and records the card information for later use. Fraudsters then realized they could hack directly into the internal networks of brick-and-mortar merchants. This technique led to the TJMaxx breach in 2007 and RBS Worldpay breach in 2008. Of course, the Point-of-Sale malware that’s being used today easily eclipses all these breaches.
Why target Point-of-Sale terminals?
Point-of-Sale terminals, the ones you’ll find in every business across the globe—from Best Buy to IHOP to the local candy store in the middle of town—used to be custom-built for the job, running their own software and hardware. These days, many Point-of-Sale terminals are fully-fledged computers, running the Windows operating system and even having access to the internet.
With the proliferation of such advanced machines, fraudsters quickly realized there was a new opportunity awaiting them. Already experts in developing malware and infecting machines, hackers set their sights on these advanced POS devices, creating dedicated malware just for them. This malware is designed to sit stealthily on the infected Point-of-Sale terminal, scrape the credit card data from the machine as the card is being swiped, and send the details of all the collected cards to a central location.
It didn’t take long for the underground to start brimming with various types of malware, including PoSeidon, Jack POS, BlackPOS and others, that specifically target POS devices. At first, this malware was used in conjunction with gaining access to internal networks, similar in concept to the TJMaxx and Worldpay breaches. Indeed, Target was one of the organizations affected by such a scheme, having BlackPOS installed on their Point-of-Sale terminals.
It gets worse.
The threat of POS malware is running strong, and the tsunami of Point-of-Sale malware hasn’t stopped at the big retailers. Small retailers, mom-and-pop shops, local and regional stores and others are all targets. With their POS terminals connected to the internet, there’s an opportunity for hackers to inject their malware. Even those retailers that remain disconnected risk getting hacked, as an accomplice to the fraudster could place a USB drive loaded with malware into the merchant’s terminal, immediately infecting it and compromising any card swiped through it.
The fact that POS-infecting malware comes in kits you can buy online also adds to its popularity. Even the most technically unsophisticated fraudster can now operate their own network of infected terminals, collecting credit cards from unsuspecting victims and merchants. The compromised credit cards end up in an automated store. Fraudsters buy them, encode their information on the magnetic strip and go on a shopping spree!
Is there light at the end of the tunnel?
We’ve reached a point where shopping at any physical store can mean getting our credit card information stolen and sold on the black market. If Target and Home Depot were unable to stop these attacks, how could we expect small local stores to have any chance at even realizing they’ve been hit? Even if dedicated solutions are developed (and they are), it would be hard to expect local stores that are not security-conscious to not only implement them, but implement them correctly. Until we’ve figured out a way to require that all merchants big and small address this threat, the scary situation we’re in will not go away.