By remotely stealing customer card data from point-of-sale (PoS) devices, thieves have all the information they need to clone credit or debit cards, which can then be sold on the black market or used to buy expensive merchandise for resale.
While the knowledge that smart, well-motivated cybercriminals have set their sights on your financial data is bad enough, worse is the news that modern PoS attacks, such as “PoSeidon”, are now moving away from targeting major companies in favour of small and medium-sized firms like restaurants, bars and hotels.
With the enormous potential for card fraud to erode profits, brand reputation and customer loyalty, it’s time for businesses to ask if their stores and customers are at risk and what can be done to defend them.
When a cashier swipes a customer card, the PoS system reads the magnetic stripe and forwards the account data to your bank for authorisation. For cybercriminals, the goal is to infect PoS devices with malware that can steal this lucrative data.
Any businesses that think their PoS devices are safe should think again. Cybercriminals are resourceful and inventive; they can compromise PoS devices even when they aren’t directly connected to the Internet, or are kept physically secure.
Some of the common methods to watch out for include remote compromise, in which the attacker connects to the PoS device through a remote access protocol or a backend system, and local access, where attackers attackers take advantage of PoS devices in public locations via exposed interfaces, such as network and USB ports.
It’s often said that your IT is only as secure as they people using it and this holds true for PoS attacks, so insiders with physical access to PoS devices can also easily load malware onto terminals.
Phishing campaigns are another once to watch for, as all it takes is one click in a malware-planted email for a PoS system to be attacked. And similar to phishing attacks is drive-by exploitation, which targets a workstation that has access to the PoS system, but instead of embedding the malware in an email, the victim is directed to a website hosting it.
Preventing the infection of PoS devices may be hard, but spotting an existing problem can be even more difficult. From surviving a reboot by copying itself to workstations, to using rootkits that leave almost no trace of its existence, PoS malware is extremely slippery.
The recently discovered PoSeidon family can even update itself directly from remote servers. Meanwhile, most PoS malware also encrypts card data, so it can be exfiltrated to remote servers without being detected or blocked by security systems.
The bottom-line is that today’s increasingly sophisticated PoS attacks mean that just because you can’t see a problem, it doesn’t mean there isn’t one.
The good news is that while there are subtly different families of PoS malware, they all follow the same well-defined attack path – meaning most countermeasures and detection strategies will be effective against all of them. With that in mind, here are our top ten steps to defend your business:
1. Shield the systems
Wherever possible, isolate your PoS infrastructure from direct Internet access.
2. Secure hardware appliances from physical tempering
For example, secure exposed USB ports on all PoS hardware reachable by customers.
3. Cover all devices
Run an up-to-date antivirus solution on all PoS systems, including mobile devices.
4. Never miss an update
Keep your entire software environment up-to-date.
5. Don’t overlook the settings
Reset PoS devices to the manufacturer’s default settings.
6. Tight passwords
Make sure all of your PoS accounts and backend systems have updated, secure passwords.
7. Add network protection to detect and block any suspicious traffic entering or leaving PoS devices
Look for an unexpected host, an unexpected port, or an unexpected country like Russia or China.
8. Be alert to fixed-timeout CPU load spikes
PoS memory scraping causes high load processes and will trigger CPU spikes at regular intervals.
9. Regularly check your remote connection logs, firewall logs, or Windows security event logs
It is vital to regularly check these for successful or unsuccessful logins from foreign IP addresses – especially during off-peak hours. If there’s no legitimate business reason for remote access from such IP addresses, consider the activity to be an attack.
10. Review all your running processes for potential malware
Look for slightly misspelled names running from a legitimate directory, as well as legitimate names running from a non-standard directory.
As long as payment card data remains so lucrative, retailers shouldn’t expect any slowdown in the number of PoS data breaches. In fact, the number of cyber attacks involving malware designed to steal financial data has jumped by more than 25% in recent years.
As attacks become more sophisticated and increasingly target smaller retailers to hamper financial institutions trying to track down card fraud, the time to act is now.
Proactively enforcing industry best practices, getting the security basics right and remaining vigilant are by far the best ways to make sure a business doesn’t end up counting the cost of a PoS attack.
Sourced from Pete Shoard, chief architect, SecureData