During the past six months, malware targeting point-of-sale (POS) systems has been a major trend, in which malware families are being sold, shared, exchanged, tweaked and improved. Small businesses are especially under-protected, and the situation will only get worse until owners can fight back by implementing better payment processing systems.
How Point-of-Sale Malware works
Small businesses in the food and drink sectors are not typically known for handling large bank accounts or valuable industrial secrets. Therefore, these businesses are targeted most frequently by malware. The main objective is to pick up small batches of card numbers from these types of operations where the least attention is paid to high security practices.
These are the opposite of the high-profile attacks which frequently appear in news headlines. Big-name brands are rarely involved, and no huge sums of money are being stolen from any single victim. Instead, large numbers of smaller targets are being taken for small amounts of cash.
These malware families are being diligently worked on to improve and expand their functionality, and as most seem to be available for sale to anyone willing to buy them online, their implementation grows more diverse by the day.
The malware is used as a standalone data filtering technique in more focused attacks, or rolled into more general-purpose crime kits, which can probe for any likely point-of-sale data just as they would for anything else of potential value.
This implies some degree of organization and pooling of ideas and resources. All of this effort is aimed purely at harvesting card information, and converting that information into cash.
Which Payment Systems are affected?
These problems don’t only affect operations in the US, where the EMV system hasn’t yet been implemented nation-wide on point-of-sale systems. There have been reports of data breaches all over the world, but they do share one common trait: they all impact locations where the EMV system is not yet widely used. Outside of the US, this is mainly international hotels where large numbers of foreign guests are processed. In the US, it’s just about anywhere.
The malware seems to be almost exclusively physical breaches of security, where PIN-reading machines have been doctored, or replaced with Trojan lookalikes.
That kind of attack is difficult to combat: you can be as careful as you like with anti-virus updates, software patches and firewalls, but your business is still open to attack.
How to stop Point-of-Sale Attacks
EMV at least provides some protection against the indiscriminate data-harvesting conducted by malware programs. Once it is properly and universally adopted, these scammers will find it more difficult to extract credit card data.
In the meantime, there are some things business owners can do to protect themselves, starting with the basics of ensuring all software running on their point-of-sale systems is kept up-to-date with the latest patches. They should also ensure that any services allowing remote access have secure passwords – many of these attacks have simply used default passwords in common tools to penetrate networks.