What Is Point-Of-Sale (POS) Malware and How to Protect Yourself Against It
You have probably heard of the dark web. It's the rough end of the internet where criminals buy and sell anything from child abuse materials to guns and drugs. Truth be told, the activity does tend to be exaggerated, and some of the headlines you read in mass media can be a bit sensationalistic. Even so, there's no getting away from the fact that the dark web is full of criminals willing to spend some crypto coins on things that don't belong to them.
Stolen bank card details appear to be particularly popular with crooks, which is hardly surprising: with that sort of data in hand, they can clone a credit or a debit card, withdraw money from the closest ATM, or indulge themselves in a spot of shopping. Thousands of card numbers, cardholder names, expiration dates, and CVVs are traded every day. But how do the criminals get their hands on all that information?
Every now and again, we see a phishing campaign that manages to fool some less experienced users into divulging the details themselves. Data breaches can also result in financial data exposure. Many of the cards that end up on the underground marketplaces, however, are compromised while the victims are using them – either at an ATM or at a Point-Of-Sale (POS) terminal.
Today, we're going to focus on POS terminals. We'll take a look at what you need to know about POS malware, how it has evolved, and what merchants and financial institutions do to prevent successful attacks.
How does POS malware work?
A POS terminal is, for all intents and purposes, a regular computer with a bank card reader attached to it. Most of the POS terminals you encounter every day run on Windows and are connected to the internet. In the early days, the crooks would try to intercept the card details while they were being transmitted over the wire, but the introduction of end-to-end encryption put an abrupt end to that. Suddenly, cybercriminals had to find a new way to pilfer bank card information. Unfortunately, they found one quite quickly.
Processing a payment involves reading your card's details through the card reader and using specialized software to ensure that the card is valid and the transaction is authorized. If everything is alright, the merchant gets the money from your bank, and you get a statement which tells you how much you've spent. There are minor differences between credit and debit cards, but in simple terms, this is what happens when you're buying things through a POS terminal.
A lot of sensitive data is involved, and there are compliance rules in place that dictate how it should be handled. The POS terminal reads the card's number, the cardholder's name, and the expiration date from the magnetic stripe on the back of your card. The rules say that these details must be stored and transmitted in an encrypted state, but in order to complete the authorization process, the POS terminal must decrypt them for a very short period of time while they are in its RAM. This is when POS malware strikes.
It scrapes the plaintext card details from the POS device's Random-Access Memory and sends them to the crooks. That's why malicious programs of this sort are known as RAM scrapers.
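The window the paragraph above describes, plaintext track data sitting briefly in process memory, is also what defenders and PCI assessors look for when they scan a memory dump or a capture of outbound traffic from a terminal. The scanner below is an added example written for this article, not code from the original post or from any POS vendor. It searches a byte buffer for magnetic-stripe track-2 records and for bare card numbers, validates candidates with the Luhn checksum so that ordinary order and reference numbers are not reported, and masks every number it reports. The buffer contents, the byte offsets, and the card numbers (which are the widely published test numbers 4111111111111111 and 5555555555554444) are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample: what a slice of a POS process memory dump or an outbound
# capture might look like while a card is being authorized. The track-2 record
# is the plaintext form a RAM scraper harvests; the other numbers are noise.
SAMPLE_BUFFER = (
    b"POS app v2.3 idle\r\n"                          # 19 bytes incl. CRLF
    b";4111111111111111=29121011000012345678?\r\n"   # track-2 record at offset 19
    b"order 1234 total 45.99\r\n"                     # too short to be a PAN
    b"ref 1234567812345678\r\n"                       # 16 digits, fails Luhn
    b"memo 5555555555554444\r\n"                      # bare PAN, passes Luhn
)

# Track 2 as stored on the stripe: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")
# A bare card number: 13-19 digits not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_exposed_card_data(buf: bytes) -> List[Dict]:
    """Scan a buffer for plaintext track-2 records and bare PANs.

    Returns one finding per Luhn-valid number, ordered by offset, with the
    PAN masked so the scanner's own output never becomes another leak.
    """
    findings = []
    seen_pan_offsets = set()

    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            seen_pan_offsets.add(m.start(1))
            findings.append({
                "kind": "track2",
                "pan": mask_pan(pan),
                "expiry": m.group(2).decode(),   # YYMM as encoded on the stripe
                "offset": m.start(1),
            })

    for m in PAN_RE.finditer(buf):
        if m.start(1) in seen_pan_offsets:       # already reported as track 2
            continue
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({
                "kind": "pan",
                "pan": mask_pan(pan),
                "expiry": None,
                "offset": m.start(1),
            })

    findings.sort(key=lambda f: f["offset"])
    return findings


if __name__ == "__main__":
    for f in find_exposed_card_data(SAMPLE_BUFFER):
        print(f"{f['kind']:6} at offset {f['offset']:5}: {f['pan']} exp={f['expiry']}")
```

Run against the constructed buffer it reports the track-2 record and the bare Mastercard number and ignores the order total and the reference number that happens to be 16 digits long. In practice the same logic is applied to memory snapshots of the payment application and to egress captures; a hit in an egress capture is the exfiltration the article describes, and a hit in memory outside the authorization window is a sign the application is retaining data it should have wiped.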
The advantages of POS malware over ATM skimmers
From a cybercriminal's perspective, a POS malware attack has a number of advantages over putting a skimmer on an ATM. The first one is obvious – installing a skimming device on a teller machine requires physical access, which, considering the heavy video surveillance usually found around ATMs, is not what the crooks want. What's more, even the more modern skimmers can't send data remotely, which means that after they rig the ATM, the criminals must return in order to retrieve the skimmed card details.
By contrast, compromising a POS terminal and installing malware on it might not be as hard as you think. As we mentioned already, in essence, we're talking about a Windows computer that is connected to the internet. This sort of setup, many people can testify, is not ideal from a security standpoint.
Often, employees use POS systems to do things like checking emails and browsing the internet when they're not processing payments, which automatically opens the door for phishing and drive-by download attacks. Even if that's not the case, the local network the POS devices sit on might not be especially secure.
Far too many POS terminals run old versions of Windows and come with a wide variety of security vulnerabilities that hackers can exploit. Poor network configurations and default passwords are not uncommon, either, and of course, there's always the threat of a malicious insider.
POS malware: Evolution and protection
Regulators and financial institutions have been trying to mitigate the risks of POS malware, but sadly, their efforts haven't been especially fruitful. Forcing all the communication through an encrypted channel clearly didn't solve the problem completely, and neither did, by the looks of things, the push to migrate to chip-and-PIN cards. The security of bank cards that rely on a magnetic stripe alone has been questionable at best for a while now, and POS malware has been taking advantage of the shortcomings of this particular type of data storage.
The newer chip-and-PIN cards were thought to be immune to POS malware, but attacks discovered last year suggest that this is no longer the case. Fortunately, as of the time of writing, there are no recorded POS malware attacks that have compromised contactless cards, though this type of technology does come with its own set of security challenges.
Sadly, you, as a person who uses a bank card, can do little to protect yourself. There are no obvious indicators to tell you that a POS terminal is infected with malware. The security of the POS system is the merchant's responsibility, and unfortunately, the recently discovered malware attack that affected more than 100 restaurants and compromised in excess of 2 million cards shows that not everyone is doing a very good job.
Banks in most countries will reimburse fraudulent transactions, but in reality, proving that you didn't authorize a particular payment can be a hassle. Keeping a close eye on your bank statement and informing your bank whenever you see something suspicious is the best way to ensure that if your card details do fall into the wrong hands, you will find a relatively quick way out of the mess.