When you think of retail breaches, what comes to mind? Target, probably, since that seems to be the mother of all high-profile breaches. However, it may be in the not-too-distant future when the Target breach is just a blip on the landscape. Retail has a serious security problem with point-of-sale (POS) malware.
A new study from Dell found that attacks against retailers surged in 2014 because, as Payment Week explained, there are “new tactics that fraudsters are deploying, which include encryption to mask malware from network firewalls and memory scraping.”
Part of the problem, according to John Gordineer, director of product marketing for Dell Security, is the lack of security maintenance on POS systems. Upgrades and patches aren’t being applied, so the software and operating systems are vulnerable.
That’s not the only problem, of course. Malware specifically designed to infect POS operations is on the rise, too. Brian Krebs reported on a new strain of POS malware called PoSeidon, which has been hitting smaller businesses including restaurants and bars. This shift away from the large retail markets, Krebs said, is creating a nightmare scenario for the financial industry because it is more difficult to determine where the credit card fraud is being generated.
Also, this week, Trustwave reported on another new POS malware, this one dubbed Punkey, which has its roots in the NewPOSthings family of malware. According to an email I received announcing Punkey, it was discovered during a criminal investigation conducted by the Secret Service. The email stated:
[The malware] hides inside the explorer process that exists on every Windows operation system. Once running, it scans other processes for card holder data and sends each card to a server. It periodically checks in with the server to see if there are any updates (such as new programs to run or if an update to the malware is needed). The Punkey malware also performs keylogging, which captures 200 keystrokes at a time and sends it back to the server. This allows the attacker to capture usernames and passwords and other important information. All of these functions run continuously and will start up again if the computer is rebooted.
Malware and lack of patching aren’t the only security problems facing retailers and POS systems. As a CIO article pointed out, employees are lacking in any type of security training and this contributes to greater opportunities for a breach to occur.
Meeting PCI compliance regulations isn’t enough to stop the security threats on POS systems, Gordineer told Payment Week:
New platforms and channels do not replace the old ones – they add to them, and the old security best practices do not go away. As a result, there are important, key security best practices to consider. Think about how to truly protect your data from attackers, not just how to meet compliance regulations.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.