Fast POS Smash & Grab Malware

Researchers have reported on smash and grab malware has been updated as a “FastPoS” point of sales hack app designed to steal credit card information more efficiently ahead of the holiday shopping, travel and entertainment season. Smrithi Konanur, global product manager, payments, web and mobile for HPE Security-Data Security commented below how retailers and all businesses can avoid a serious customer data breach.

Smrithi Konanur, Global Product Manager, Payments, Web and Mobile at HPE Security-Data Security:

“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Any businesses using POS systems can avoid the impact of these types of advanced attacks. Payment strategies like Point-to-Point Encryption are the best data-centric solutions to prevent such security breaches that target data in transit. Point-to-Point Encryption solutions that are implemented using proven methods, such as Format-Preserving Encryption are available to neutralize data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.

The good news is that savvy merchants are implementing Format-Preserving Encryption, giving the malware nothing to steal, which also has a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”