Credit: Thinkstock via CSO Online
A wide range of choices for consumers is one of the things that make the American economy vibrant.
Unfortunately, a wide range of choices also exists in the world of cybercrime, where developers of malware focused on point-of-sale (POS) systems have created dozens of ways to steal payment card information from those same consumers.
Thanks to the catastrophic breach of retailer Target at this time last year, it is now widely known that the current -- although now outgoing -- payment card system is easily exploitable.
For a millisecond or so after a card with a magnetic stripe is swiped at a POS terminal, the information is unencrypted. In that millisecond, POS malware is able to copy it, and the criminals then collect it.
The U.S. is moving to payment systems with better security. By October 2015, the 1960s-vintage "swipe-and-signature" card system is expected to be mostly replaced either by a smart-card system called EMV or Chip-and-PIN, or to an even newer system using so-called near-field-communication (NFC) technology favored by tech giants like Apple and Google.
But that still leaves plenty of time, including the current holiday season (when POS terminals get their biggest workout of the year), for thieves to raid retailers and other credit card processors.
The problem for the defenders of credit card systems is not just the variety of POS malware families, but that they can evolve so quickly. Kevin McAleavey, a malware expert and cofounder of the KNOS Project, said most security technology still depends in large measure on identifying "signatures" of malicious software.
But antivirus software's recognition of new signatures generally, "trails by hours, days and even longer each new variant of malware," he said.
"This is one of the major reasons why a command and control network is part of commercial malware. It gives the controllers the ability to update and replace their malware as soon as it is detected by antivirus software, with improved, and once again undetectable, replacements," he said.
McAleavey said "intrusion detection" systems provide some added benefit, but they also depend on matching the signatures of known malware at the perimeter of an organization's network.
"Given that POS malware in particular is a well-funded criminal enterprise, the bad guys have the ability to keep ahead of those detection signatures as well," he said.
Even though today's obsolete payment card system is still in place, experts say there are steps that organizations and individuals can take to make themselves a more difficult target.
Karl Sigler, threat intelligence manager at Trustwave, noted that, "in many of the POS malware attacks this past year, the criminals got in due to weak security practices by third-party providers."
Sign up for Computerworld eNewsletters.