In the past, attackers seeking cardholder data have most often gone after individual merchants. Recent attacks on point-of-sale (POS) vendors, however, may signal a drastic shift in how these cybercriminals operate, and certainly signal a need for application security for mobile payments.
More than ten POS vendors, including MICROS, have been compromised within the last few weeks. Some of these attacks may be linked to two specific malware families, Carbanak and MalumPOS, but no definitive link between the operators of those programs and the recent attacks has been established.
The damage these attacks can cause is best exemplified by HEI Hotels & Resorts. It recently reported a POS-related breach at 20 of the properties it manages, which operate under major brands such as Marriott and Sheraton. Card numbers, cardholder names, expiration dates and verification codes used between March 2015 and June 2016 may all have been exposed.
As these breaches indicate, past cyberattacks have mostly been directed at merchants. Mobile devices, however, have advanced to the point where paying with a phone at the POS is commonplace, and mobile payments are simply another avenue through which attackers try to reach sensitive data. Attackers are not merely switching to a new target; they are probing multiple points of vulnerability at once, mobile payments included. It is not enough to protect the merchant: security must now cover the entire infrastructure supporting merchants, POS systems and mobile devices.
Near Field Communication (NFC) has been gaining traction as device manufacturers introduce their own payment solutions. Traditional NFC payment applications store their credentials in a secure element (SE), a tamper-resistant chip on the device that the application cannot read directly. Host Card Emulation (HCE) is an easier-to-deploy alternative that needs no physical secure element: the NFC controller routes the transaction to an ordinary application running on the host operating system, and the credentials are kept somewhere other than the SE, typically provisioned from the cloud and held in software. With the benefits of HCE come security risks such as identity theft, fraud and loss of privacy. Because the credentials and the code that handles them now live in the application's own memory rather than in a hardware-isolated chip, an attacker who can reverse engineer the app can recover keys or tamper with the code that transmits or processes them, unless those risks are addressed.
Anyone shipping an HCE payment app needs to take security to the next level with application hardening that protects the app and the device it runs on: integrity protection, code (application) obfuscation, white-box cryptography, jailbreak and root detection, and anti-debug protection.
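Two of the hardening measures just listed, integrity protection and anti-debug protection, can be shown in a few lines of C. The following is an added example written for this article; it is not code from the original page or from whiteCryption. It assumes Linux (the tracer check reads /proc/self/status), uses a constructed 16-byte table (kProtected) standing in for the secret-dependent data a payment app would guard, and uses FNV-1a as the checksum purely to stay self-contained; the names fnv1a64, region_intact, tracer_attached and hardening_gate are all invented here.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data: stands in for what a hardened HCE app protects,
 * e.g. white-box lookup tables or a limited-use key. A real check would
 * cover the code pages that handle the keys as well, not only the data. */
static const uint8_t kProtected[16] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
};

/* FNV-1a 64-bit over a byte region. Deterministic and unkeyed, so it only
 * detects accidental or naive modification; a shipping build would use a
 * keyed MAC or a signature so that patching the region also means forging
 * the tag. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;       /* FNV offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;                  /* FNV prime */
    }
    return h;
}

/* Integrity check: 1 if the region still hashes to the expected value. */
int region_intact(const uint8_t *p, size_t n, uint64_t expected) {
    return fnv1a64(p, n) == expected;
}

/* Anti-debug check: on Linux the kernel reports the pid of an attached
 * ptrace tracer (gdb, strace, Frida's injector) in /proc/self/status.
 * Returns 1 if a tracer is attached, 0 if not, -1 if the file is unavailable. */
int tracer_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int attached = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            attached = atoi(line + 10) != 0;    /* atoi skips the tab */
            break;
        }
    }
    fclose(f);
    return attached;
}

/* Gate in front of a sensitive operation (e.g. deriving a transaction
 * cryptogram): 1 = proceed, 0 = refuse. Both checks must pass. */
int hardening_gate(const uint8_t *region, size_t n, uint64_t expected) {
    if (tracer_attached() == 1) return 0;
    if (!region_intact(region, n, expected)) return 0;
    return 1;
}

/* Demonstration of the integrity path. The expected value is computed from
 * the pristine table; in a real build it is baked in at build time rather
 * than computed at runtime, otherwise a tamperer just lets it recompute.
 * A working copy is patched by one bit and the check must then fail.
 * Returns 1 if the check behaved correctly in both cases. */
int demo_tamper_detected(void) {
    uint64_t expected = fnv1a64(kProtected, sizeof kProtected);
    uint8_t copy[sizeof kProtected];
    memcpy(copy, kProtected, sizeof copy);
    if (!region_intact(copy, sizeof copy, expected)) return 0;  /* pristine passes */
    copy[5] ^= 0x01;                                            /* one-bit patch */
    return !region_intact(copy, sizeof copy, expected);         /* patched fails */
}

int main(void) {
    uint64_t expected = fnv1a64(kProtected, sizeof kProtected);
    printf("tracer attached:   %d\n", tracer_attached());
    printf("tamper detected:   %d\n", demo_tamper_detected());
    printf("gate allows run:   %d\n", hardening_gate(kProtected, sizeof kProtected, expected));
    return 0;
}
```

Run it normally and the gate opens; run it under gdb or strace and tracer_attached() reports 1 and the gate refuses. The point the example makes is also its limitation: an attacker who finds tracer_attached() or region_intact() in the binary patches the branch and both checks are gone. That is why the measures above are a bundle rather than a menu: obfuscation hides the checks, several overlapping checks verify each other, and white-box cryptography means that even a successful memory dump does not hand over a usable key.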
White-box cryptography, in turn, secures the keys an application uses by never holding them in the clear: the key is merged into the implementation itself (for example as lookup tables), so that an attacker who can read the app's memory or single-step its code still does not obtain a usable key. This protects static keys, dynamic keys and sensitive user data. Beyond securing mobile payments, it is always worth revisiting the other parts of the overall POS infrastructure. Here are some basic ways to do that.
Use secure passwords. This is such a commonplace part of securing information that it is often forgotten, yet strong, unique passwords go a long way toward keeping data safe. Merchants must also be aware that the default password for their POS system is often published online, so it should be replaced with a unique login immediately, before the system is connected to anything.
Keep POS software up to date. POS software is updated to close security holes, among other things, and a system that is not kept current with the latest updates is far more exposed.
Put a firewall in place. Firewalls keep outside attackers from reaching POS systems directly and block worms, viruses and other malware from getting in; the POS network should be segmented from guest Wi-Fi and general office systems.
Run antivirus software regularly. If malware does get onto a system, frequent scans can catch it before it does damage. Bear in mind that signature-based antivirus lags behind new POS malware families such as the memory-scraping tools mentioned above, so treat it as one layer and consider application whitelisting on dedicated POS terminals.
Restrict POS access. Only trusted users should be able to use POS terminals or computers, and those computers should be used for POS-related tasks only: no web browsing, e-mail or personal software.
Do not expose remote access. Letting staff or vendors work remotely may seem tempting, but remote-access tools reachable from the internet, especially with shared or default credentials, are a common entry point for POS intrusions. Where remote access is unavoidable, restrict it to named users, require multi-factor authentication and log every session.
The shift of cyberattacks from individual merchants to POS vendors and the infrastructure supporting them is exposing vulnerabilities throughout those systems, mobile payment applications included. Companies are, however, learning quickly how to keep these and similar attacks from succeeding again.
Thorsten Held is a co-founder of whiteCryption and its managing director.