Why Point-of-Sale Malware Isn’t Going Away – And What You Can Do About It

Many shoppers are now doing as much dipping of their credit and debit cards as they are swiping them.

This is thanks to the ongoing rollout of EMV, a global technical standard to which U.S. retailers began migrating about a year ago when liability for credit card fraud shifted from card issuers to the merchants themselves, unless their payment terminals are chip-enabled.

Unlike traditional cards, where data is encoded exclusively on the magnetic stripe, EMV cards also store the sensitive data on an embedded microprocessor chip, which generates a unique transaction code for each purchase for authentication, verification and authorization. Instead of swiping their credit and debit cards, shoppers dip - or insert - them into a terminal slot and wait for processing.

On the surface, this migration discourages purveyors of point-of-sale (POS) malware (as well as skimming software) from targeting chip-enabled terminals because it makes it harder for them to profit from what they steal. POS malware is designed to scrape and record credit card numbers and other data embedded on the magnetic stripe of cards - all information that can be used to create counterfeit cards. But it can't steal the chip.

So does that mean POS malware is retreating? Not yet. As the SpiderLabs team at Trustwave recently showed with its dissection of Carbanak - and considering the many other malware families that are still prominent - cybercriminals still think of POS malware as a viable and highly effective method to steal data that can be easily and quickly monetized. 


Why is that the case? For starters, deployment of EMV (which is sometimes called chip-and-PIN or chip-and-signature) in the United States is proving lengthy, especially for small and midsize retailers, so criminals still have ample time to create cloned cards and cash in at certain brick-and-mortar locations. EMV also isn't universal - nor may it ever be - so there will remain opportunities in other regions of the world as well, at least for the foreseeable future.

In addition, fraud will continue to migrate online, where purchases can be made without the need of a physical card. The U.K. saw online, or card-not-present, fraud soar dramatically after the introduction of EMV because no chip is required during purchase. And experts said a similar fate awaits the United States, where online fraud is predicted to more than double between 2015 and 2018.

Bottom line, merchants must continue to protect themselves against point-of-sale attacks, and EMV isn't going to entirely eradicate the threat. In addition to migrating to EMV-compatible terminals, follow these six recommendations to help you outsmart the burglars.

1) Test Your Terminals

You must evaluate POS systems for tampering and remotely exploitable vulnerabilities - such as weak passwords, poor network segmentation and out-of-date operating systems - that can be leveraged for malware infiltration. One way to find these weaknesses is through deep-dive penetration tests. If you don't have the skills to do this in-house, you can partner with a third-party expert.

2) Disable Remote Access and Employ Strong Passwords

A common way attackers hijack POS systems is with remote scanning and access tools, followed by the exploitation of easy-to-crack passwords. To combat this, you should limit or ban remote access, as well as strengthen passwords. Ideally use passphrases, which are longer but often easier to remember (e.g. MyD0gLikesPizza). Consider also deploying two-factor authentication to add an extra layer of security in case passwords are compromised.

3) Vet Your POS Providers

To get the most bang for their buck, intruders will often seek to compromise POS manufacturers or integrators to infect as many merchant locations as possible in a short period of time. You must continuously assess vendor risk and ensure these third-party providers have adopted and maintained the same security best practices as you have. This includes educating employees not to click on malicious links or attachments.

4) Rely on Preventive Technologies

Solutions such as web security gateways, data loss prevention, firewalls, intrusion prevention systems and endpoint protection can help identify attacks and close off ingress and egress points that can be misused. These technologies help you identify malware in real time, scan outgoing web traffic, block attacks, restrict access and ensure only explicitly permitted ports and services are communicating with your network.

5) Monitor for Abnormalities

Monitoring for and reviewing strange logins, file changes and network traffic can help you flag malware early. Again, if you don't have the staff and skillsets necessary to observe your firewall and router logs, you can work with a security partner.
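As an added illustration of the three things this recommendation says to watch (not code from the post or from Trustwave), here is a small Python script that runs the checks over constructed register logs; every hostname, IP, path and business-hours window in it is an assumed example value.

```python
# Added example (not from the post): toy anomaly checks over constructed POS logs.
# Looks for the three things the post lists: strange logins, file changes and
# unexpected network traffic. All hosts, IPs and paths are invented.
import re
from datetime import datetime

POS_HOSTS = {"pos-01", "pos-02"}          # hypothetical store registers
ADMIN_SOURCES = {"10.0.5.10"}             # only host allowed to log in to registers
STORE_HOURS = range(7, 22)                # 07:00-21:59; logins outside this are odd
ALLOWED_EGRESS = {"203.0.113.20:443"}     # payment processor endpoint (assumed)
POS_APP_DIR = "c:\\pos\\app\\"            # registers should not gain new binaries here

LOGIN_RE = re.compile(r"^(\S+ \S+) login host=(\S+) user=(\S+) src=(\S+)$")
FILE_RE = re.compile(r"^(\S+ \S+) filecreate host=(\S+) path=(\S+)$")
NET_RE = re.compile(r"^(\S+ \S+) conn host=(\S+) dst=(\S+)$")

def check_line(line):
    """Return an alert string for one log line, or None if it looks normal."""
    if m := LOGIN_RE.match(line):
        ts, host, user, src = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if host in POS_HOSTS and (src not in ADMIN_SOURCES or hour not in STORE_HOURS):
            return f"login: {user} on {host} from {src} at {ts}"
    elif m := FILE_RE.match(line):
        ts, host, path = m.groups()
        p = path.lower()
        if host in POS_HOSTS and p.startswith(POS_APP_DIR) and p.endswith((".exe", ".dll")):
            return f"file: new executable {path} on {host} at {ts}"
    elif m := NET_RE.match(line):
        ts, host, dst = m.groups()
        if host in POS_HOSTS and dst not in ALLOWED_EGRESS:
            return f"net: {host} -> {dst} at {ts} not on processor allowlist"
    return None

def scan(lines):
    """Run every line through the checks; the alert list is what a reviewer reads."""
    return [a for a in map(check_line, lines) if a]

SAMPLE_LOG = [  # constructed sample: one normal and one suspicious event per category
    "2016-03-01 09:15:02 login host=pos-01 user=svc_pos src=10.0.5.10",
    "2016-03-01 02:40:11 login host=pos-01 user=admin src=198.51.100.7",
    "2016-03-01 10:05:00 filecreate host=pos-02 path=C:\\POS\\app\\receipts\\r1.txt",
    "2016-03-01 02:41:30 filecreate host=pos-01 path=C:\\POS\\app\\update.exe",
    "2016-03-01 10:00:00 conn host=pos-02 dst=203.0.113.20:443",
    "2016-03-01 02:42:05 conn host=pos-01 dst=198.51.100.7:8080",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In practice the allowlists would come from your firewall and processor documentation, and the feeds from the register's event log, file integrity monitoring and firewall logs rather than a list in the script.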

6) Protect the Data Itself

Attackers won't have any credit card data to steal if you can instantly make the information unreadable upon collection. Technologies like end-to-end encryption and tokenization make it difficult for attackers to use memory scrapers - a popular type of POS malware - to steal data being processed inside payment terminals and sent over the network.
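To make the tokenization half of this concrete, here is an added Python sketch (not the post's or any vendor's implementation) of a token vault: the provider keeps the real card number, the merchant's systems only ever hold a random token that keeps the last four digits, so a memory scraper on the register finds nothing it can turn into a counterfeit card. The card number used is a well-known public test number and the in-memory dict stands in for the provider's vault.

```python
# Added example (not from the post): a toy tokenization vault showing why a memory
# scraper on a register that only ever sees tokens gets nothing usable.
# The PAN is a public test number; the vault is an in-memory dict for illustration.
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn check used by card numbers; a token is deliberately built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Maps a PAN to a random token that keeps only the last four digits.
    The vault lives with the payment provider; the merchant stores and
    processes the token only, so a scraped token cannot clone a card."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:   # same card always maps to the same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that passes Luhn or collides, so it can never be
            # mistaken for a live card number or point at two cards.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can reverse a token; the merchant never calls this."""
        return self._pan_by_token[token]

def mask(token: str) -> str:
    """What a receipt or back-office screen should show."""
    return "*" * (len(token) - 4) + token[-4:]
```

Real schemes also protect the card data between the terminal and the tokenization service (the end-to-end encryption the post mentions); this sketch only shows what the merchant side is left holding.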

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
