Introducing point of sale malware

Point of sale (PoS) systems are the payment devices that you can find at almost any store. Depending on their level of sophistication, they allow you to swipe a credit card, insert a chip-based card or tap a card or mobile device in order to make a payment.

In order to verify a payment’s legitimacy, these devices need to be able to both read the payment information of the card and to connect to the corresponding financial institution via the internet.

Wherever you have internet-connected devices with access to valuable data (like payment card information), you probably have cybercriminals. Point of sale malware is designed to reside on a PoS terminal, steal the information of the payment cards used on that terminal and transmit that data to a cybercriminal via the internet.


How point of sale malware works

Like any other type of malware, a point of sale malware infection begins by gaining a foothold on the target device. This can be accomplished in a variety of different ways. Many PoS terminals are old systems, which can have known, unpatched vulnerabilities or be using default credentials. A failure to properly isolate PoS systems from partner networks or the organization’s own internal network can also give an attacker an entry point and access to the PoS systems.

Once installed and executing on the target devices, point of sale malware operates as a very simple RAM scanner. While payment card information is protected with end-to-end encryption while in transit, it is present unencrypted in RAM on the PoS terminal. Point of sale malware searches for data that matches the Track 1 or Track 2 formats that are used in the magnetic strips on payment cards. Any collected data is then exfiltrated to the cybercriminal via the internet.

One limitation of point of sale malware is that it only collects information that is useful for creating cloned cards for physical sales. The CVV2 code used for online purchases is not included on the magnetic strip. This limits the utility of the data stolen by the PoS malware and causes it to fetch a lower price on the black market.

The Target breach

Point of sale malware is a perennial problem since it targets devices that are often older and receive less security attention than “traditional” targets. As a result, many different retailers have been targeted and successfully exploited by point of sale malware. However, the most famous incident of a point of sale malware attack is probably the Target breach that began in November 2013.

The Target breach was relatively short, stretching from November 15th to December 15th of 2013. Between November 15th and 28th, the cybercriminals ran a field test of their malware, uploading it on a small number of Target cash registers. By the end of the month, most of Target’s machines were compromised, and the cybercriminals were able to steal the credit and debit card information of about 40 million Target customers.

The Target breach was enabled by a couple of different security mistakes made by Target. The first was a failure to secure their supply chain. Target had provided an HVAC vendor with access to their network, and this vendor was attacked and their credentials used to compromise Target’s PoS terminals.

The other failing was that Target did not isolate their payment network from the rest of their internal network. The HVAC vendor whose credentials were stolen had no need to access Target’s point of sale terminals, and, if these devices had been properly isolated on their own private network segment, then the Target breach would not have been possible (or at least not as widespread). 

Protecting against point of sale malware

Point of sale malware is often installed on a device due to poor security controls. For example, a device may be connected to a business network, include unpatched vulnerabilities or use credentials. Fixing these vulnerabilities is an important step in protecting against point of sale malware.

However, these are not the only ways to protect against this type of attack. Options include implementing process whitelisting, code signing, IP/domain whitelisting and the use of chip cards.

Process whitelisting

One approach that retailers can take to protect their machines from point of sale malware attacks is process whitelisting. Unlike many machines, PoS terminals have a very limited set of “normal” operations and of processes that legitimately have a reason to be running on the device. Implementing process whitelisting ensures that no unauthorized/malicious programs can be executing on the machine without detection.

Code signing

A similar approach to fighting point of sale malware is code signing. This approach is used to great effect in the macOS ecosystem, where only executables signed by an Apple-issued key are allowed to run on a non-jailbroken device. Point of sale terminals can implement code signing and only allow company-signed processes to run on the device.

IP/domain whitelisting

In order to do their jobs, point of sale terminals need to have the ability to send payment information over the Internet for verification. However, the set of domains and IP addresses that this information should be sent to is rather limited. By implementing IP/domain whitelisting at the network firewall, an organization can block malicious traffic attempting to install PoS malware on a device or exfiltrate stolen data from it.

Chip cards

The impetus for the transition from using magnetic strips on cards to chip and PIN is designed to improve the security of payment systems. The information contained on magnetic strips is unchanging, meaning that it can be stolen by PoS malware and reused for future thefts. A card with a chip sends a unique transaction every time, so attempts to steal and reuse card data can be detected and blocked.

 

Sources

  1. What is point-of-sale (POS) malware? How it works and how to protect your POS system, Digital Guardian
  2. PoS (point-of-sale) malware, Trend Micro
  3. Target Hackers Broke in Via HVAC Company, Krebs on Security