Data Security Attacks on POS Systems: Hitting Retailers Where It Hurts

Data Security Attack

Data security attacks and cyber breaches are making headlines like never before, with some of the largest and most well-known brands—LinkedIn and Yahoo among them—falling victim. With the frequency and pervasiveness of these attacks, executives in companies of all sizes and across industries are left asking, “If these businesses can be compromised, are we next?”

But rather than being consumed by FUD (fear, uncertainty, and doubt), it’s time to be constructive and proactive to address these attacks. The new reality is when, not if, a data compromise will occur. Embracing the fact that these criminal acts are lucrative and difficult to prosecute has created a new paradigm in the retail landscape. As long as computers and the Internet serve a central role in commerce, these attacks are not going away.

POS: A Major Target

In recent years, we have seen a tremendous amount of data leakage from retailers that have had their payment-card systems compromised. This not only includes credit card information stolen from the point-of-sale (POS) registers or terminals, but other sensitive customer information as well, such as address, date of birth, telephone number, email addresses, and more.

- Sponsor -

Statistics show that 50 percent of the readers of this article have had to replace one or more credit cards in the last 24 months due to a point-of-sale hack. This is of great concern, to say the least. In 2014, the FBI issued an alert to retailers indicating that we had seen just the tip of the iceberg as far as the emergence of malware designed to penetrate and capture our sensitive data. True to this warning, more and more infections and data security attacks regarding POS systems have been reported since then.

The good news is that the situation isn’t hopeless. However, it does require proper planning and investment in new approaches to skill development and technology implementation. It also requires innovative ways to deconstruct and analyze how these targeted attacks evolve within your networks.

Payment-Card Data Theft

Stealing payment-card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored in the magnetic stripe of payment cards, (optionally) clone the cards, and run charges on the accounts associated with them. Criminals have been physically skimming payment cards, including both debit and credit cards, for years. Common techniques for credit card skimming include:

  • Making a rub of the card
  • Rigging ATMs or gas pumps with fake panels that steal data
  • Modifying store POS terminals
  • Using off-the-shelf hardware keyloggers on cash registers

These techniques all require physical access to the cards or the devices used to process them. This introduces a high risk of getting apprehended. Plus, skimmers cannot be readily mass deployed for maximum effectiveness. Therefore, criminals have begun changing their focus to using malicious software to steal payment-card data—primarily credit card data.

Credit Card Hacking 2.0

POS RAM scraping is a software methodology for stealing credit card data. After the merchant swipes the credit card, the data on the card temporarily resides in plain-text format in the POS software’s process memory space in random access memory (RAM). The magnetic stripe on the back of the credit card contains three data tracks. Credit cards use the first two. When the credit card is swiped, data from these tracks are read into the POS software’s process memory.

POS RAM scraper malware retrieves a list of running processes on the victim machine, loads each process’s memory space in RAM, and searches for the credit card data residing there. The malware scrapes the payment-card data from RAM and exfiltrates it to the cybercriminals. The stolen tracks’ data can be used to physically clone the credit card or can be used in fraudulent card-not-present transactions, meaning online purchases.

Promoting Data Security beyond Compliance

POS data security can no longer be a checkmark on an audit to-do list. It has become a business driver—an integral component of business operations. Proactivity is a must because every business that possesses or processes credit card payments is a target for POS data theft.

To effectively protect against POS RAM scraper attacks, businesses need to protect all aspects of their operating environments, not just the POS systems. Attackers can gain initial entry into the corporate network using compromised credentials or via phishing emails. From there, they can locate the POS systems and infiltrate them.

The key to setting up a strong defense is to understand the nature of the threat. In the case of POS RAM scrapers, this means understanding the malware’s attack chain. Through countless hours of research, security analysts have been able to see trends and patterns on how these attacks persist and, ultimately, the success that they have in stealing sensitive data.

As companies formulate defense strategies, they should keep in mind the following:

  • Size of the organization—Large organizations have complex networks with thousands of connected devices, multiple locations, and so on. Data security solutions must be scalable, should be able to defend complex networks, and must be centrally managed.
  • Costs—Data security solutions can become expensive, especially when the organization requires multi-tiered defenses. Businesses should factor in the costs of in-house and/or externally contracted IT services required to manage the deployed security solutions.
  • Multi-platform support—Many businesses support several major operating system (OS) platforms in their operating environments, so security solutions must be able to protect all of them and provide centralized management of the protected devices.
  • Bring your own device (BYOD)—Organizations are increasingly moving toward implementing BYOD policies as a means of cutting costs and giving employees flexibility. BYOD policies introduce new challenges regarding securing employee-owned devices that are accessing the organization’s resources.

Consumers and end users will also have to adopt a “shared-security” attitude. This includes taking steps to ensure that their BYOD devices are protected. As we move to a more frictionless form of payment capability, we must ensure that the devices that we enable to carry out these payment transactions are pristine. We will also have to embrace multi-factor and biometric capabilities to help thwart future attacks.

