Retailers at high risk of POS attacks

Vulnerable point of sale systems are giving hackers easy access to customer data, with retail organisations top of the hit list.

By Jon Tullett, Editor: News analysis
Johannesburg, 30 Jan 2014
Mobile POS systems like the Square will be a target for cyber criminals.

Recent high-profile attacks have highlighted a growing trend: point of sale (POS) systems are being exploited by attackers to gain credit card details and other personal data.

In the US, two recent attacks have drawn most of the attention, with Target disclosing it had lost 40 million card details, and perhaps as much as 110 million customer records. Neiman Marcus was also attacked, with lower but still considerable losses: about 1.1 million records.

It appears Target and Neiman Marcus were both hit with variants of the same BlackPOS malware, which has Russian origins but is available for purchase on underground markets. BlackPOS scrapes the RAM of infected POS systems to capture card data, before uploading it to the attacker. It is believed several other retail operations have been targeted, suggesting a coordinated programme of attacks.
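BlackPOS-style scrapers look for card data sitting in POS process memory; the defender's counterpart is to scan memory dumps, logs or outbound transfers for the same patterns. As an added illustration, not code from the article or from any vendor, this Python routine flags Luhn-valid card numbers, including ones laid out as magnetic-stripe track-2 records, in a constructed byte buffer; the track-2 layout and the test card numbers are assumptions, not details from the article.

```python
import re

# Constructed sample standing in for a slice of POS process memory or an
# outbound transfer; the card numbers are industry test numbers, not real cards.
SAMPLE = (b"GET /api/status HTTP/1.1\r\n"
          b";4111111111111111=2512101?\r\n"      # track-2 style record (assumed layout)
          b"customer=5500000000000004&exp=2512\r\n"  # bare PAN in a query string
          b"order=1234567890123456\r\n")         # 16 digits that fail the Luhn check

# 13-19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so reports never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes):
    """Return (kind, masked_pan) for each Luhn-valid candidate in buf."""
    hits = []
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        start, end = m.span()
        # ';PAN=' framing is the track-2 start sentinel and field separator.
        track2 = buf[start - 1:start] == b";" and buf[end:end + 1] == b"="
        hits.append(("track2" if track2 else "pan", mask(pan)))
    return hits


if __name__ == "__main__":
    for kind, masked in find_card_data(SAMPLE):
        print(f"{kind}: {masked}")
```

The Luhn filter removes most false positives from order numbers and timestamps; a production check would also whitelist known non-card identifiers and run continuously rather than on a single buffer.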

This is a continuing trend - according to payment card security firm Trustwave, nearly half of global cyber-attack victims are retail operations. This was not Target's first outing either - it was breached in 2005 by Albert Gonzalez who, with his Russian allies, stole more than 170 million credit card details in a three-year crime spree. Retail operations are attractive targets for hackers, since the most valuable data - credit card numbers - is close to the attack surface, and many victims use outdated PCs as POS terminals, or leave other vulnerabilities unaddressed. Gonzalez, for example, often attacked weak wireless access points to gain access to retail networks.

Local targets

The international patterns are mirrored in South Africa. In 2013, several South African fast food operations were targeted by the Dexter malware, with KFC hit especially hard. Thousands of terminals were infected, with costs running to tens of millions of rands. Dexter was first identified in 2012, as malware specifically targeting POS systems around the world to steal payment card details - the malware is customised for each attack to thwart detection. In 2012, payment processor PayGate suffered a breach, potentially leaking many thousands of consumers' card details.

Worldwide, many millions of credit card details have been stolen in the last few years. The payment card industry does specify stringent data security requirements, published as PCI DSS (Payment Card Industry Data Security Standard) and recently updated to PCI DSS 3.0. However, Target and Neiman Marcus were both PCI compliant, raising questions about the effectiveness of the requirements and their implementation.

With toolkits like BlackPOS and Dexter readily available to criminals, any retail operation can find itself targeted, particularly those with loyalty schemes - the additional personal data is an extra incentive to an attacker. Typically, malware will be customised to avoid detection, with attacks playing out over several months to maximise the data gathered (in Target's case, an estimated 11GB of data was transferred out of the organisation).

The banks, which absorb most of the financial damage, are bracing for future attacks, and their preparations have in fact reduced actual levels of card fraud significantly. Even so, there remains an elevated risk of ongoing fraud or identity theft using the other personal data stolen alongside the card details.

Mobile POS will be next

Mobile point of sale (mPOS) systems are a growing segment, giving merchants, particularly small operations, the ability to process payments on a smartphone or tablet. Internationally, products such as Square are gaining momentum, while local options are also entering the market, such as locally invented Thumbzup, the brainchild of Stafford Masie, and supported by Absa under the Payment Pebble brand.

While convenient, mPOS is also an attractive target for attack. Mobile malware could potentially target the payment data, but more concrete attacks have already been demonstrated. Jon Butler and Nils, researchers at MWR Infosecurity, have demonstrated attacks against mPOS devices, claiming to have found vulnerabilities in the majority of mPOS devices in the market.

The malware toolkits targeting POS will certainly have mPOS in their sights in the near future, and the ongoing trend of attacks against retailers and POS systems is set to continue for the foreseeable future.