Search “malware” on Google and it returns 102 million results; search “EMV” and you get 16.6 million. While EMV may have been on the tip of everyone’s tongues this year because of the October deadline, malware is really the gift that will keep on giving. And for good reason – according to Trustwave’s 2015 Global Security Report, 40% of the data breaches reported in 2014 were Point of Sale (POS) related, with the systems being targeted by an incredible 70 individual variants of malware. And we all know that “data breach” is now a household term, thanks to high-profile breaches at Target, Michaels, Home Depot, PF Chang’s, Albertsons and now Hyatt Hotels, to name just a few.
Stealing payment data from POS systems is so lucrative that an average of 12 new strains of malware are being created every minute. And there was a 64.8% increase in new malware strains for the first half of 2015 compared to the first six months of 2014. And malware isn’t a trend that will die anytime soon.
The Malware Plague
Malware is a “silent” thief. Hackers first find a way into the POS environment – e.g., a weak password, stolen network or vendor credentials, an exposed remote-access service – and once in, they install malware, or malicious software, on the system. The software is designed to locate payment card data, typically in the memory of the POS process, where track data passes in clear text between the card reader and the payment application, and to transmit that data to third-party servers under the hackers’ control, where it is advertised on carding sites and resold for fraudulent use.
One of the largest issues is that malware, like other malicious code, is highly adaptable and easily customized. Here are just a few examples of POS malware in 2015:
- In April the FBI issued an alert about a POS malware strain known as Punkey which was involved in a breach at a U.S. restaurant chain, according to The Washington Free Beacon. Punkey is a memory-scraping POS malware that can be used to compromise any Windows-based POS network. Experts say it is tough to analyze and detect on the wire, because it encrypts the compromised data it exfiltrates.
- In June Trend Micro issued an alert about another new POS malware strain known as MalumPOS, which targets POS devices running on the Oracle MICROS platform that are commonly used by restaurants and the hospitality industry in the U.S.
- In November it was reported that ModPOS, a malware strain discovered in 2013 and based on modular architecture, had made a reappearance in recent data breaches.
And on December 23rd, it was announced that Hyatt Hotels is the latest company to have been hit by hackers, who managed to breach its network, access the payment processing system and insert malware that was programmed to collect payment information, including card numbers, expiration dates and verification codes. The breach affected the 318 properties managed by Hyatt and not franchise locations – and the strain of malware that targeted Hyatt has yet to be revealed publicly.
Anatomy of a Data Breach
Interestingly enough, a data breach itself may not cause any monetary harm to a company. If hackers get into the system and find no valuable data to steal, they may have broken in, but they come out empty-handed.
The devastation occurs when a hacker breaks in and there is valuable data (payment information) in the system. The malware then does the job by locating that data and sending it to the hackers.
Take the Target breach.
- Sources close to the breach investigation said that hackers first broke into the retailer’s network on November 15th, 2013, using stolen network credentials.
- Between the 15th and the 28th (Thanksgiving, the day before Black Friday), the attackers succeeded in uploading their malware to a small number of cash registers within Target stores.
- By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions.
The Financial Consequences of Malware
Taking a few real-world examples, early reports showed that the total expenses incurred from Target’s data breach in 2013 and 2014 reached approximately $162 million. But on December 1st, it was reported that Target agreed to pay $39.4 million to resolve claims by banks and credit unions that said they lost money because of the 2013 data breach.
Early this year, Home Depot reported an estimated $33 million in data breach costs. But on December 3rd, it was reported that Home Depot had incurred $252 million of expenses related to the breach. With an offset of $100 million of insurance proceeds, the net expenses were $152 million.
As the 2015 Cost of Data Breach Study: Global Analysis reported, “While the cost of data breach stayed relatively constant for most industries, the retail sector experienced a significant increase, from $105 [per record] in 2014 to $165 in 2015.” Given the sheer volume of breaches — almost 236 million records are known to have been compromised since 2011 — that means losses in the billions.
Malware: What to Expect in 2016
1. Malware targeting new industries
As large retailers home in on tightening their security around their POS systems, hackers will stalk the next easiest prey and go after smaller businesses that may not have the money or the resources to put a security plan in place to protect their business. The hacks on a small business may not be as lucrative as those on the big-box retailers, but the targets are easier and far more numerous. Analysts are finding it difficult to assess the true impact of this shift because many smaller retailers aren’t reporting the number of compromised records in their disclosures.
Additionally, Bluefin Chief Innovation Officer, Ruston Miles, believes that we should expect to see industries that have not yet been affected completely blindsided by malware in 2016. Practice management, donor management and charity platforms are likely targets, as criminal elements have had much success with similar organizations, such as the many university hacks reported this year.
2. Increased government involvement
Ruston observes that the increase in new strains of POS malware in 2015 has prompted the U.S. government to step in and create warnings as well as new laws to prompt awareness of malware and cybersecurity.
President Barack Obama included $14 billion for cyber security spending in his 2016 budget. In December, the Cybersecurity Information Sharing Act (CISA) was signed into U.S. law. CISA encourages private entities to share cybersecurity information with the federal government. And initiatives such as the United States Computer Emergency Readiness Team (US-CERT) have been integral in keeping companies, businesses and consumers up to date on the latest cybersecurity and malware threats.
3. A major emphasis on devaluing payment data
The key to combating malware is to make all data worthless to hackers with encryption. Troy Leach, Chief Technology Officer of the PCI Security Standards Council, says emerging POS attacks demonstrate why encrypting payment data is necessary.
“Encrypting cardholder data at the earliest point of acceptance will help to minimize exposure in the remainder of the POS system, when perimeter controls and monitoring are not enough,” Leach says.
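To make concrete both how the memory-scraping malware described above finds card data and why Leach’s advice defeats it, here is an added example (not code from the original post, Bluefin, or any of the malware families named above). The first half scans a constructed, fake POS memory snapshot the way a RAM scraper does: a regular expression for magnetic-stripe track 2 (`;PAN=YYMM…?`), a fallback for bare digit runs, and a Luhn check to discard digit runs that are not card numbers. The second half shows the same buffer when a reader encrypts at the point of acceptance: the POS host only ever holds ciphertext, so the scraper finds nothing. The encryption routine is a deliberately simplified stand-in (a SHA-256 keystream, assumed here purely for illustration); real P2PE solutions use DUKPT-derived TDES/AES keys inside tamper-resistant hardware, and the test card numbers and buffer contents are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2 as a RAM scraper looks for it: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
# Fallback for bare PANs (keyed-in entries, receipt buffers); Luhn filters the noise.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: scrapers use it to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardHit:
    pan: str
    expiry: Optional[str]  # "YY/MM" when taken from track 2, None for a bare PAN
    offset: int            # byte offset of the PAN in the scanned buffer


def scrape(memory: bytes) -> List[CardHit]:
    """Scan a process-memory snapshot the way POS RAM scrapers do."""
    hits: List[CardHit] = []
    claimed = set()
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            expiry = f"{m.group(2).decode()}/{m.group(3).decode()}"
            hits.append(CardHit(pan, expiry, m.start(1)))
            claimed.add(m.start(1))
    for m in PAN_RE.finditer(memory):
        pan = m.group().decode()
        if m.start() not in claimed and luhn_ok(pan):
            hits.append(CardHit(pan, None, m.start()))
    return hits


# Constructed sample (not a real dump): what an unencrypting POS process holds after a swipe.
PLAINTEXT_TRACK2 = b";4111111111111111=2512101?"  # test-card PAN, discretionary data shortened
CLEARTEXT_POS_MEMORY = (
    b"\x00\x00TERMINAL-01 idle\x00"
    + PLAINTEXT_TRACK2 + b"\x00"
    + b"receipt total 42.17\x00"
    + b"4111111111111112\x00"          # fails Luhn: a scraper discards it
    + b"order 20151223-0931\x00"
    + b"5555555555554444\x00"          # bare test-card PAN, e.g. from a keyed-in entry
)


def toy_p2pe_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the encryption a P2PE reader applies in its tamper-resistant hardware
    before any byte reaches the POS host. Assumption for illustration only: real solutions
    use DUKPT-derived TDES/AES keys, not this SHA-256 keystream. Do not use as a cipher."""
    out = bytearray()
    for start in range(0, len(data), 32):
        keystream = hashlib.sha256(key + start.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], keystream))
    return bytes(out)


toy_p2pe_decrypt = toy_p2pe_encrypt  # XOR keystream: the same operation both ways


def p2pe_pos_memory(key: bytes) -> bytes:
    """The same POS buffer when the reader handed over ciphertext instead of track 2."""
    return (
        b"\x00\x00TERMINAL-01 idle\x00"
        + toy_p2pe_encrypt(PLAINTEXT_TRACK2, key) + b"\x00"
        + b"receipt total 42.17\x00"
        + b"order 20151223-0931\x00"
    )


if __name__ == "__main__":
    key = b"demo-key-held-only-by-the-decryption-environment"
    print("cleartext POS  :", scrape(CLEARTEXT_POS_MEMORY))
    print("P2PE POS       :", scrape(p2pe_pos_memory(key)))
    # Only the processor's decryption environment, which holds the key, sees track data again.
    recovered = toy_p2pe_decrypt(toy_p2pe_encrypt(PLAINTEXT_TRACK2, key), key)
    print("decryption env :", scrape(recovered))
```

Run it and the first scan returns the two Luhn-valid test PANs (the track 2 hit with its expiry, the bare PAN without), the Luhn-invalid run is ignored, and the scan of the P2PE buffer returns nothing: perimeter controls did not stop the scraper, but there was nothing worth scraping. The same data is recoverable only where the key lives, which is the point of Leach’s remark about encrypting at the earliest point of acceptance.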
In September, Bluefin participated in the ETA / PCI SSC Technology of Payment Security Day in DC where three panels of experts discussed how the industry is utilizing a multi-layered approach to protect payment transactions by using technology that makes data useless to cybercriminals. Ruston along with Troy Leach; Bill Bolton, VP, Information Technology, HoneyBaked Ham; and Steve Robb, SVP of Products and Marketing, ControlScan, discussed point-to-point encryption (P2PE) as part of a multi-layered security approach to encrypt data and make payments more secure.
“We are starting to see retailers respond, with increased awareness, to the new, streamlined Point-to-Point Encryption (P2PE) standards by beginning to demand P2PE at a faster pace in RFPs and sales discussions,” said Miles. “Retailers will demand standardization, listing and PCI-validation of P2PE Solutions, which is a huge battle won in the overall war against malware.”
So what’s on tap for new innovations in 2016? In next week’s Part 3 of our series, we will discuss the payment and security trends for next year to combat hacking and fraud. Until then, happy 2015 as we close out this year.