Time for Forward Thinking

Implementation of EMV (Europay, Mastercard, Visa) chip-and-PIN technology as well as next-generation payment platforms and e-wallet capabilities helps reduce the aforementioned POS attacks, but doesn’t guarantee the complete elimination of payment attacks. Retailers and financial institutions need to work diligently to determine the possible failure modes of their own systems.

Retailers should be spending money on creating rich POS payment applications that are securely tied to our mobile devices and that can leverage cheap technology to process and transmit transactions. In my opinion, this is preferable to spending hundreds of millions or billions of dollars implementing chip-and-PIN technology that will be cumbersome for consumers to leverage in the coming years. At the rate that this technology is advancing, this form of payment will be outmoded quickly.  We should demand more from our companies and challenge them to think much bigger.

In January 2014, the FBI warned that we hadn’t seen the end of the online POS breaches. The agency was correct. The list has continued to grow and hasn’t stopped yet. Dozens of other organizations that process payments have fallen victim to targeted attacks. It’s time to be forward thinking about where this market is going and spend money on the right payment platform that will scale for the masses for the foreseeable future.

It is crucial for retailers to implement breach-detection capability to deconstruct and analyze suspicious campaigns. Finding out about a data breach sooner rather than later means maximizing the chances for damage control. Knowing is 90 percent of the battle in stopping exfiltration in your organization.

As a loss prevention professional, it’s not beyond your scope to ask your IT department hard questions about what they are doing to prevent these thefts. In fact, every employee should feel comfortable asking these questions. In today’s climate, we truly are all risk managers.

History of POS RAM Scraping

The earliest evidence of POS RAM scraping was in the Visa data security alert issued on October 2, 2008. Back then, cybercriminals attempted to install debugging tools on POS systems to copy credit card data from RAM. POS RAM scrapers have quickly evolved since then to use multiple components and exfiltration techniques.

History of POS RAM Scraping Timeline
History of POS RAM Scraping Timeline

To get a better perspective of the evolution of POS RAM scraper malware families, see the timeline diagram, organized by year of discovery. Note that a malware variant may have existed long before it was discovered, so it is difficult to track exact dates. Although most people may not have heard of these malware variants, this diagram will still show you how the frequency has continued to increase over the last several years.

A couple of notes regarding the timeline diagram:

      • Seven unique POS RAM scraper families were discovered between 2009 and 2013.
      • Nine unique POS RAM scraper families were discovered in 2014 alone
      • The arrows connecting the bubbles indicate either a direct evolution or technology reuse.

The new reality is when, not if, a data compromise will occur. Embracing the fact that these criminal acts are lucrative and very difficult to prosecute has created a new paradigm in the retail landscape. As long as computers and the Internet serve a central role in commerce, these attacks are not going away.

How Do Hackers Infiltrate?

Retailers and other businesses that process credit cards, irrespective of their size, are data-theft targets. The most convenient place to steal credit card data is from the RAM of POS systems where the data temporarily resides in plain-text format during transaction processing. The challenge for the cyber criminals is to find a reliable method to infect POS systems. Some of the common infection methods are described below.

Inside Jobs. The inside job is the most difficult infection vector to prevent, since it involves people that businesses trust or those who can abuse their privileges to commit crimes. These could include disgruntled or disillusioned employees out to take revenge or even just unscrupulous individuals out to make some quick cash by victimizing their employers.

Phishing and “Social Engineering.” POS RAM scrapers are never spammed out to millions of potential victims. Instead, they are sent to a chosen few targets via phishing emails with effective social-engineering lures. Small businesses often use their POS servers to browse the Internet and check email, thus making them easy targets of phishing attacks. It’s not a bad idea for loss prevention professionals to look into developing company policy against using POS servers this way.

Vulnerability Exploitation. New software vulnerabilities are disclosed and patched every month by their respective vendors. Only a handful of these are successfully “weaponized.” Once weaponized, the vulnerabilities will be used in cyber attacks for years. These exploits are able to successfully compromise systems when IT has not rigorously applied these vendor patches. The reality is that many POS servers are still running outmoded, unsupported operating systems.

PCI-DSS Non-compliance Abuse. Payment Card Industry Data Security Standard (PCI-DSS) refers to a set of requirements designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment. PCI-DSS does not offer new secure technologies to protect electronic payment systems. It does provide requirements to build up additional layers of security controls around controls that already exist. Hardening systems and networks (making them more secure) is not a trivial task. Companies that lack expertise or resources often incorrectly configure their POS environments, making them susceptible to malware attacks.

Targeted Cyberattacks. Targeted POS RAM scraper attacks are attacks aimed at large businesses with millions of credit cards. There are six different stages of these attacks, from ensnaring a victim to exfiltrating stolen data to the black market. Some of the most malevolent attacks of all, these targeted assaults are meticulously planned and well executed, making them notoriously difficult to detect.

The “inside job” is the most difficult infection vector to prevent, since it involves people that businesses trust or those who can abuse their privileges to commit crimes. These could include disgruntled or disillusioned employees out to take revenge or even just unscrupulous individuals out to make some quick cash by victimizing their employers.

This article was originally published in 2015 and was updated November 9, 2016.

Stay Updated

Get critical information for loss prevention professionals, security and retail management delivered right to your inbox.