• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   ​Defending against new POS malware with EMV technology

​Defending against new POS malware with EMV technology

  • Posted on:December 8, 2015
  • Posted in:Industry News
  • Posted by:
    Noah Gamer
0
Protecting the POS with EMV-capable card readers is a priority for retailers.

One of the most renowned cyber attacks to occur in recent years was the Target data breach in 2013. The incident resulted in the theft of approximately 40 million credit cards, and Target has faced several lawsuits as a result, the most recent of which entailed a $39.4 million settlement with banks, according to Reuters. 

In many ways, the attack on Target was unprecedented; it was the largest point-of-sale related breach in history. That said, the likelihood of an equally large or even larger POS breach is only increasing, creating the need for new methods to secure customer payment information.   

POS malware on the rise

Memory-scraping malware is haunting the cyber crime landscape for retailers and consumers alike. According to The Register, several new strains of POS malware have recently been discovered. Cherry Picker and AbaddonPOS malware, which primarily plague Windows operating systems, are both very difficult to detect. These strains are smooth criminals and can disappear from the system without hardly leaving a trace once they've done the dirty work for hackers. 

Memory-scraping malware – such as that which affected Target – primarily attacks retailers and restaurants, but it can also affect hotels and any other industry that uses POS systems. It essentially sits in the system and waits until payment data is processed, at which point it is decrypted and therefore vulnerable. There are a variety of ways malware can get into a POS device and most tactics leverage a PC or other device bridged to the POS system. For this reason, retailers must go above and beyond in their efforts to secure the POS endpoint and any links in the network to the system. More importantly, they must have a method to prevent the pilfering of payment information in the event that malware manages to sneak through the cracks.

How EMV technology works 

As of October, merchants will be held accountable for theft of payment data, rather than card issuers – that is, assuming card issuers embed their cards with EMV chips and the merchant does not have, or is not using, EMV payment processing technology. Therefore, it is extremely important for merchants to begin making the shift to EMV payment processing technology. 

EMV, which stands for Europay, Mastercard, Visa, is more secure than traditional magnetic stripes, which store unchanging data. Because this data is static, it can be used if stolen, hence credit card fraud. The microchips embedded in EMV cards also store data, but it also uses a unique code for each transaction. This means that even if the POS is infected, any stolen data is basically useless to a cyber criminal. Any individual who had been the victim of credit card fraud, either through Target, an online retailer or through another source is encouraged to contact their bank or credit card issuer as soon as possible to learn more about EMV technology. 

The efficacy of EMV is pending

In theory, EMV technology is extremely secure compared to traditional magnetic stripes. But for now, EMV is valued more for its potential than for its proven ability to work. This is mainly because so few merchants are using it. A mere third of all retailers have implemented EMV-capable payment processing units, according to a recent CIO article.

Those who already have chip technology in their cards may notice that the magnetic stripe is still present on the back of the card, and that they still find themselves swiping more often than not. An EMV-enabled card reader entails the insertion of a payment card into a small slot, so that the unit can read the chip, which would create a transaction code for one-time use rather than transfer unprotected payment data through the POS. Thus, anyone who continues to use the magnetic stripe on an EMV credit card is at risk of fraud. Likewise, any merchant that is not supplying EMV technology for customers to use assumes liability should fraud occur. 

Worse yet, Trend Micro notes that chip technology is not ironclad against the threat of memory-scraping malware. This is especially true for cases in which the EMV technology is not properly implemented. According to PCWorld, specialists have said that the same data that can be obtained from a magnetic stripe can also be lifted from a card with EMV technology as a result of improper implementation. Experts also suggest that some banks are in fact implementing these chips improperly. 

Another issue facing the deployment of EMV technology is the fact that hackers are extraordinarily adaptable and are consistently finding new ways to breach seemingly impenetrable defenses. Even once the EMV rollout is fully under way, there will be vulnerabilities to the POS, by vice of user error, or by virtue of hacker adroitness. Cyber security and adequate threat protection should therefore be front of mind for any company that processes payment information. 

Trend Micro's Endpoint Application Control helps retailers defend against POS malware and other threats to payment data.

Related posts:

  1. October 1, 2015: Happy EMV Day! What it means for you
  2. Target breach shows need to create more secure payment systems.
  3. PoS malware continues to evolve and threatens many industries
  4. As PCI 3.1 deadline is pushed back, online merchants face big risks

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Cloud-based Email Threats Capitalized on Chaos of COVID-19
  • Detected Cyber Threats Rose 20% to Exceed 62.6 Billion in 2020
  • Trend Micro Recognized on CRN Security 100 List
  • Trend Micro Reports Solid Results for Q4 and Fiscal Year 2020
  • Connected Cars Technology Vulnerable to Cyber Attacks
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.