Skip navigation

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Industry News

U.S. Gov Recommends 2FA for POS Remote Access Security

An official US-CERT alert has been released by the U.S. Depart. of Homeland Security warning against a new family of point-of-sale (POS) malware, and recommending the use of two-factor authentication for remote desktop access, including with VPNs (Virtual Private Networks).

Named “Backoff,” the advisory states that the malware has been used in several POS data breach investigations. Given the timing and ubiquity of a recent string of retail industry breaches (Target, Neiman Marcus, Michaels, Sally Beauty, P.F. Chang’s, etc.), I wouldn’t be surprised if this malware strain was related, particularly because certain U.S. agencies were involved in the research and reporting - including the U.S. Secret Service.

Research was also conducted by U.S. partner, Trustwave Spiderlabs. They published a more technical blog with a detailed overview of the malware capabilities.

What does the malware do? A few things:

  • Memory-scraping for track data (primary account numbers, names, expiration date, service codes, etc.)
  • Keystroke logging (can steal passwords)
  • Command & control (C2) communication (sending stolen data to their servers)
  • Injecting malicious stub into explorer.exe (the malware decrypts and copies a new instance of the malware before running it if it detects that the original malware is not running; rendering it pretty persistent)

Naturally, this malware can steal credit card data and personal information from POS applications, as well as payment terminals via memory scraping. The U.S. alert recommends a defense in depth approach for a few different categories, including remote desktop access, network security and cash register and POS security.

For remote desktop access, the alert recommends two-factor authentication when accessing payment processing networks, as well as for any remote desktop access. Even if a virtual private network (VPN) is used, the alert states it’s important to implement 2FA to protect against keylogger or credential-dumping attacks.

For POS security, the alert also recommends assigning strong passwords and using two-factor authentication ‘where feasible.’ A DarkReading.com article on the malware also states that “two-factor authentication is a must.”

And yet another article from NYTimes.com, Checking In From Home Leaves Entry for Hackers, interprets the report’s recommendations as:

The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two factor authentication”— a process by which employees must enter a second, one-time password in addition to their usual credentials — the status quo.

While there appears to be a mass consensus that two-factor authentication should be the status quo, the technology continues to be misperceived and somewhat oversimplified by some writers. A one-time password (OTP)-based method of 2FA is not the only and most secure method, as I wrote about recently in Answer to OTP Bypass: Out-of-Band Two-Factor Authentication.

The POS hacking methods and malware have been around for some time, and while they may vary in capabilities over time, the one constant remains - credential theft buys them access to retailer networks and credit card data, while two-factor authentication puts a hard stop to it. Find out more by reading our guides and case studies, or watch how-to videos and webinars in our Two-Factor Authentication Resources.