POS Malware: A PCI Nightmare
After a data breach in which millions of customer records have been stolen, and in the worst cases sold online, a full investigation to verify what really happened can take months or even years.
In the meantime, identifying ways in which an attacker could gain access to networks and point of sale (POS) systems can help us determine how to protect them.
Read on for a deep dive into variants of POS malware, the ways they can infect systems, the type of data they steal, and how two-factor authentication could effectively prevent attackers from stealing retail company customer data.
Retail Breaches: Infected POS Systems
Target’s security breach, occurring during the prime holiday shopping season, grew from 40 to 70 million total breached records after further investigation. While the investigation is still ongoing, CNBC reports that malware was found on its POS registers, according to Target’s CEO.
Darkreading.com reports that after breaching the POS systems, the attackers were able to access a database of even more records. According to unnamed sources and a recent KrebsonSecurity.com report, the POS malware was uploaded after a company web server was compromised. The attackers then set up a control server within Target’s internal network that they logged into remotely in order to manually collect dumps of stolen data over a period of two weeks.
Similarly, Neiman Marcus’s credit card processor informed the company of a potential breach in mid-December, and a forensics firm confirmed in January that it had been breached. Whether or not the two breaches are connected has yet to be confirmed, but the timing raises the question. If the two stores used the same POS systems or provider, there’s a possibility the same attackers hit several different retailers with one attack.
Types of POS Malware and Stolen Data
According to US-cert.gov and research from Arbor Networks, one type of POS malware, Dexter (and its variant StarDust, or Dexter version 2), uses a memory scraping technique to find specific card data. Dexter parses memory dumps of POS software-related processes, searching for the Track 1 and Track 2 data found on the magnetic stripes of payment cards, which is captured during transaction processing. StarDust extracts data not only from system memory, but also from internal network traffic.
KrebsonSecurity.com identified the type of malware used in the Target breach as similar to BlackPOS, a piece of malware installed on POS devices that records credit and debit card data after cards are swiped. BlackPOS is designed to bypass firewall software. However, Target has yet to verify that the identified malware was indeed the culprit.
What is Track 1 and Track 2 data?
As seen in the figure below, Track 1 data includes Primary Account Numbers (PANs), customer names, and additional information such as the expiration date, service code, and more.
Track 2 data includes PANs and additional data; it is the track most commonly read by ATMs and credit card checkers. Since Track 2 holds less data, it requires shorter processing time.
PCI DSS (Payment Card Industry Data Security Standard) requirement 3.2.1 prohibits companies from storing the full contents of any track from the magnetic stripe on the back of cards, or the equivalent data found on a chip or elsewhere, because attackers can steal that data and ultimately reproduce and sell payment cards.
PCI DSS Compliance and Two-Factor Authentication
So how do attackers infect POS systems with this type of malware? Nobody knows for sure yet. One way attackers may have gained access is by taking advantage of weak administrative passwords, accessing networks remotely via VPN (Virtual Private Network) or RDP (Remote Desktop Protocol) connections secured by only a username and password.
If this was the case, adding another layer of security by integrating two-factor authentication with VPN or RDP logins may have prevented unauthorized network access, ultimately protecting business-critical POS systems from malware infection.
Even if credentials were stolen via a phishing email, attackers still wouldn’t be able to access systems without a secondary method of authentication with something they owned (like a mobile device).
Two-factor authentication is a requirement for any company dealing with credit card data, and a best practice for third parties that support retail companies, particularly payment processors.
PCI DSS was updated from version 2.0 to 3.0 late last year; find out how this update affects requirement 8.3, which covers two-factor authentication, in our blog post, PCI DSS 3.0 and Two-Factor Authentication.
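To make the "something they own" argument concrete, here is an added example of the server side of a remote-access login gate that requires both a password and a time-based one-time code from a device the user carries. It is not code from the original post and not any vendor's product: it implements HOTP (RFC 4226) and TOTP (RFC 6238) directly from the standard library so the codes can be checked against the published test vectors. The account name "posadmin", its password, the salt and the user store are constructed for the demonstration; the TOTP secret is the RFC reference secret. It goes slightly beyond the post's description by adding a one-step clock-drift window and by refusing to accept a code twice, so a code phished or captured from the user cannot be replayed within its thirty-second window.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret, used here so the output can be checked
# against the published test vectors.
RFC_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


# Constructed user store: one hypothetical remote-access account. Passwords are
# stored as PBKDF2 hashes; the TOTP secret is what the user's phone app holds.
_SALT = b"constructed-demo-salt"
USERS = {
    "posadmin": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": RFC_SECRET,
        "last_counter": -1,   # highest TOTP counter already consumed (replay defence)
    }
}


def password_ok(user: dict, password: str) -> bool:
    """First factor: constant-time comparison of the PBKDF2 hash of the offered password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, now: int, window: int = 1):
    """Return the matching counter if the code is valid and unused, else None.

    A window of +/-1 step tolerates clock drift between phone and server; a
    counter at or below the last accepted one is refused so a captured code
    cannot be replayed within its 30-second window.
    """
    base = now // TIME_STEP
    for counter in range(base - window, base + window + 1):
        if counter <= user["last_counter"]:
            continue
        expected = hotp(user["totp_secret"], counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            return counter
    return None


def authenticate(username: str, password: str, code, now: int) -> bool:
    """Both factors must pass; a stolen password alone is never enough."""
    user = USERS.get(username)
    if user is None or not password_ok(user, password):
        return False
    if code is None:
        return False
    counter = verify_totp(user, str(code), now)
    if counter is None:
        return False
    user["last_counter"] = counter   # consume this code
    return True


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: the expected 6-digit code is 287082
    print("password only:", authenticate("posadmin", "correct horse", None, t))
    print("password + code:", authenticate("posadmin", "correct horse", totp(RFC_SECRET, t), t))
    print("replayed code:", authenticate("posadmin", "correct horse", totp(RFC_SECRET, t), t + 2))
```

In a real deployment the VPN concentrator or RDP gateway would call authenticate (typically through RADIUS or an equivalent hook) before admitting the session, and the per-user last_counter would live in shared storage rather than a module-level dictionary so that every gateway node enforces the same replay rule.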
The Fallout: Paltry Post-Breach Sales, Subsequent Long Term Costs
As Target warned investors a few weeks ago, the data breach caused a 2-6% decline in fourth-quarter sales. Informationweek.com also reports that the company will close eight U.S. stores early this spring.
Long term costs might include reimbursements to payment card networks for credit card fraud/reissuance costs, legal fees, potential government fines, consulting and investigation fees, and any remediation costs, like offering free credit monitoring for affected customers.
Other costs include a potential hit to customer loyalty, as data breaches can weaken customers’ trust in handing over their personal and credit card data to companies that don’t provide the required level of security. However, Target may do well to remain transparent about how it intends to remedy the security weaknesses the investigation uncovers, in order to win back customer loyalty and trust.