First there was Dexter, Mozart, and BlackPOS, the infamous malware strain that compromised over 40 million credit and debit cards in the well-publicized Target breach. Now PoSeidon and GamaPoS have been identified as the latest point-of-sale (POS) malware, prompting security experts to warn retailers to step up their game to protect against an increasingly active threat landscape.
GamaPoS, memory-scraping malware distributed by the large botnet dubbed Andromeda, was recently discovered to have infected systems inside organizations in 13 U.S. states and Vancouver, Canada, according to antivirus vendor Trend Micro. PoSeidon, another so-called memory-scraper strain, is also designed to steal payment card data from the memory of point-of-sale systems.
Both have caused renewed attention toward the now popular practice of targeting POS terminals that typically lack adequate security controls. According to a study conducted by security firm Trustwave, POS hacks were behind the majority of data breaches in North America even though this type of incident has dramatically declined overseas. The vulnerabilities come with a hefty price tag: The Ponemon Institute’s 2014 Cost of Cybercrime Study showed that the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to $8.6 million per company in 2014.
While the headline-grabbing data breaches at Target, Home Depot, and other major merchants have prompted many organizations to redouble their security efforts, there is still serious work to be done, and retailers need to remain on high alert. Security experts have compiled a laundry list of recommendations for small and large retailers alike to reduce the risk of POS hacks, including:
- using multi-factor authentication
- segmenting networks
- limiting user privileges
- monitoring the addition of new users and excessive and abnormal LDAP (Lightweight Directory Access Protocol) queries
- securing and monitoring Active Directory functions
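To make the monitoring items in that list concrete, here is an added example (not from the article or any vendor it cites) that runs two checks over a constructed, key=value style audit log: it lists every account-creation event with the host that issued it, and it flags any host that issues more than an assumed threshold of LDAP queries inside an assumed time window. The log lines, the `host`/`event`/`filter`/`account` field names, and the threshold and window values are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real logs): each line is one
# directory-server LDAP search or one account-creation event.
SAMPLE_LOG = """\
2015-08-06T10:00:01 host=POS-LANE-03 event=ldap_query filter=(objectClass=user)
2015-08-06T10:00:02 host=POS-LANE-03 event=ldap_query filter=(objectClass=computer)
2015-08-06T10:00:03 host=POS-LANE-03 event=ldap_query filter=(objectClass=group)
2015-08-06T10:00:04 host=POS-LANE-03 event=ldap_query filter=(cn=*)
2015-08-06T10:00:05 host=POS-LANE-03 event=ldap_query filter=(objectClass=organizationalUnit)
2015-08-06T10:00:06 host=POS-LANE-03 event=ldap_query filter=(objectClass=person)
2015-08-06T10:05:00 host=HQ-ADMIN-01 event=ldap_query filter=(sAMAccountName=jsmith)
2015-08-06T10:07:30 host=POS-LANE-03 event=user_add account=svc_backup2
2015-08-06T11:00:00 host=HQ-ADMIN-01 event=user_add account=newhire01
"""

def parse(text):
    """Turn key=value log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)   # split only on first '='
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def new_user_additions(events):
    """Return (host, account) for every account-creation event, so a
    register lane creating accounts stands out next to admin hosts."""
    return [(e["host"], e["account"]) for e in events if e["event"] == "user_add"]

def excessive_ldap(events, threshold=5, window=timedelta(minutes=1)):
    """Map host -> peak query count for hosts that issue more than
    `threshold` LDAP queries in any sliding `window` (assumed values)."""
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "ldap_query":
            per_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged
```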
Yet even these steps won’t completely safeguard retailers from such attacks. “The point-of-sale computers you see in stores are just the tips of huge icebergs,” contends Slava Gomzin, author of the book, “Hacking Point of Sale,” and director of information security at PCCI, a non-profit focused on predictive analytics in the healthcare space. “Whatever is going on under water is not always under retailers’ control.”
Major retailers have upped their investments in PCI DSS technology and compliance in response to the escalation of attacks. However, Gomzin says retailers are still missing the boat when it comes to laying a security foundation that has legs for the future. “Investment in PCI DSS implementation and compliance is the biggest retail industry mistake,” he says. “Most card data breaches involve retailers who are ‘PCI compliant.’”
Instead of channeling enormous sums of money toward PCI standards initiatives, Gomzin recommends a couple of alternatives. First, he says companies should invest in point-to-point encryption (P2PE) solutions to protect the legacy magnetic cards that are so widely used in the United States – and so vulnerable to hacking. He also advises retailers to begin accepting EMV credit cards (equipped with computer chips and technology to authenticate transactions) and emerging mobile pay options such as Apple Pay or Bitcoin to depart from unsafe payment methods and to start reducing the attack surface.
“If those initiatives started 10 years ago … our wallets and bank accounts would be much safer today,” Gomzin says.

Posted by Beth Stackpole on 06 Aug