US-CERT Warns Businesses About POS Attacks

Posted on January 9, 2014 in Security

If nothing else, the breach at Target brought this point home – point-of-sale [POS] systems are firmly on the radar of attackers.

So much so that US-CERT just recently warned retailers to do a better job of protecting their systems.

“In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming,” the organization noted. “In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.”

POS Malware

“As POS systems are connected to computers or devices, they are also often enabled to access the internet and email services,” the advisory continued. “Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.”

In the case of Target, malware was discovered on the company’s POS systems Dec. 15. At that point, Target disabled the malicious code and began the process of notifying card processors and payment card networks. As many as 40 million debit and credit card accounts may have been impacted. But that was just the most recent example of an attack. For example, in 2012, hackers hit the point-of-sale systems at Barnes & Noble and compromised credit card readers at 63 stores.

“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems,” said Mark Bower of Voltage Security.

These systems are in constant use around heavy shopping periods like Black Friday, when they are often less frequently patched and updated, he added. To take the profit out of the attacks, savvy retailers are utilizing point-to-point encryption to protect data before it even gets to the POS system, he said.

“If the POS is breached, the data will be useless to the attacker,” he said. “Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enabling the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw.”

Organizations need to take stock of what devices they have running and what gaps they need to close, said Chris Strand, compliance consultant at Bit9.

“Taking a better approach to automating the vulnerability analysis to get better visibility of the threat landscape and find a solution that allows organizations to see where high priority and critical areas are on those systems,” Strand said.

US-CERT also recommends organizations restrict POS access to the Internet, disable remote access and update POS software applications.

Then there is the prospect of more secure EMV cards, which security experts say may have made the attack on Target a non-starter for those behind it.

“EMV is a big part of the answer and would likely have prevented the Target breach,” noted Chester Wisniewski, senior security advisor at Sophos. “Merchants have been resistant as it requires newer payment terminals, but Target is one of the few who were already EMV-ready. It is currently scheduled to roll out (for most transactions) in the US in the autumn of 2015. It took us about 18 months to fully embrace it here in Canada; let’s hope the US can one-up us.”

Related Reading: PCI DSS 3.0 – The Impact on Your Security Operations

Brian Prince is a Contributing Writer for SecurityWeek.

EU Bank Watchdog Warns Over Bitcoin

Posted on December 15, 2013 in Security

LONDON – The European Union’s banking watchdog on Friday issued a warning over virtual currency trading amid huge swings in the value of Bitcoin, a lack of regulation and money laundering risks.

“The European Banking Authority (EBA) is issuing this warning to highlight the possible risks you may face when buying, holding or trading virtual currencies such as Bitcoin,” a statement said.

The EBA added: “We recommend that, if you buy virtual currencies, you should be fully aware and understand their specific characteristics.”

Bitcoin has become a global phenomenon, with the price rising so much that a Norwegian man was able to buy an apartment with some of the 5,000 Bitcoins he bought for just $24 in 2009.

The explosive growth has raised alarm bells, with analysts warning of a potential crash due to a lack of fundamental underpinning.

The EBA urged users to “exercise the same caution with your digital wallet as you would do with your conventional wallet or purse.”

The watchdog said people should not keep large amounts of money in their digital wallet for an extended period.

The warning comes as Chinese speculators have seen Bitcoin values plunge, soar and plunge again within days.

China is the world’s biggest market for trading Bitcoins, but around $5.0 billion was wiped off the value of the currency’s global stock within an hour of an announcement from Beijing’s central bank in early December, banning financial institutions from dealing in it.

Bitcoin was invented in the wake of the global financial crisis by a computer scientist using the pseudonym Satoshi Nakamoto.

It is based on cryptography and only 21 million units can ever be created, which can be stored either virtually or on a user’s hard drive.

It offers a largely anonymous payment system with no centralized structure and transactions are publicly logged in what is known as the “block chain”.

Related Reading: European Bitcoin Payment Processor Hacked, $1M Stolen

Related Reading: Australian Claims Huge Bitcoin Robbery

© AFP 2013