One of the most renowned cyber attacks to occur in recent years was the Target data breach in 2013. The incident resulted in the theft of approximately 40 million credit cards, and Target has faced several lawsuits as a result, the most recent of which entailed a $39.4 million settlement with banks, according to Reuters.
In many ways, the attack on Target was unprecedented; it was the largest point-of-sale-related breach in history. That said, the likelihood of an equally large or even larger POS breach is only increasing, creating the need for new methods to secure customer payment information.
POS malware on the rise
Memory-scraping malware is haunting the cyber crime landscape for retailers and consumers alike. According to The Register, several new strains of POS malware have recently been discovered. Cherry Picker and AbaddonPOS malware, which primarily plague Windows operating systems, are both very difficult to detect. These strains are smooth criminals and can disappear from the system while hardly leaving a trace once they've done the dirty work for hackers.
Memory-scraping malware – such as that which affected Target – primarily attacks retailers and restaurants, but it can also affect hotels and any other industry that uses POS systems. It essentially sits in the system and waits until payment data is processed, at which point the data is decrypted and therefore vulnerable. There are a variety of ways malware can get into a POS device, and most tactics leverage a PC or other device bridged to the POS system. For this reason, retailers must go above and beyond in their efforts to secure the POS endpoint and any links in the network to the system. More importantly, they must have a method to prevent the pilfering of payment information in the event that malware manages to sneak through the cracks.
How EMV technology works
As of October, merchants will be held accountable for theft of payment data, rather than card issuers – that is, assuming card issuers embed their cards with EMV chips and the merchant does not have, or is not using, EMV payment processing technology. Therefore, it is extremely important for merchants to begin making the shift to EMV payment processing technology.
EMV, which stands for Europay, Mastercard, Visa, is more secure than traditional magnetic stripes, which store unchanging data. Because this data is static, it can be reused if stolen, which is what makes credit card fraud possible. The microchips embedded in EMV cards also store data, but they also use a unique code for each transaction. This means that even if the POS is infected, any stolen data is basically useless to a cyber criminal. Any individual who has been the victim of credit card fraud, whether through Target, an online retailer or another source, is encouraged to contact their bank or credit card issuer as soon as possible to learn more about EMV technology.
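The difference between static stripe data and a per-transaction chip code, as an added example that is not part of the original article. HMAC-SHA256 with a transaction counter stands in for the real EMV cryptogram, and the class names, field names, card number and key are constructed for illustration.

```python
import hashlib
import hmac

def _mac(key, tx):
    # Stand-in for the EMV cryptogram (assumption): HMAC-SHA256 over the fields.
    msg = "|".join(str(tx[f]) for f in ("pan", "atc", "amount", "nonce")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # key stays on the chip

    def swipe(self):
        return {"pan": self.pan}  # magnetic stripe: identical data on every read

    def insert(self, amount, nonce):
        self.atc += 1  # transaction counter makes every code unique
        tx = {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce}
        return {**tx, "code": _mac(self._key, tx)}

class Issuer:
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {}

    def authorize_stripe(self, data):
        return data["pan"] in self.keys  # static data: a copy looks like the card

    def authorize_chip(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None or not hmac.compare_digest(_mac(key, tx), tx["code"]):
            return False  # unknown card, altered fields or forged code
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False  # counter already seen: replayed transaction
        self.last_atc[tx["pan"]] = tx["atc"]
        return True

def demo():
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    card, issuer = ChipCard(pan, key), Issuer({pan: key})
    chip_tx, stripe = card.insert(1999, "nonce-1"), card.swipe()
    return {
        "chip_first": issuer.authorize_chip(chip_tx),
        "chip_replay": issuer.authorize_chip(dict(chip_tx)),
        "chip_tampered": issuer.authorize_chip({**card.insert(500, "n2"), "amount": 90000}),
        "stripe_replay": issuer.authorize_stripe(stripe) and issuer.authorize_stripe(dict(stripe)),
    }

if __name__ == "__main__":
    print(demo())
```

A copied chip transaction is refused the second time it is presented, while a copied stripe record is accepted every time because nothing in it changes between reads.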
The efficacy of EMV is pending
In theory, EMV technology is extremely secure compared to traditional magnetic stripes. But for now, EMV is valued more for its potential than for its proven ability to work. This is mainly because so few merchants are using it. A mere third of all retailers have implemented EMV-capable payment processing units, according to a recent CIO article.
Those who already have chip technology in their cards may notice that the magnetic stripe is still present on the back of the card, and that they still find themselves swiping more often than not. With an EMV-enabled card reader, the payment card is inserted into a small slot so that the unit can read the chip, which creates a transaction code for one-time use rather than transferring unprotected payment data through the POS. Thus, anyone who continues to use the magnetic stripe on an EMV credit card is at risk of fraud. Likewise, any merchant that is not supplying EMV technology for customers to use assumes liability should fraud occur.
Worse yet, Trend Micro notes that chip technology is not ironclad against the threat of memory-scraping malware. This is especially true for cases in which the EMV technology is not properly implemented. According to PCWorld, specialists have said that the same data that can be obtained from a magnetic stripe can also be lifted from a card with EMV technology as a result of improper implementation. Experts also suggest that some banks are in fact implementing these chips improperly.
Another issue facing the deployment of EMV technology is the fact that hackers are extraordinarily adaptable and are consistently finding new ways to breach seemingly impenetrable defenses. Even once the EMV rollout is fully under way, there will be vulnerabilities in the POS, whether by virtue of user error or of hacker adroitness. Cyber security and adequate threat protection should therefore be front of mind for any company that processes payment information.
Trend Micro's Endpoint Application Control helps retailers defend against POS malware and other threats to payment data.