What Is POS Malware? Some Examples of Point of Sale Malware From The Recent Past
The POS is the system through which payments are processed. Most payments are made through cards. So, criminals have been targeting this system to steal sensitive personal information from credit/debit cards so that the cards can be cloned for later use.
Stealing Payment Cards Data
Stealing payment cards information is a lucrative crime, criminals can create fake cards based on the information they have stolen and run up charges on those cards. Card issuing agencies like banks also have security systems in place. So, any unusual spending patterns are easily identified and the cardholder is alerted by the issuer even if the holder does not at once notice the unauthorized charge. The card is canceled and new cards are issued.
So, criminals are resorting to stealing card information en masse, from systems like ATMs, POS etc to have a continuous supply of cards to use.
Targeting the POS Systems of retailers like Target, KMart etc. gives criminals potential access to huge amounts of sensitive payment card information.
Initially, hardware devices were used to steal credit/debit card information, like hardware keyloggers. However, these techniques need physical access to the POS systems or terminals and involve a higher risk of the perpetrator being identified. So, thefts are now being done through software techniques.
These are Malware (Malicious Software) that penetrate POS systems exploiting security loopholes. They steal Track 1 and Track 2 data from payment cards. Track 1 and Track 2 data, encoded in the magnetic strips on cards, contain sensitive information like the cardholder name, the card number etc.
Though card data is secure and it is encrypted when being transmitted over a network, there is a small window of opportunity for POS malware. They can access the Track 1 and Track 2 data right when the card is swiped, while this data is in the RAM. This technique is called RAM scraping.
A Few of the Most Prominent POS Malware
There are a few identified POS malware that has been responsible for information theft and these are still out there, evolving constantly to try and avoid detection by security software.
This was identified in 2011, a trojan that installs itself as a service in Windows systems and then uses Perl regular expressions to collect track 1 or track 2 data from cards. This information is then collected into a text file for transmission.
Dexter is one of the most prominent amongst POS malware that has targeted numerous POS networks across the world. It is effective, efficient and fast. It collects Track 1 and Track 2 information using keyloggers. In 2012, it affected the POS networks of many major retailers.
Alina emerged in 2012, a malware that sits in infected systems, updates itself automatically and scans attached card readers to capture Track1 and Track2 data. It then encrypts the collected information to send it back to the attackers.
BlackPos is a stealth system that masquerades as a service of antivirus software on Windows and then begins to collect card data from connected POS systems. It was first identified in 2013, as part of a malware attack on the POS systems of Target and Home Depot.
This memory scraper malware was identified in 2013, and it affected around a 1000 retail businesses. It infected Windows Explorer to keep itself running continuously, but it now uses a keylogger. This malware was very active until 2014.
CenterPOS is a memory scraper that was identified by Trend Micro in 2015. It was located in a folder that also contained other POS malware like Alina and BlackPOS. This malware was targeting SMBs. Iterating through running processes to collect information, it sends the data back to the hacker using the HTTP POST request.
FastPOS was discovered in 2016. It is transmitted through file sharing or by URL redirection. It has a keylogger to collect and store keystrokes and also has a RAM scraper to read payment card information.
MalumPOS is a malware discovered by Trend Micro in 2015 that affects Oracle MICROS payment systems. Coded in Delphi programing language, it masquerades as the NVidia Display Driver. It collects Track 1 and Track 2 data from card swipes and stores all the information in the system, which it then sends to cybercriminals.
Securing POS Systems
There are many techniques to make POS systems and card transactions more secure. Using EMV chip cards and POS systems that can process such cards can offer an additional layer of protection. Many good POS systems like Shopify POS include features that enhance security and protect customer data.
Shopify POS is Level 1 PCI DSS compliant, so the system is quite secure. Shopify POS offers retailers the option of card readers capable of reading EMV chip cards. Shopify also requires POS System users to log in using user PINs, to prevent unauthorized access to the system.