Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Top malware families turn point-of-sale into point-of-theft

Taylor Armerding | Dec. 18, 2014
For retailers, and shoppers, the most wonderful time of the year is also the most dangerous.

That, as is widely know, is how the Target breach occurred. And third-party security is expected to improve, since the latest Payment Card Industry Data Security Standard -- PCI- DSS 3.0 -- includes more stringent requirements for third-party providers starting Jan. 1.

"However, businesses should do more," Sigler said. "Their contracts with third-party providers should include clauses regarding data protection. They should also have their own layered security strategy in place so even if a criminal compromises a third-party provider's password, he can still be stopped from gaining access to the business's entire infrastructure."

Other recommendations for organizations include:

  • "Allow only whitelisted applications on POS devices," said Timo Hirvonen, senior researcher, Security Response, at F-Secure. "There should be a default-deny policy for all connections to and from the POS device."
  • "Isolate the environment of POS terminals from (direct Internet access through remote administration," said Pierluigi Paganini, founder of SecurityAffairs, noting that, "this attack vector became the key for successful intrusions and RAM scraping malware distribution.
  • McAleavey recommends joining with other organizations in, "indicators of compromise" sharing solutions, "as proposed by the OpenIOC Framework created by Mandiant" -- a security firm acquired a year ago by FireEye.
  • "Network and host-based monitoring for indicators of compromise, data exfiltration and malware communication plays a critical role," said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.
  • Use a POS system is only for that purpose, not as a workspace computer. "Organizations should segment their critical data -- customers' payment card data -- from their non-critical data," Sigler said.
  • Organize cyber intelligence and threat monitoring frameworks across the enterprise. "Traditionally these infrastructures are franchised-based and decentralized," said Andrew Komarov, CEO of IntelCrawler. "That creates serious flaws in security."
  • Have skilled security staff in place. "Security technologies such as intrusion detection and prevention, network access control, anti-malware technologies and others, are only as good as the people who manage them," Sigler said.

Experts also caution that while the transfer of the PCI system to EMV or NFC will improve security significantly, it will not eliminate credit card fraud.

EMV, while it improves security at the POS terminal, it still leaves the user vulnerable for "card-not-present" transactions such as online purchases.

NFC holds the possibility of being even more secure. With ApplePay, the merchant never sees the credit card number, and the data is encrypted from the phone to the participating bank.

Still, as Paganini notes, "Any new technology has new risks. Security professionals have identified vulnerabilities and bugs in various versions of NFC technology, as well as ApplePay as a product."

According to McAleavey, the best thing individual consumers can do is to sign up for two-factor authentication. "It won't prevent their credit card numbers from getting lifted by malware," he said, "but with two-factor, where a secret code is transmitted to your phone or a special key fob to confirm the sale, that's a one-time use code. Once you've confirmed at the POS that it really is you, the approval goes through. If someone else tries to use the card, then they cannot provide the countersignature."


Previous Page  1  2 

Sign up for Computerworld eNewsletters.