
FastPOS Malware Updating Itself In Time For Christmas Shopping

By ISBuzz Team | October 11, 2016 | Updated: December 4, 2024

Following the news that a smash-and-grab malware gang has updated its FastPOS point-of-sale hack app to plunder credit cards more efficiently ahead of the festive season, IT security experts commented below.

Smrithi Konanur, Global Product Manager, Payments, Web And Mobile at HPE Security-Data Security:

“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Any businesses using POS systems can avoid the impact of these types of advanced attacks. Payment strategies like Point-to-Point Encryption are the best data-centric solutions to prevent such security breaches that target data in transit. Point-to-Point Encryption solutions that are implemented using proven methods, such as Format-Preserving Encryption, are available to neutralize data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.

The good news is that savvy merchants are implementing Format-Preserving Encryption, giving the malware nothing to steal, which also has a dramatic cost-reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”

Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:

“Just like any other software, malware can be updated to allow it to perform better, make it stealthier, and increase infection rates. Remember, hackers are just as smart as anyone else. When they feel something needs to be improved, they’re quite capable of performing that operation. That’s why there are so many variants of malware.

Retailers must be forced to keep their POS terminals updated and protected. Requirements like PCI-DSS have improved cardholder data security, but they have not solved the problem when retailers are negligent by using older or unprotected terminals. Many call for governments to better regulate the industry. However, this is a global problem that spans every country. There is no single authority to institute regulation.

Today, nearly all POS devices have IP addresses and are connected to networks just like any other device. The best method of detecting questionable activity is to monitor the data that is “leaving” a POS terminal. If organizations do not monitor each and every POS device, they are helping to contribute to the problem. Detecting the command and control, as well as the data exfiltration path, will reduce the time from measure to counter-measure.

Today, everyone that uses a POS terminal for purchases is at risk. Users must continuously monitor their accounts for any suspicious activity. For example, the plastic credit/debit card technology widely in use today was developed more than a half century ago. Customers must begin to demand something better. At the end of the day, consumers eventually pay for the fraud and theft through increased fees, interest rates, and the like.”

Jamie Moles, Security Consultant at Lastline:

“Point-of-sale malware and its promotion during or just before holiday seasons pose a particular problem for the retail industry as this is traditionally the busiest time of year when shops and online businesses make most of their revenue. One particular aspect of Operations Support for retailers that can contribute to the risk of this time of year is what’s known as the ‘change freeze’ window. A change freeze is a period of time during which changes/updates/upgrades on business critical IT systems are forbidden in case a bad change causes an outage that prevents the company taking or completing orders – something that would be a disaster when you have customers demanding you take their money!

Hackers and Malware authors are aware of this and will likely hold back releasing their latest code until mid-November by which time most change windows are fully active and system updates cannot be implemented easily to cope with the new malware strains.

Most appliance-based solutions require you to take the system offline to update – something that requires planning, scheduling and a full back-out plan if it fails – which is of course forbidden during change freezes. It’s much better for retail organisations to select a Breach Detection solution that updates automatically over the wire without any need for device reboots or downtime.

For consumers the usual advice applies – protect your payment data by not exposing your PIN when using your cards and avoid retailers who have been shown to have scant regard for your security, because once your payment data is in their systems you are effectively reliant on them to protect your bank account.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
