Point-of-sale malware (POS malware) is malicious software written explicitly to steal customer payment data, such as credit card data, from retail payment systems. Criminals typically use POS malware to obtain data they can sell rather than use directly.
There are two ways an attacker can target a store's customer credit card data. The attacker could infiltrate databases where the data is stored or intercept the data at the point of sale (POS). While physical methods can be used to steal data both ways, these methods require access to point-of-sale equipment and often require expensive hardware.
One of the methods is to use an additional reader attached to the store’s card reader. The second device reads and stores track 2 card data for fast payment. Track 2 magnetic stripe data includes the primary card number and security code and other information such as what types of charges are allowed.
POS malware is a much easier and less dangerous way to obtain this information, because the attacker never has to set foot on the premises. POS malware is a type of memory scraper that searches memory for data in the format of track 2 credit card data. This data is available in memory in unencrypted form only for a short time.
However, memory scrapers are designed to collect the data the instant the malware detects it. The credit card information is then sent to the attacker's remote computers and sold on underground sites.
What is POS Malware?
POS malware is intended to steal payment card data from point-of-sale (POS) terminals and systems. It is widely used by cybercriminals who want to resell stolen customer data from retail stores.
Payment card data is encrypted end-to-end and decrypted only in the device’s random access memory (RAM) during the payment process. A POS malware attack infiltrates POS terminals via compromised or poorly secured systems, searching the RAM for payment card data, which is then sent to the attacker unencrypted.
How Does POS Malware Work?
Attacks against POS systems are usually multi-stage. The attacker must first gain access to the victim's computer network. Usually, they do not get direct access to the cardholder data environment (CDE) but to an associated network. They then have to move across the network and eventually gain access to the POS systems.
Then they need to install malware to steal data from the compromised systems. Because the POS system is unlikely to have external network access, the stolen data is usually sent to an internal provisioning server first and ultimately moved out of the retailer's network to the attacker.
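The staging step described above leaves a recognizable trace in network flow records: terminals contacting an internal host they have no business reason to reach, and that same host later sending traffic outside. The following is an added example, not code from the original article; the addresses, the allowlist and the flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical addresses, adjust to your own network).
POS_NET = ipaddress.ip_network("10.20.0.0/24")   # POS terminal segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # everything inside the retailer
ALLOWED_FROM_POS = {("10.20.1.10", 443)}         # payment gateway terminals may reach

# Constructed flow records: (time, source, destination, destination port)
FLOWS = [
    ("09:00", "10.20.0.5", "10.20.1.10", 443),   # normal authorization traffic
    ("09:05", "10.20.0.5", "10.30.4.7", 445),    # terminal writing to a file share
    ("09:06", "10.20.0.6", "10.30.4.7", 445),
    ("10:00", "10.30.4.8", "10.30.4.7", 445),    # ordinary office traffic
    ("16:05", "10.20.0.5", "10.30.4.7", 445),
    ("16:30", "10.30.4.7", "203.0.113.9", 21),   # same host sends FTP outside
]

def from_pos_off_allowlist(src, dst, port):
    """True when a POS terminal talks to anything other than its allowlist."""
    return ipaddress.ip_address(src) in POS_NET and (dst, port) not in ALLOWED_FROM_POS

def staging_candidates(flows):
    """Map each unexpected destination to the POS terminals that contacted it."""
    hosts = defaultdict(set)
    for _, src, dst, port in flows:
        if from_pos_off_allowlist(src, dst, port):
            hosts[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hosts.items()}

def findings(flows):
    """Flag POS policy violations and external egress from suspected staging hosts."""
    staging = staging_candidates(flows)
    out = []
    for ts, src, dst, port in flows:
        if src in staging and ipaddress.ip_address(dst) not in INTERNAL:
            out.append(("staging_host_egress", ts, src, dst, port))
        elif from_pos_off_allowlist(src, dst, port):
            out.append(("pos_unexpected_destination", ts, src, dst, port))
    return out
```

The check only works when the POS segment has a short, explicit allowlist, which is one practical benefit of isolating POS systems on their own network.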
IT professionals often refer to POS malware as a process scanner because it scans active transactions on devices and collects everything that could be useful, usually credit card data.
POS malware searches for data that matches the encoded Track 1 or Track 2 format on a credit card's magnetic stripe. This data includes, among other optional data, the cardholder's name, primary card number, permitted payment types, and PINs.
Unencrypted data is available only for a short time when it enters the database on the device. POS malware is designed to retrieve the data instantly, before it is encrypted. Once the malware gets the data, it sends it to another server where the cybercriminal can sort the data and find the credit card numbers. With payment card data, cybercriminals can sell information on the dark web or make fraudulent purchases with the card information they obtain.
What are the Types of POS Malware?
- BlackPOS is designed for Windows-based computers that are part of a POS system. There is no offline data extraction feature in BlackPOS, and stolen data is uploaded online to remote servers. This gives hackers more flexibility. BlackPOS was used in the massive Target POS breach in 2013.
- Dexter is another Windows-based POS malware with a few active variants. Like BlackPOS, it parses memory dumps of transactions related to specific POS software, searching for Track 1 and Track 2 data. Track 1 data is the cardholder name and account number; Track 2 is the credit card number and expiration date.
- TreasureHunt was created exclusively for a particular group of hackers who sold stolen credit card data. The TreasureHunt malware uses stolen or weak credentials to install itself on the device and targets retailers who still use legacy swipe systems. TreasureHunt retrieves the credit card data from the device's memory and sends it to the command and control server.
- ChewBacca Trojan has simple key logging and memory scraping, using regular expressions to search for card magnetic stripe data. If a card number is found, it is extracted and logged by the server.
- Backoff POS malware has capabilities such as scraping memory for track data, logging keystrokes, command and control (C2) communication, and injecting malware into explorer.exe. The malware injected into explorer.exe is responsible for persistence if the malicious executable crashes or is forcibly stopped. The malware is responsible for scraping memory from processes running on the victim machine and searching for track data.
- Kaptoxa is designed to reside in POS terminals and to monitor information processed by payment application programs. In most cases, payment card data is stored unencrypted for a short time in RAM during the payment authorization process. This is the point at which Kaptoxa can access and copy payment card data, including credit and debit card numbers, personal identification numbers (PINs), expiration dates, e-mail addresses, consumer addresses, and phone numbers. Once the data is copied, it remains on the POS terminals for some time until it is collected in a central location. The Kaptoxa malware then sends information over TCP to an internal host in the compromised network over a quick NetBIOS share every seven hours. The attacker uses a series of remote FTP transfers to retrieve data stolen from this host.
- NitlovePOS collects track one and two payment card data by scanning the running processes of a compromised machine. It then uses SSL to send the stolen data to a web server. NitlovePOS malware also uses spam e-mails with malicious attachments to trick users into downloading malware. When the malware gets into the device, it doesn’t appear immediately, as it copies itself to disk and reboots when someone tries to delete it.
- PoSeidon installs a keylogger on the compromised device and scans the device's memory for credit card numbers. Keystrokes, which can include passwords and credit card numbers, are then encoded and sent to another server. PoSeidon malware can still run in memory if the user logs off and can remain hidden using obfuscation techniques.
- MalumPOS masks itself as a display driver on the infected device. It then tracks transactions and scrapes the infected device's memory for payment information. MalumPOS malware usually targets systems running on Oracle MICROS and accessed via Internet Explorer.
How Can You Protect Against POS Malware?
There are a few things retail managers and security professionals can do to protect POS systems from hackers:
- Update your systems. Outdated, unsupported operating systems are a significant risk as they provide more unpatched vulnerabilities to malware authors. Windows XP-based systems used in many retail environments are vulnerable as they lack some of the more advanced security features of newer versions. In terms of security, POS systems should only use up-to-date and well-supported operating systems.
- Use whitelist technology. Whitelisting can protect against unauthorized applications running on POS systems. Whitelisting allows only pre-approved apps to run on a system.
- Isolate your POS system. Isolating POS systems on a network reduces the potential attack surface and makes it easier to detect suspicious activity. Keeping data segmented allows it to be stored in different locations.
- Use code signing. Code signing attaches a cryptographic signature to a specific binary executable file as a tamper-evident control. Code signing ensures that each program is checked before running to prevent tampering with the system.
- Use chip readers. The EMV technology used by chip cards allows customers to avoid swiping. Magnetic stripes contain unchanging data, but chips in EMV cards generate a unique transaction code each time. The EMV chip makes it difficult to copy payment card data.
- Restrict physical access. Physical access and user privileges to point-of-sale systems must also be tightly managed. For example, if an employee uses a POS terminal to browse the internet, it can expose the system to security risks. Ideally, the administrator account should be tightly protected and the activities of other users strictly limited.
Best Practices to Secure Your POS System
There are many ways to protect a POS system against data breaches or accidental misuse of data. If your point of sale is used to collect customer data such as contact information or payment information, your business will be held liable in the event of a data breach.
Follow these best practices to learn how you can secure your POS system and prevent a POS attack.
- Install antivirus software. This is arguably the most basic way to defend yourself against an attack. Antivirus software is a program that you can download to your system to continuously scan for viruses or malicious files.
- Use encryption. Even if attackers install payment-stealing malware on the POS system, they will not be able to access data that is encrypted. Encryption hides data while it is shared across networks and stored on the POS device, making it extremely difficult to hack.
- Watch POS terminals with video surveillance. Cybercriminals can steal card data by connecting skimmers to POS systems. These devices capture payment information each time a card is swiped. Consider installing surveillance cameras above all POS terminals to deter tampering with your POS terminals.
- Ensure the security of your network. Some thieves don’t even need to break into the store to steal payment information. Data theft can all be done over an Internet connection. To prevent POS intrusion, secure all networks with a strong password and consider establishing a segmented connection for even more protection.
- Implement a POS monitoring service. Based on the specified exceptions, this service identifies cashier breaches as they occur by sending video clips and POS data.
- Keep all POS software up to date. As with any software, keep programs and devices constantly updated. With outdated software, hackers can identify vulnerabilities and gain access to your system.
- Test your system regularly. Always run security tests and checks to evaluate the strength of your POS system. Security tests will help you identify and fix any weaknesses.
- Use complex passwords and enable two-factor authentication. Increase the security of your environment by adding a second layer of security and confirming your identity each time you log in. Every six months, passwords should be updated, and they should include capital letters, numbers, and symbols.
- Physically secure your POS device. POS terminals must be securely fixed and locked to prevent thieves from entering and stealing devices. For extra security, set up monitored alarms to get instant notifications in the event of a break-in.
- Teach employees how to detect suspicious activities. Your employees can be highly effective in POS security. Train them to detect unusual activities and apply cybersecurity best practices. Additionally, make sure every employee understands internal cybersecurity controls and understands how to report a POS attack to minimize damage.
What are the PCI DSS POS Security Requirements?
PCI requirement 9 requires securing POS devices. Compliance with PCI DSS requirement 9.9 only applies to organizations that accept card transactions based on face-to-face interactions between cashiers and customers. The most common devices that allow such transactions are PoS (Point of Sale) and PED (PIN Entry Device) devices.
Whether your card reading devices or terminals are stand-alone dial terminals or connected to a network, they fall into this category as they involve physical interaction with payment cards and cardholders.
Only by securing devices and terminals can organizations prevent criminals from tampering with, stealing, or replacing them, inspecting components, or adding additional devices to collect cardholder data while the transaction is in progress.
PCI DSS requirement 9.9 focuses on three main issues, each of which describes how to perform a specific task sequence:
- Keeping a list of devices;
- Periodic inspection of devices for tampering or substitution;
- Training employees to recognize suspicious behavior and to report tampering or device modification.
Maintain an inventory list of POS devices
Monitoring the physical security of card reader devices and terminals begins with a series of essential details that organizations should track from the moment the device is unpacked and put into use. Creating a device list is the way to start controlling each device. The details to record are as follows:
- Make information
- Model information
- Device location
- Device serial number
- Unique identification method
Keeping the POS device list up to date is something organizations must do to comply with the PCI DSS requirement. Most companies do this task using a spreadsheet and manual work. But with an increasing number of POS terminals, it becomes more complicated to keep them under control, mainly if used in different locations.
Periodically inspect POS devices
Periodic inspection of devices detects tampering, revision, or modification of card reading devices and terminals. The main step required to meet this requirement is to establish procedures for how devices will be inspected.
These procedures must be documented, and personnel must learn how to implement them to determine if any devices have been tampered with or altered.
Taking pictures is a great way to compare a device's current look with its original look to see if it has changed. A safe UV light marker pen is an excellent way to mark device surfaces and device openings, so any tampering or alteration will be visible. Tampering techniques can involve, for example, replacing the outer casing of a terminal.
When POS devices are left unattended, card readers’ risk of being tampered with, reviewed and replaced increases. In such cases, they must be inspected more frequently than devices under constant control or in direct contact with field personnel. Instruction on the type and frequency of inspections depends on the particular organization and should be included in the documentation created to explain inspection procedures.
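The inventory fields and inspection rules above can be checked mechanically instead of by eye in a spreadsheet. The following is an added example, not code from the original article or from the PCI DSS text; the device records, the inspection log, the 30-day and 7-day intervals and the field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Device:
    device_id: str   # unique identification method, here an asset tag
    make: str
    model: str
    location: str
    serial: str
    attended: bool   # False for unattended devices such as kiosks

# Assumed policy: unattended devices are inspected more often.
MAX_AGE = {True: timedelta(days=30), False: timedelta(days=7)}

# Constructed inventory and inspection log (device_id, date, serial seen, UV marks intact).
INVENTORY = [
    Device("POS-001", "ExampleCo", "T100", "Store 1 / lane 1", "SN1001", True),
    Device("POS-002", "ExampleCo", "T100", "Store 1 / lane 2", "SN1002", True),
    Device("POS-003", "ExampleCo", "K20", "Store 1 / kiosk", "SN2001", False),
    Device("POS-004", "ExampleCo", "T100", "Store 2 / lane 1", "SN1004", True),
]
INSPECTIONS = [
    ("POS-001", date(2024, 2, 1), "SN1001", True),
    ("POS-001", date(2024, 3, 1), "SN1001", True),
    ("POS-002", date(2024, 3, 1), "SN9999", True),
    ("POS-003", date(2024, 3, 1), "SN2001", False),
    ("POS-005", date(2024, 3, 2), "SN5005", True),
]
TODAY = date(2024, 3, 12)

def review(inventory, inspections, today):
    """Return (device_id, issue) pairs based on each device's latest inspection."""
    latest = {}
    for dev_id, day, serial, marks_ok in inspections:
        if dev_id not in latest or day > latest[dev_id][0]:
            latest[dev_id] = (day, serial, marks_ok)
    issues = []
    for dev in inventory:
        if dev.device_id not in latest:
            issues.append((dev.device_id, "never_inspected"))
            continue
        day, serial, marks_ok = latest[dev.device_id]
        if serial != dev.serial:
            issues.append((dev.device_id, "serial_mismatch"))   # possible substitution
        if not marks_ok:
            issues.append((dev.device_id, "marks_disturbed"))   # possible tampering
        if today - day > MAX_AGE[dev.attended]:
            issues.append((dev.device_id, "inspection_overdue"))
    known = {dev.device_id for dev in inventory}
    issues += [(d, "not_in_inventory") for d in sorted(set(latest) - known)]
    return issues
```

Run daily against the central device list, the returned pairs double as the reminders and notifications that keep inspections from being forgotten.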
Organize training for onsite personnel
All staff should be trained in following established procedures for reviewing payment card readers. Criminals can gain physical access to an organization by posing as authorized maintenance personnel. To do this, they use a series of tricks, such as camouflage and fake acting, or they send new devices to a specific address with instructions on how to install and use them. Their purpose is to communicate with card reading devices or to use their own devices. Staff should therefore follow these rules:
- Do not allow software installation without verifying the identity of third-party personnel.
- Refuse to accept replacement or return of devices without confirming the identity of third-party personnel.
- Pay attention to suspicious behavior around devices and report it to authorized persons to prevent tampering and modification.
The most common problems encountered with PCI DSS POS device security requirements are planning and the amount of work. Organizations can forget to regularly review card reading devices and terminals and benefit from reminders and notifications.
The devices to be protected and monitored can be numerous and dispersed over a wide area. Monitoring activities will be easier if the organization has a central database and a dashboard to monitor every location and terminal in use.