A Point-Of-Sale (POS) terminal is a computerised version of a cash register. It has the ability to record and track customer orders, process credit and debit cards, connect to other systems in a network, and manage inventory. Most POS terminals contain a personal computer, which stores specific programs and I/O devices relevant to the company it will be used at. For example, a POS system for a restaurant would contain a database of every menu item which can be queried for information. POS terminals are used in most industries that have a “point of sale”, such as retail, restaurants, hotels and museums. POS terminals are also becoming Web-enabled, which makes it possible to manage global operations and inventory.

Point-of-sale Malware (POS Malware) is malicious software specifically designed to steal customer payment data – particularly credit card details – from business checkout systems. Criminals often sell the customer data rather than using it themselves.

There are two methods criminals can use to obtain a store’s customer credit card data:

  1. Break into the databases where the data is stored, or capture the data at the point of sale (POS). This requires POS equipment, such as additional card readers, which can prove to be quite expensive. The additional reader would need to be physically attached to the store’s card reader. The second device reads and stores card data from track 2 of the magnetic stripe when the card is swiped for payment (note: this data includes the primary card number and security code).
  2. Use POS Malware. This method is easier and less risky for the hacker, and data can be obtained without ever leaving home. POS Malware hunts through device memory for data in the track 2 credit card format. This data only stays unencrypted in memory for a short time, but memory-scraping Malware is designed to gather data immediately after it is detected.

POS Malware attacks can shatter a company’s reputation and also be extremely costly. A popular retailer had to pay out over $10 million to victims when their POS systems were attacked, and this didn’t include the financial damage sustained to their brand image from widespread credit card fraud which occurred after the breach.

One recent incident of a POS Malware attack occurred in a division of Oracle called MICROS. They are ranked as one of the top three point-of-sale vendors globally with their systems being used in over 330,000 cash registers around the world. In early August 2016, MICROS experienced a security breach that impacted hundreds of systems. According to cyber-security expert Brian Krebs, “intruders inserted malicious code into the support portal for the POS software, which allowed them to steal customer usernames and passwords”.

Retailers are not the only industry at risk of POS attacks. A POS Malware, known as PunkeyPOS, affected POS terminals at hundreds of restaurants in early 2016. Security firm, PandaLabs, advised that cyber-criminals were using valid LogMeIn user credentials meant for computers running POS software and connected to POS terminals. Note: LogMeIn is a tool that allows remote devices to be managed. The companies that provide the POS systems to the restaurants are able to use LogMeIn to carry out updates and maintenance remotely.

In most cases, the PunkeyPOS attackers did not have to use a zero-day vulnerability in LogMeIn; they just took advantage of weak passwords. During these attacks, another Malware variant, dubbed POSCardStealer, showed itself. Attackers downloaded an executable file using the LogMeIn access and then executed a script. At the fourteen-hour mark, they would instruct one of the compromised systems to download and install the Malware. This was just a recon mission; if it all worked out, thirty minutes later, the attack would automatically replicate itself and infect hundreds of machines in only 10 minutes.

Hotels are another industry that has been targeted. They are a gold mine for criminals, as they possess credit card details for millions of customers. The Hard Rock Hotel and Casino in Las Vegas had their security systems compromised over an eight-month period. During this time, attackers stole client names, credit and debit card numbers, and the CVV of the cards. These details were obtained when customers used the hotel’s restaurants, bars and shops, but interestingly, did not affect customers purchasing goods or services in the hotel or the casino.

Criminals are able to control their POS Malware remotely from outside the countries they attack, making tracking them down much more difficult. They sell the harvested card data via dedicated dump sites located all around the world. Buyers can purchase this data to use it for online fraud, or to create fake cards which they then on-sell or pass on to mules who commit in-person fraud at retailers or via ATMs.

Researchers at Cisco have warned about a new breed of point-of-sale Malware, named Poseidon, which is designed to steal credit card numbers as soon as a card is swiped through a POS terminal for payment. Craig Williams, security outreach manager for Cisco Talos, explains, “We see this Malware as a progression from past Malware targeting POS systems. It was professionally written to be quick and evasive, with new capabilities not seen in other POS Malware. Poseidon can communicate directly with command-and-control servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering”. Note: reverse engineering is often used by security researchers to try to identify how the Malware works and build better defenses against it.

So, how are these POS attacks occurring? Trend Micro researchers noted that there are five main ways that POS attacks happen (although other forms of Malware can gain access to business networks through these paths, as well):

  • Phishing and social engineering: when hackers take advantage of unsuspecting computer users to worm their way into company networks via legitimate-looking emails or surprisingly convincing phone calls.
  • Employee on the inside: an employee who willingly serves as an ingress point for malicious activity.
  • Vulnerability exploitation: when Malware infiltrates a system that hasn’t been updated with the latest security patch.
  • Non-compliance with PCI DSS guidelines: failure to abide by the industry’s regulations concerning security, which evolved last year to include EMV chip usage.
  • More sophisticated targeted attacks: when hackers get on the network using advanced techniques.

The biggest issue, though, is that many businesses are not changing the default password on their POS devices, or they are running them through a segmented network, making it easy to infect remotely. A previous POS audit of VeriFone POS devices showed that 90% of the VeriFone card readers that were tested had the default password. This password has been well documented since the 1990s, so it is very easy for criminals to get Malware onto the devices and gain full control.


Tips for protection

Whilst FraudWatch International does not currently provide protection services against POS Malware attacks, there are plenty of tips we can provide to assist people and companies to stay protected and secure:

  • Testing: businesses should ensure that they run security audits on their POS devices before they’re rolled out. Vulnerabilities at the point of sale, along with the lack of testing, are a major cause of the ongoing POS attacks. Deep-dive testing is the key; businesses need to do their due diligence.
  • Monitoring: companies should think about using two-factor authentication for remotely accessing their POS systems, rather than solely relying on password logins. Using tools that can detect unusual activity on the point-of-sale terminals themselves is much more effective than simple anti-virus and firewall services. Every computer needs to be monitored to ensure that nothing changes. Such monitoring will detect whether that computer starts transmitting data in the middle of the night, or whether files are being altered.
  • Encryption: no matter how clever the hackers get, even the most sophisticated POS Malware cannot do anything with the data if it is encrypted. End-to-end encryption, where customer data is encrypted all the way through the payment process (including when the credit card is swiped), will ensure that businesses are less vulnerable to any data breach.
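The two signals named in the Monitoring tip, files being altered and a terminal transmitting data in the middle of the night, can be checked as in the following added example, which is not part of the original article. The business hours, file paths, host names and connection records are constructed assumptions.

```python
import hashlib
from datetime import datetime

BUSINESS_HOURS = range(7, 23)  # assumption: the store trades 07:00-22:59

def digest(data: bytes) -> str:
    """SHA-256 of a file's content, used as its integrity fingerprint."""
    return hashlib.sha256(data).hexdigest()

def changed_files(baseline: dict, current: dict) -> list:
    """Compare path -> sha256 maps; report altered, new and missing files."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "new"))
        elif baseline[path] != current[path]:
            findings.append((path, "altered"))
    return findings

def off_hours_transfers(records, allowed_hosts, min_bytes=10_000):
    """Flag large off-hours uploads and any traffic to an unknown host."""
    alerts = []
    for ts, dest, sent in records:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        reasons = []
        if hour not in BUSINESS_HOURS and sent >= min_bytes:
            reasons.append("off-hours")
        if dest not in allowed_hosts:
            reasons.append("unknown-destination")
        if reasons:
            alerts.append((ts, dest, sent, reasons))
    return alerts

# Constructed sample data (hypothetical paths, hosts and byte counts).
BASELINE = {"pos/pos.exe": digest(b"v1"), "pos/config.ini": digest(b"cfg")}
CURRENT = {"pos/pos.exe": digest(b"v1-modified"),
           "pos/config.ini": digest(b"cfg"),
           "pos/svchelper.exe": digest(b"x")}
ALLOWED = {"acquirer.example"}
CONNECTIONS = [
    ("2016-03-10 13:05:00", "acquirer.example", 2_048),
    ("2016-03-11 03:12:40", "acquirer.example", 1_200),
    ("2016-03-11 03:14:02", "198.51.100.7", 512_000),
]
```

On a real terminal the baseline would be recorded from a known-good image before roll-out and stored off the device, so that Malware on the terminal cannot rewrite it.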

Point-of-sale Malware attacks continue to cause serious issues for retailers, restaurants and hotels. If businesses invest in security solutions, they put themselves in the best position to keep bad code out of their networks.