How Point of Sale Breaches Happen

In recent weeks, the security news has been dominated by announcements of data breaches resulting from Point of Sale (PoS) malware present on payment processing terminals. All 350 North American Eddie Bauer retail locations and 20 properties managed by HEI Hotels were affected, while 3.7 million customer payment cards were compromised at cafes located in Banner Health facilities. Understanding how PoS malware campaigns work, and the specific information attackers target, educates consumers about the danger that might be lurking on card readers at their local retailer. Increased awareness and adoption of secure payment solutions will improve overall security and reduce the costs and headaches attendant to fraud.

Payment card information has always been a tempting target for cyber criminals. Depending on the specific type of card data obtained, attackers can use the cards to make purchases online, clone the cards for use at physical retail locations, or sell the information in “carder” forums. CVV2 data includes a card number, expiration date and the three-digit security code required for internet shopping. Track 2 data is more complete: it contains the information stored in the card’s magnetic stripe, allowing attackers to create a replica card. So-called “fullz” refer to a combination of the above card information and personal identifiers such as the name, DOB or Social Security number of the card owner. CVV2 data fetches a few cents per record on carder forums, while the price for fullz can range from $70-$130 depending on where the card was issued.

Point of Sale malware campaigns are one of the most prevalent methods of obtaining consumer payment card information. Bitsight researchers examined a sample of 375 breaches from 2015-2016 in which payment cards were compromised and found that 28.5% of cases resulted from PoS malware, second only to web application compromise at 40%. Payment card skimmers and employee privilege abuse virtually tied for a distant third place at under 10%.

[Figure: pos_breach_analysis.png, breakdown of breach causes in the Bitsight sample]

So how does a Point of Sale malware campaign work? An attacker either develops or acquires specific malware that targets card information being stored in an unencrypted format on a PoS terminal (many of which run Windows). They then load the malware onto payment processing devices by exploiting weak security measures such as default passwords on machines or vulnerabilities in a company’s corporate network. The malware then collects payment card information as transactions occur, before transmitting it in bulk back to the attacker. For a more detailed report on PoS attack vectors, see the Symantec white paper on the subject.
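The malware described above succeeds only because Track 2 records and card numbers sit on the terminal in cleartext. The following added example (not code from the original post or from Bitsight) is the defender's counterpart: a scanner that a retailer or PoS provider can run over terminal logs or disk images to find such cleartext card data before an attacker does, using the ISO/IEC 7813 Track 2 layout and a Luhn check to separate real PANs from look-alike order numbers. The sample dump is constructed for the example.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YY MM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")
# Bare PAN candidate: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out invoice/order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_card_data(text: str) -> list:
    """Return masked findings for Track 2 records and bare PANs stored unencrypted."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"type": "track2", "pan": mask_pan(pan),
                             "expiry": m.group(2) + "/" + m.group(3), "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                        # already reported as part of a Track 2 record
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            findings.append({"type": "pan", "pan": mask_pan(pan), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample of what an unencrypted terminal log or memory dump might contain.
SAMPLE_DUMP = (
    "2016-08-15 12:01:03 txn=8812 status=approved\n"
    ";4111111111111111=2012101123456789?\n"                        # full Track 2 record
    "2016-08-15 12:01:07 order 5500-0000-0000-0004 total=42.17\n"  # bare PAN
    "2016-08-15 12:01:09 invoice 1234567890123456 shipped\n"       # fails Luhn: not a card
)

if __name__ == "__main__":
    for finding in find_cleartext_card_data(SAMPLE_DUMP):
        print(finding)
```

Any hit on a production terminal means card data is reachable by exactly the kind of malware discussed here; the fix is end-to-end encryption at the reader, not a better scanner.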

Perhaps the most frustrating (and potentially unsurprising) news for consumers will be that solutions for this type of attack have existed for quite some time. EMV (Europay, Mastercard and Visa) chip-enabled cards have been in use since the 1990s in Europe and are slowly being adopted in the US. Although not a panacea, EMV cards generate one-time transaction codes and can be used in conjunction with a customer PIN or signature to significantly increase security. Some in the industry say that EMV is not secure enough and believe that payment cards should be phased out entirely in favor of mobile payment methods such as Apple Pay. Payment processing solutions with end-to-end encryption offer another potential boon for retailers who wish to avoid seeing their company’s name and logo in the latest PoS data breach headline.

Do You Rely on PoS Providers?

Many businesses now rely on Point of Sale providers to capture payment information. Today, nearly all restaurants, hotels, retailers, and other businesses have outsourced this technology because providers offer a relatively seamless experience for their customers. With PoS malware evolving rapidly, these providers are always at high risk of being compromised. Accordingly, many businesses must now treat their PoS provider as a critical third party.

As with all critical third parties, point-in-time assessments (such as audits, questionnaires, penetration tests, and more) only provide a snapshot of true security posture. Businesses that rely on PoS providers should move towards continuously monitoring their performance in order to mitigate any risk flowing up to their own organization.