Point of sale attacks are a ‘point of no return’

Register now

An onslaught of cyberattacks are targeting point-of-sale (POS) systems from restaurants and retailers so cybercriminals can easily steal credit card information to illegally buy goods and services online. It is one of the largest piggy banks that cybercriminals take full advantage of.

The latest example was Cheddar’s Scratch Kitchen in which the credit card information of 500,000 customers was stolen due to old legacy POS systems. Cheddar’s isn’t alone in their misery: companies like Applebee’s, Chili’s, Subway, Zippy’s and more have all incurred POS breaches and more are probably on their way.

Security researchers from Booz Allen Hamilton have just discovered a new point-of-sale malware. The new malware seems to be in pre-production and is a RAM scraper to collect credit card numbers. The numbers are put in a DAT file and stored, but RtPOS, how it’s commonly known, only saves the data locally and has no native exfiltration capability. Researchers are speculating that it is more stealth for cyber criminals to load this scraper undetected and leave it there to gather credit card data for a length of time and then go in and retrieve the file.
This new malware is just one of the many that cybercriminals can choose from to penetrate point-of-sale (POS) systems and collect credit card or other data. Also, the cybercrime arsenal of POS malware includes PoSeidon, ALINA, vSkimmer, Dexter, and FYSNA all designed for one thing: gather credit card information and send it back to the hacker. There is no end to the creativity of cybercriminals who also hide UDPoS malware inside DNS requests to steal credit card data.

This high degree of sophisticated attacks and how creatively cybercriminals use the stolen data are not just a problem for restaurants, retailers and their customers, but also for payment card providers and any other organization with online payment capabilities. Once personal and financial information is accessible to criminals, it feeds the pipeline of future cybercrime for years to come.

To avoid getting hit by any creative form of malware, it is essential for customer-facing companies to continuously monitor POS devices and update security patches regularly. An additional approach involves devaluing payment or personal information after a breach. Restaurants, retailers, and other companies offering services in the card-not-present (CNP) channel need to identify customers by means other than potentially stolen data.

Analyzing the user’s online behavior through hundreds of inherent identifiers that hackers can't imitate or steal is one way to make the stolen data valueless. By implementing verification technologies such as passive biometrics and behavior analytics, companies can authenticate customers beyond their credit card number or credentials, identifying them by their online behavior instead.

This increased authentication as part of a layered security framework allows fraudulent transactions to be blocked even if the right passwords, credit card numbers, or security answers are used. This also allows companies to correctly identify key customers to offer rewards, bonuses and more.

For reprint and licensing requests for this article, click here.
Data breaches Point-of-sale Retailers ISO and agent