Credit Card Numbers – the Holiday Gift You Don’t Want to Give



Starting on Black Friday, the holiday shopping season is the biggest test of retailers’ security posture all year. Here are some of the threats retailers need to watch out for this season as well as tips for how to protect data in retail environments.

This holiday season, credit card security at the Point-of-Sale terminal is even more critical than usual. Not only is traffic volume much higher – putting more credit card numbers at risk – but two new malware attacks pose a serious threat to unprotected POS terminals.

In 2014, according to the 2015 Verizon Data Breach Investigation Report, 70% of attacks in the retail industry took place at the point of sale system. The report goes on to say, “The evolution of attacks against POS systems continued in 2014 with large organizations suffering breaches alongside the small retailers and restaurants that had been the cash cows for years.” Attacks on POS terminals are not new and they are widespread.

What makes these two new attacks a particularly serious threat is they both take sophisticated steps to obtain credit card data and then to hide themselves on the target POS system.

According to researchers at Trustwave, Cherry Picker has been infiltrating retail systems and stealing credit card information since 2011. However, it has recently added new tricks to its bag. In particular, the malware now has improved mechanisms for obtaining credit card data by memory scraping and grabbing the unencrypted credit card information that is stored temporarily in memory prior to being sent to the payment processor. Even more worrisome, a malware cleaner included with Cherry Picker removes evidence of the malware after the credit card information has been exfiltrated. If you don’t catch Cherry Picker in action, you probably don’t catch it at all. That makes Cherry Picker a thief in the night, since most attacks are detected well after they occur.

Proofpoint researchers recently identified the malware they named AbaddonPOS. It is delivered via a different piece of POS malware named Vawtrak, packing a 2-in-1 punch. Vawtrak has been seen in the wild since August 2013, with more mature versions detected since the original attacks. It looks for both credential and credit card information. Now it also downloads the AbaddonPOS malware, which also includes sophisticated mechanisms to evade detection. A risk here is that the security analysis team discovers Vawtrak, removes Vawtrak from the POS terminal, and then declares victory – while AbaddonPOS is still lurking in the background.

But, you say, merchants were required to make the switch to EMV cards (cards that employ an embedded chip combined with either a signature or PIN, as opposed to the traditional magnetic stripe) by October 1, 2015, and the credit card data for chip cards is encrypted. So doesn’t that address the problem? In short, no. These cards are more secure, but there are still known security issues with chip cards, which remain subject to abuse in "card-not-present" transactions as well as man-in-the-middle attacks. Improperly implemented EMV systems also pose risks to retailers, such as the rash of EMV "replay" attacks that came out of Brazil last fall.

Even with the increased security provided by the chip cards, retailers remain highly vulnerable in the short term, as EMV card technology is far from fully available. According to CreditCards.com, 60% of credit card holders had not received a credit or debit card with a chip. As American Banker points out, most big box stores will have readers for the new cards, while most small merchants will not. Some payment processors have yet to implement systems that can accept the chip card information.

So what can the merchant do to protect credit card information? Here are a few steps:

  1. Regularly update your POS software: Vendors regularly update their software to harden it against malware attacks. These updates do no good unless they are installed on your POS systems.
  2. Remove all unnecessary users from the system: the more employees who have access to the system, the more likely it is that one of them will inadvertently introduce malware. If employees can’t access the system, they can’t infect it. Practice the principle of least privilege to limit your attack surface by restricting users’ access on an as-needed basis. Where legitimate access is required, bolster security with access controls such as two-factor authentication.
  3. Train and drill your employees: the human element is often the weak link in any security program. Those employees whose job requires them to have access to the POS system need to be trained in proper security procedures – and then updated on a regular basis to remind them of the importance of using these security precautions.
  4. Install software to detect and prevent data loss: there is no single technology that is capable of detecting and preventing 100% of attacks. However, there are solutions on the market that can further harden retail IT environments against compromise. Consider implementing the following solutions alongside EMV as part of a defense-in-depth strategy:
    • Application whitelisting is a lightweight approach that offers big payback. Whitelisting software will only allow executables and applications that you explicitly specify to run on the POS system. If the malware can’t run, it can’t do any damage.
    • Data monitoring solutions will provide retail security teams with real-time visibility into data access and usage throughout the IT environment. This activity should be monitored for anomalous behavior such as unauthorized access or data exfiltration. Data loss prevention solutions provide robust monitoring capabilities combined with controls to mitigate risky activity.
    • Endpoint protection solutions such as anti-virus/anti-malware are a good first line of defense against known malware attacks and assist in detecting and removing infections from systems. The PCI Data Security Standard requires implementation of this technology.
    • Vulnerability scanners identify exploitable weaknesses in networks, applications, and devices. This information will help security teams stay one step ahead of attackers and drives strong vulnerability management practices.

EMV provides a promising future for retail security, but this technology alone is not enough to protect retailers. Implementing these measures in addition to EMV will go a long way in securing your retail systems and the data they process. While the holiday shopping season offers ample opportunities for attackers, there are also innumerable potential targets for attack. Chances are, if your company has the right security protocols and solutions in place, cyber criminals will pass you by in search of easier targets – and that peace of mind may be the best gift you receive all year.

Harriet Cohen

Harriet Cohen is a senior product manager at Digital Guardian where she works in the Office of the CTO to turn innovative ideas for enhanced threat protection into product reality. Harriet has over ten years of experience in the security arena, encompassing both data protection and identity and access management.
