Point of Sale Malware Prevention for Physical and E-Commerce Retailers
The 2016 holiday season saw a surge in POS malware attacks despite a number of preventative measures put in place in 2016, including the EMV chip standard enacted in late 2015. The standard creates a ‘stick’ for businesses that accept card-present credit card transactions: they must transition to EMV compliant machines, or else the liability for fraudulent transactions lies with the business itself rather than with the credit card issuer.
This creates a strong financial incentive for many businesses to convert, but several holes in the requirement still leave POS endpoints an enticing entry point for placing malware:
- EMV Compliance is not a requirement for businesses. This means that there are still many businesses out there who have not or will not convert to EMV Compliance. According to Software Advice, only 22% of small business retailers were prepared to do so by the deadline. That means using the magnetic stripe on your credit card at these establishments exposes you to a higher risk of credit fraud.
- EMV Compliance is expensive. Businesses must purchase the new readers and they can be costly. Be especially wary of using credit cards at merchants who deal in small transaction sizes and do not deem the ROI on EMV to be worth it.
- EMV Compliance is only for ‘card-present’ transactions. This means that online and other card-not-present transactions are still processed through the traditional, vulnerable channels. Typically, these channels are hacked relentlessly once EMV compliance is enacted: in 2005 the UK experienced a surge in online fraud, and in the U.S. we expect the same, as online fraud is predicted to more than double between 2015 and 2018 according to Aite Group.
- You may not have an EMV Compliant card. According to ACI Worldwide, 59% of consumers did not have an EMV compliant card at the end of 2015. Without an EMV compliant card, an individual is still vulnerable to the exploits of magnetic stripe processing.
- Gas stations have a two-year extension on EMV Compliance. Gas stations are a common point of attack for placing skimmers which capture credit card data when it is inserted in the slot.
For our retail clients accepting ‘card-present’ transactions, we recommend migrating to EMV compliant terminals immediately. Even for smaller retailers, we believe the potential cost to brand, reputation and operations far exceeds the cost of implementing an EMV compliant POS system. Our other recommendations include:
- Deploy a next generation endpoint protection agent that is capable of detecting malware on POS terminals. Common endpoint protection technologies are not able to determine context or intent of malicious executables. This can allow attackers to use an infected endpoint as a pivot to install malware such as BlackPOS on a settlement server to mine credit card data. There are few endpoint solutions on the market that can actually do this; perform due diligence and engage an expert advisor to make the right selection.
- Focus on terminal protection. A few simple steps harden your organization’s terminals and minimize the possibility of a breach: ensure POS system passwords are not default passwords, are strong and are backed by two factor authentication; patch terminals with the latest updates and OS versions; disable remote access; and enact network segmentation to create a barrier between the cardholder data environment (CDE) and the corporate network.
- Interrogate your POS providers. The POS system your organization uses is the first point of strength or vulnerability against hacking. Many cybercriminals will compromise the source code of POS system manufacturers or integrators in order to effectively scale their credit card fraud operation without having to compromise each retailer individually. Validating the security practices at your POS provider and questioning them about any potential security breaches during development is key in protecting your organization from becoming a headline.
- Maintain strong network security practices and monitor your log files. Leverage the tools out there to create a strong perimeter around your network, including firewalls, intrusion detection systems/intrusion prevention systems, user behavior analytics and secure web gateways for your user population. In addition, monitoring log files is crucial for catching abnormal connections or log-in attempts. A security information and event management (SIEM) tool is a great way to monitor and correlate your log files. A managed security services provider (MSSP) can take care of all of these functions for you if you lack the expertise or time to perform them in-house.
- Protect data in transit. Many technologies protect card data in transit, such as tokenization or end to end encryption. This makes it harder for attackers to mine credit card data from memory, as the data they find will be unrecognizable.
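The log monitoring recommended above can be made concrete with simple correlation rules. The following is an added example written for this article, not a vendor's or the author's code: it runs three checks over constructed firewall and POS authentication log lines, flagging CDE hosts that connect to destinations outside an allow-list (a segmentation breach), repeated failed log-ins against a terminal, and successful log-ins to a terminal from outside the CDE (remote access that should be disabled). The subnet, allow-list, log formats and hostnames are all assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

CDE_NET = ip_network("10.20.0.0/24")            # assumed cardholder data environment subnet
ALLOWED_DESTS = {ip_network("10.20.0.5/32")}    # assumed settlement server reachable from the CDE
FAILED_LOGIN_THRESHOLD = 3                      # assumed: alert on the third failure from one source

# Assumed log formats (constructed for this example).
FW_RE = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=ALLOW$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) POS host=(?P<host>\S+) user=(?P<user>\S+) login=(?P<result>OK|FAIL) from=(?P<src>[\d.]+)$")

def detect(lines):
    """Return a list of alert tuples in the order the triggering lines were seen."""
    alerts = []
    failures = Counter()  # (terminal, source ip) -> failed log-in count
    for line in lines:
        m = FW_RE.match(line)
        if m:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
            # A CDE host talking to anything but the allow-listed settlement server breaks segmentation.
            if src in CDE_NET and not any(dst in net for net in ALLOWED_DESTS):
                alerts.append(("cde_egress", str(src), str(dst), m["dport"]))
            continue
        m = AUTH_RE.match(line)
        if m:
            key = (m["host"], m["src"])
            if m["result"] == "FAIL":
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("brute_force", m["host"], m["src"], m["user"]))
            elif ip_address(m["src"]) not in CDE_NET:
                # Terminals should not accept remote log-ins from outside the CDE at all.
                alerts.append(("remote_login", m["host"], m["src"], m["user"]))
    return alerts

# Constructed sample log lines: one normal settlement connection, one unexpected outbound
# connection, three failed admin log-ins followed by a success from the corporate network.
SAMPLE_LOGS = [
    "2016-12-20T02:10:01Z FW src=10.20.0.11 dst=10.20.0.5 dport=443 action=ALLOW",
    "2016-12-20T02:10:05Z FW src=10.20.0.11 dst=198.51.100.7 dport=21 action=ALLOW",
    "2016-12-20T02:11:00Z POS host=reg-03 user=admin login=FAIL from=10.50.1.9",
    "2016-12-20T02:11:04Z POS host=reg-03 user=admin login=FAIL from=10.50.1.9",
    "2016-12-20T02:11:09Z POS host=reg-03 user=admin login=FAIL from=10.50.1.9",
    "2016-12-20T02:11:15Z POS host=reg-03 user=admin login=OK from=10.50.1.9",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

In a real deployment these rules would be expressed in the SIEM's own correlation language and fed by forwarded logs; the allow-list should be derived from the documented CDE data flows.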
For our retail clients additionally engaged in e-commerce transactions, be aware that EMV compliance makes your operations an especially ripe target. In addition to the general precautions above, we recommend the following specific protections to our online retail clients:
DDoS prevention – Retail sites are a notorious target for hackers looking to flood a site and bring its performance to a halt. Though there is not a financial incentive for this type of attack, it remains common with a number of tools and techniques available to prevent this.
Social engineering – Your employees are susceptible to receiving malicious attachments loaded with POS-focused macros via email. Believing these come from a trusted source, end users can easily be fooled into allowing them to execute. This can infect corporate networks and compromise POS terminals. Ensure your employees are well trained to spot phishing and spear phishing emails, do not divulge compromising corporate information on social media sites and do not open attachments from untrusted or unvalidated sources. There are several commercially available tools that can filter potentially malicious content arriving via email before an employee is exposed to it.
The nature of the e-commerce business makes it especially vulnerable to successful phishing or spear phishing campaigns – sales, fulfillment and contact centers are typically distributed which makes impersonating other employees, vendors or business partners easier to believe.
XSS (Cross Site Scripting) Attacks – When users visit your retail e-commerce site, attackers can use cross site scripting to trick an end user’s browser into running malicious code. The browser has no way of knowing the script is not to be trusted, so it executes the script and allows it to access cookies, session tokens and other sensitive data retained by the browser. Untrusted data must be handled very carefully wherever it is placed in the context of HTML code to avoid this type of attack.
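The last sentence above is the heart of XSS defence: untrusted data must be encoded for the exact HTML context it lands in. The following is an added example, not code from the article or any product, written for a server that renders product listings; it shows the raw concatenation that makes a page vulnerable beside a hardened version that encodes text, attribute and link-target contexts separately. The function names, the product card markup and the sample inputs are all assumptions.

```python
from html import escape
from urllib.parse import urlsplit

def render_text(value):
    """Untrusted data placed between tags: encode &, <, >, and quotes so it stays text."""
    return escape(str(value), quote=True)

def render_attr(name, value):
    """Untrusted data inside an attribute: always quote the value and encode quotes within it."""
    return f'{name}="{escape(str(value), quote=True)}"'

def render_href(value):
    """Untrusted data used as a link target: allow http(s) URLs and site-relative paths only.
    Anything else (javascript:, data:, protocol-relative //host) falls back to a harmless anchor."""
    raw = str(value).strip()
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    relative = scheme == "" and parts.netloc == "" and raw.startswith("/")
    if scheme in ("http", "https") or relative:
        return render_attr("href", raw)
    return 'href="#"'

def product_card_unsafe(name, url):
    # The 'before' form: values dropped straight into markup, so a crafted name or URL becomes code.
    return f'<a href="{url}">{name}</a>'

def product_card(name, url):
    # The hardened form: each value encoded for the context it is inserted into.
    return f'<a {render_href(url)}>{render_text(name)}</a>'

if __name__ == "__main__":
    # Constructed sample inputs, e.g. a product name and link taken from an untrusted feed.
    hostile_name = "<script>steal()</script>"
    hostile_url = "javascript:void(0)"
    print(product_card_unsafe(hostile_name, hostile_url))  # script and javascript: URL survive intact
    print(product_card(hostile_name, hostile_url))         # both neutralised
```

Escaping is context specific: the same value needs different handling again if it is placed inside a script block or a CSS property, so a templating engine with automatic contextual escaping is preferable to hand-written helpers in production.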
Mind your mobile apps – Applications are a great way to connect with your customers, providing them with convenience, frequent interactions with your brand and, of course, revenue opportunities for your company. However, if not designed and secured correctly they can open a host of issues damaging to your brand reputation. Ensure exported services are secured with strong permissions, that SSL communications verify server certificates and use a valid hostname verifier, and that strong transport layer protection is enacted so calls back to the server are difficult to sniff or intercept.
Consider a SIEM solution – Becoming familiar with network patterns and anomalous user behavior, so that you know what ‘normal’ behavior looks like, is key to preventing attacks. Such tools should require minimal oversight and generate few false positives.
To thine own self be true – According to Tripwire, while 90 percent of those asked said they could detect a critical data breach in less than a week and 75 percent said they could do it in just 48 hours, only 55 percent of IT pros at firms with more than $100 million in revenue said they checked security compliance “at least weekly.” It is critical to know the limitations of your own team with regards to monitoring your security posture. If your internal team is stretched too thin to monitor on a consistent basis, consider obtaining external expert resources.
For retailers there is a plethora of risks in accepting credit card transactions. While new compliance regulations close up several loopholes, others continue to be exploited by the day. Armed with the right information and security know-how, both brick and mortar and online retailers can stay one step ahead of POS malware and keep it from infecting their organizations.