POS System Security Too Weak
Eric Merritt, a security researcher at forensics investigation firm Trustwave, says these recent developments demonstrate how POS malware is evolving, and why more attention has to be paid to POS security.
“The concerning thing to me really is the security state of POS systems that allows these types of attacks to occur,” Merritt says. “This is why penetration testing is so important. I’m less concerned about what terminals the malware is targeting, and more concerned about how the malware is getting in.”
If POS devices and systems were more secure, many of these emerging malware strains would be much less effective, he contends.
They say nothing is certain but death and taxes – but we’re pretty confident that we can now add data breaches to that list. Breaches are a lucrative gig. Why not install malware in POS systems and watch the credit card numbers roll in? Much easier than robbing a bank.
So how lucrative is it? The 2015 Trustwave Global Security Report reveals some pretty clear answers. Researchers used primary factors that are widely available for sale in underground web forums and calculated market estimates to tally the damage and produce an estimated ROI that the hackers could expect to take home over a month’s time.
The results revealed that attackers using malware to infect the POS could expect to earn a shocking 1,425% return on investment (ROI) – $84,000 in revenue – in just 30 days.
With such a high return, it shouldn’t surprise anyone that new POS malware threats are continually appearing.
- In April, the FBI issued an alert about a POS malware strain known as Punkey, which was involved in a breach at a U.S. restaurant chain, according to The Washington Free Beacon. Punkey is a memory-scraping POS malware that can be used to compromise any Windows-based POS network. Experts say it’s tough to crack, because it encrypts the compromised data it exfiltrates.
- In June Trend Micro issued an alert about another new POS malware strain known as MalumPOS, which targets POS devices running on the Oracle MICROS platform that are commonly used by restaurants and the hospitality industry in the U.S.
- And not to be outdone is the still-unnamed vector of the recent government breach, where hackers got away with 21.5 million Social Security numbers.
Trustwave’s report, as well as emerging malware threats, demonstrates that cyber thieves will continue their attempts to capture the highest revenue possible. This does not mean just cashing out once they have attacked, but being cost efficient from the very beginning, which makes malware that works silently and quickly on the network a perfect avenue to capture clear-text data, payment or otherwise. And malware will only continue to evolve and adapt, just like a virus. It won’t ever go away.
The key is to make all data worthless to hackers with encryption. Troy Leach, Chief Technology Officer of the PCI Security Standards Council, says emerging POS attacks demonstrate why layered payment security is a necessity.
“Encrypting cardholder data at the earliest point of acceptance will help to minimize exposure in the remainder of the POS system, when perimeter controls and monitoring are not enough,” Leach says.
In March 2014, Bluefin became the first company in North America to provide PCI SSC validated Point-to-Point Encryption (P2PE) solutions, and last week we welcomed PCI SSC’s updated P2PE standard, which builds on the earlier version to simplify the development and merchant adoption of PCI validated P2PE solutions.
P2PE devalues consumer card data through encryption, making it unreadable to POS malware. Check out Bluefin’s P2PE page on why PCI P2PE matters and learn more on how to secure cardholder data and protect your brand now.