Surviving the threats posed by PoS malware

3 February 2016

These days, you can’t go into a store or mall without being asked to use a point of sale (PoS) system at checkout rather than an antiquated cash register. PoS systems are terribly convenient; some let you pay by simply touching the machine with your credit card or phone. However, they are not known for their security and are, in fact, infamously insecure. With PoS systems so ubiquitous and in daily use, how do we protect ourselves from exposure to risk as operators and clients? In the Target breach of 2013, the personal information of approximately 70 million customers was stolen during the holiday season due to the introduction of the BlackPoS malware variant.

Figure 1: Advertisement for BlackPOS on a Russian forum in 2015

Notable and recent examples of breaches related to PoS malware include United Parcel Service, where the BackOff PoS malware variant was observed, cases associated with CherryPicker and AbaddonPOS, and, most recently, Hyatt hotels. In November 2015, iSIGHT Partners began warning retailers of what it called the most sophisticated piece of PoS malware that it had ever seen. According to iSIGHT, ModPOS, which it believes has been active since 2013, is far more capable than many of its peers in that it goes well beyond typical banking card scraping. Our research corroborates the timeframes noted in earlier reports with respect to ModPOS being discussed in the underground. ModPOS has already breached several U.S. retailers, and the code itself is modular, meaning that it contains modules such as:

  • A keylogger;
  • An uploader/downloader;
  • Plugins for scraping credentials;
  • The ability to gather local and network system information.

So what can retailers do to protect themselves and their customers from PoS malware, such as ModPOS? To begin with, retailers can:

  • Invest in understanding their risk postures and attack surface, internally (through audit and assessment) and externally through penetration testing, assessment, and red teaming exercises, all of which provide different degrees of insight into an organization;
  • Invest time in assessing the guidance given to trusted third parties who are not employees yet retain access to critical systems linked to the enterprise network. In doing so, risks such as those identified during the Target breach may be minimized, mitigated and even eradicated;
  • Invest in PoS systems and networks as though they are vital extensions of their enterprise environments. The technology that is used to protect the enterprise should be leveraged on the PoS systems and networks where possible and, if not possible, comparable alternates should be sought out;
  • Invest in vigilant cyber threat intelligence, specifically cyber situational awareness;
  • Adopt technologies that are becoming more commonplace, such as chip and PIN;
  • Share intelligence with their peers, for example, in the form of an ISAC for the betterment of their industry.

There are many ways through which retailers can protect themselves from PoS malware, just as there are many ways through which they can protect themselves from other forms of malicious code and content. Putting these practices and technologies in place, with solid teams operating strong programmatic elements, is key to successfully mitigating this type of risk for organizations and their clients.