The evolution of attacks against PoS devices

    Point-of-Sale (POS) cybercrime is highly sophisticated, with cyber attackers continuing to target the retail industry aggressively to obtain credit and debit card account data. The ubiquity and widespread deployment of these POS systems is what makes them highly attractive targets for cyber thieves, with attackers using a variety of methods to acquire the data they’re after.

    This could be something as simple as ‘skimming’ individual cards or deploying larger-scale, more sophisticated attacks such as the one which hit Avanti Markets. The self-service food kiosk vendor was hit by malware which was designed to access and steal personal, credit card and biometric information. This in itself is worrying – you can get a new credit card, but not a new fingerprint.

    This stolen data is being collected at an immense rate by fraudulent transactions worldwide, particularly in the US where full chip and PIN authentication is not in use. However, even as the industry moves closer to implementing chip and PIN, and even though we will see more stringent requirements as part of the Payment Card Industry Data Security Standard (PCI DSS), we can still expect fraudulent card-not-present transactions to increase.

    The evolution of POS attacks

    Credit and debit card data theft is one of the earliest forms of cybercrime, dating back to the early noughties. Early attacks were rudimentary, relying on basic retail infrastructure vulnerabilities. Since then, attacks have accelerated rapidly, using increasingly sophisticated methods and technologies. Fast-forward to 2013/2014, and compromised retail credit-card account data reached unprecedented levels with 100 million cards affected in the US alone.

    The development of new POS-specific malware escalated in 2015 and 2016, during which new tools appeared, such as the Dexter POS – a piece of malware designed to infect systems running Windows – among others. The widespread availability of these tools increases the attackers’ ability to penetrate retailer networks and harvest their credit card data so they can then sell or use these cards, both online and in stores, to obtain cash and merchandise. Credit card information and configurable POS-malware toolkits are available for sale on the Dark Web on a daily basis, with certain brands and types of cards more valuable than others.

    Protecting the POS

    Attackers have a variety of techniques to help them establish footholds within networks. Some of these attacks may be blocked by perimeter and endpoint defences, but not all. It takes just one successful penetration to be compromised - recent events such as the Target and Home Depot hacks demonstrate the far-reaching impact of a successful attack on retail and POS networks. Today’s sophisticated cyber attackers can easily access and breach corporate networks, following up with reconnaissance on intellectual property.

    This is where the need for early detection comes in. More often than not, these attacks are only detected once it is too late and the damage is done. This means we need to find faster, smarter approaches to stay ahead of the attackers. As many of those systems are mission critical, controls must be unintrusive.

    This is where techniques such as deception come in. Deception is an age-old tactic used by cyber criminals to out-manoeuvre their targets: they constantly use new techniques to hide their identity, remain undetected or conceal their activities on the network. This means that traditional defence methods are no longer enough, and organisations need to rethink their security strategies. As deception can be used in attacks, why can’t the same tactics be applied to cyber security?

    Advanced deception technology is the cyber equivalent of a trail leading intruders down a false path, enabling organisations to detect the early reconnaissance stage of an attack. It draws an attacker into an environment where resources that may appear to be attractive are not what they seem to be. By emulating a retail organisation’s assets – such as the POS systems and workstations – hackers can be lured into a trap where they cannot compromise the system; to a would-be attacker, these traps are indistinguishable from a genuine IT asset.

    The use of decoy systems to identify and halt attackers is an emerging security trend according to research from Gartner, with some retail companies already adopting this approach. Deception is a viable option for improving cyber security, giving the retail industry a new way of playing hackers at their own game.

    Ori Bach, Cyber Security Strategist, TrapX Security