Since the high-profile Target breach in 2013, point-of-sale (PoS) malware has become prevalent in the targeting of numerous retail organizations. But going forward, policy and process changes may finally mitigate this threat in 2015.
In cases where credit card data is stolen through website breaches, the exposed data usually consists of the card numbers, expiration dates, cardholder names, and card security codes. However, with this data alone, it is not always possible to accurately recreate what can be found on a card’s magnetic strip. In the criminal marketplace, card track data is therefore generally more highly valued because it can be used in multiple ways, including manufacturing counterfeit credit cards.
Hence the rise of PoS attacks.
By infecting terminals with malware specifically designed to steal credit card information as the cards are swiped by customers, attackers have been able to collect data for hundreds of thousands of credit cards, from an ongoing list of victims: Target was the beginning, but since then, breaches at Home Depot, Sally Beauty and even parking operators have nabbed headlines for PoS breaches.
The tide may be about to turn however, according to CrowdStrike’s annual Global Threat Intel Report, thanks to industry groundswell support for chip and PIN cards that use a combination of the traditional PIN number and an embedded microchip that encrypts vital information.
“PoS malware experienced a great deal of success during 2014; however, upcoming changes may force changes in payment-processing systems in the US,” the firm said in the report. “For example, several major credit card companies are expected to institute new policies in October 2015 that will shift liability for fraudulent transactions to whomever is using the weakest payment-processing systems.”
Additionally, several alternative solutions, such as Apple Pay and Google Wallet, have started becoming adopted, allowing for payment via token systems.
“In these systems, rather than a card number being transmitted, a one-time token is passed from a consumer’s device to the retailer,” said researchers. “The advantage to this system is that in the event of the token being obtained by an unauthorized party, it cannot be reused for later transactions.”
Adoption of these newer payment processes should provide consumers with more secure payment methods and make it more difficult for criminals seeking to make money off these systems.
CrowdStrike added that there will be some lag time in 2015 as retailers and banks move to put these improvements in place, during which cybercriminals will still be able to exploit the current, antiquated payment processing systems in the US. At the same time, PoS malware is evolving.
“Malware such as BlackPoS [responsible for the Target breach] requires a bit of strategic planning on the part of the adversary; much of the system lacks the point-and-click intuitive nature of commodity botnets,” it said. “For less-organized or less-skilled adversary groups, an off-the-shelf kit such as Dexter PoS may allow for exploitation and offensive capabilities that may not otherwise be possible.”
By late 2014, the source code for Dexter was publicly available on several criminal forums. The malware scans memory for both Track 1 and Track 2 credit card data.
“Dexter offers an adversary a clean, simple control panel, which allows for infected host management and viewing of obtained data,” CrowdStrike said.
In 2014, other kits similar to Dexter, including vSkimmer and JackPoS, were generally found to be effective in identifying and exfiltrating any found data, the firm added.