Point-of-sale malware carries a hefty price tag for retailers

First there were Dexter, Mozart, and BlackPOS, the infamous malware strain that compromised over 40 million credit and debit cards in the well-publicized Target breach. Now PoSeidon and GamaPoS have been identified as the latest point-of-sale (POS) malware, prompting security experts to warn retailers to step up their game to protect against an increasingly active threat landscape.

GamaPoS, memory-scraping malware distributed by the large botnet dubbed Andromeda, was recently discovered to have infected systems inside organizations in 13 U.S. states and Vancouver, Canada, according to antivirus vendor Trend Micro. PoSeidon, another so-called memory-scraper strain, is likewise designed to steal payment card data from the memory of point-of-sale systems.

Both have drawn renewed attention to the now popular practice of targeting POS terminals, which typically lack adequate security controls. According to a study conducted by security firm Trustwave, POS hacks were behind the majority of data breaches in North America even though this type of incident has dramatically declined overseas. The vulnerabilities come with a hefty price tag: the Ponemon Institute’s 2014 Cost of Cybercrime Study showed that the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to $8.6 million per company in 2014.

While the headline-grabbing data breaches at Target, Home Depot, and other major merchants have prompted many organizations to redouble their security efforts, there is still serious work to be done, and retailers need to remain on high alert. Security experts have compiled a laundry list of recommendations for small and large retailers alike to reduce the risk of POS hacks, including:

  • using multi-factor authentication
  • segmenting networks
  • limiting user privileges
  • monitoring the addition of new users and excessive and abnormal LDAP (Lightweight Directory Access Protocol) queries
  • securing and monitoring Active Directory functions
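The two monitoring items in that list (new user additions, excessive or abnormal LDAP queries) are concrete enough to put into detection logic. The block below is an added example, not code from the article or from any of the vendors it names: it parses a small set of constructed, simplified directory-access log lines (the line format, field names, account names and thresholds are all assumptions made for the example) and raises three kinds of alert: a source/account pair issuing more queries than a threshold inside a sliding time window, a user-creation event, and a POS service account searching outside the directory subtree it is expected to use.

```python
"""Detect POS-related directory anomalies on sample log lines.

Added example, not from the article. The log format below is simplified
and constructed; field names, hosts, accounts and thresholds are
assumptions, not any product's real schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Assumed line format:
#   "<ISO time> <LDAP|DIRECTORY> src=<host> user=<account> op=<op> [base=<dn>] [target=<account>]"
SAMPLE_LOG = """\
2015-08-06T09:00:01 LDAP src=pos-lane-07 user=svc_pos op=search base=DC=corp,DC=example
2015-08-06T09:00:02 LDAP src=pos-lane-07 user=svc_pos op=search base=DC=corp,DC=example
2015-08-06T09:00:03 LDAP src=pos-lane-07 user=svc_pos op=search base=DC=corp,DC=example
2015-08-06T09:00:04 LDAP src=pos-lane-07 user=svc_pos op=search base=DC=corp,DC=example
2015-08-06T09:00:05 LDAP src=pos-lane-07 user=svc_pos op=search base=DC=corp,DC=example
2015-08-06T09:00:06 LDAP src=pos-lane-07 user=svc_pos op=search base=DC=corp,DC=example
2015-08-06T09:05:00 LDAP src=hr-ws-12 user=jsmith op=search base=OU=Staff,DC=corp,DC=example
2015-08-06T09:07:30 DIRECTORY src=dc01 user=admin op=user_add target=backup_svc2
2015-08-06T09:40:00 LDAP src=hr-ws-12 user=jsmith op=search base=OU=Staff,DC=corp,DC=example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>LDAP|DIRECTORY) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+)(?: base=(?P<base>\S+))?(?: target=(?P<target>\S+))?$"
)

# Assumed policy: the POS service account should only query its own OU.
ALLOWED_BASE = {"svc_pos": "OU=POS,DC=corp,DC=example"}


def parse(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def excessive_queries(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (src, user) pairs that issue more than `threshold` LDAP queries
    inside any `window`-long sliding interval. One alert per pair."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "LDAP":
            by_key[(e["src"], e["user"])].append(e["ts"])
    alerts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the left edge until the interval fits inside the window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append((key, end - start + 1))
                break
    return alerts


def new_user_additions(events):
    """Every account-creation event as (actor, new account)."""
    return [(e["user"], e["target"]) for e in events if e["op"] == "user_add"]


def out_of_scope_queries(events, allowed=ALLOWED_BASE):
    """LDAP searches by a constrained account whose base DN is not under
    its allowed subtree; duplicates are collapsed, order is preserved."""
    seen, alerts = set(), []
    for e in events:
        if e["kind"] != "LDAP" or e["user"] not in allowed:
            continue
        if not e["base"].endswith(allowed[e["user"]]):
            key = (e["user"], e["base"])
            if key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for name, fn in (("excessive", excessive_queries),
                     ("new users", new_user_additions),
                     ("out of scope", out_of_scope_queries)):
        print(name, fn(evs))
```

The sliding window matters more than it looks: a fixed per-minute bucket lets a burst straddle two buckets and stay under the threshold in each, which is exactly how a scraper that enumerates the directory in short bursts would slip past a naive count. Real deployments would feed this from the directory server's own access log and tune `threshold` and `window` against an observed baseline for each lane.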

Yet even these steps won’t completely safeguard retailers from such attacks. “The point-of-sale computers you see in stores are just the tips of huge icebergs,” contends Slava Gomzin, author of the book, “Hacking Point of Sale,” and director of information security at PCCI, a non-profit focused on predictive analytics in the healthcare space. “Whatever is going on under water is not always under retailers’ control.”

Major retailers have upped their investments in PCI DSS technology and compliance in response to the escalation of attacks. However, Gomzin says retailers are still missing the boat when it comes to laying a security foundation that has legs for the future. “Investment in PCI DSS implementation and compliance is the biggest retail industry mistake,” he says. “Most card data breaches involve retailers who are ‘PCI compliant.’”

Instead of channeling enormous sums of money toward PCI standards initiatives, Gomzin recommends a couple of alternatives. First, he says companies should invest in point-to-point encryption (P2PE) solutions to protect the legacy magnetic cards that are so widely used in the United States – and so vulnerable to hacking. He also advises retailers to begin accepting EMV credit cards (equipped with computer chips and technology to authenticate transactions) and emerging mobile pay options such as Apple Pay or Bitcoin to depart from unsafe payment methods and to start reducing the attack surface.

“If those initiatives started 10 years ago … our wallets and bank accounts would be much safer today,” Gomzin says.

Posted by Beth Stackpole, Posted on 06 Aug
  • cyber security, cyber threats, IT security, malware, point-of-sale, POS, retail
    • DavidD

      “Investment in PCI DSS implementation and compliance is the biggest retail industry mistake,” he says. “Most card data breaches involve retailers who are ‘PCI compliant.’” – This is a disingenuous statement. No one in the field of security would argue that PCI compliance is anything more than baseline security. But we know that weak or nonexistent fundamental security controls are at the heart of most data breaches. The last sentence is incorrect. The annual Verizon, AT&T and Symantec breach studies have consistently shown for the last few years that a higher percentage of data breaches occur with entities who are required to but who are not compliant with the DSS.

    • DavidD

      Verizon provides QSA services to Level 1 merchants. In their 2015 PCI report they make the statement that none of their clients experienced a data breach after their QSA validated their compliance.

    • Albena Alekova

      The article makes some really good pointers and is a good place to start. Cybersecurity strategy is a combination of people, process, technology (ya ya I know… :)). There is no test or QSA that can prevent a breach. This is a game of do what works with how much you have.