Point-of-Sale Malware: Continued Threat to Businesses and Consumers

TLP: WHITE | Point-of-Sale (PoS) malware breaches attracted wide media coverage throughout 2014 when at least thirteen major U.S. retailers suffered payment card data breaches, the largest affecting approximately 110 million customers. Although PoS incidents have largely remained out of the headlines thus far in 2015, payment card breaches have continued month to month and many new variations of PoS malware have been identified by law enforcement and security researchers. The NJCCIC assesses data breaches resulting from PoS malware will continue to occur at a steady pace throughout 2015 and pose a persistent threat to public and private sector organizations, particularly small to mid-size businesses that lack the cybersecurity resources to prevent, detect, and mitigate these threats. The industries most targeted by PoS malware include retail, food services, healthcare, education, and tourism. While the ongoing implementation of the more-secure Europay, MasterCard, & Visa (EMV) cards, also known as chip-and-PIN, is expected to mitigate PoS vulnerabilities and reduce fraud in the U.S., many retailers and cardholders will remain vulnerable until all EMV cards are issued and PoS terminals throughout the country are updated to accept EMV transactions.

THREAT OVERVIEW

PoS malware is malicious software designed to steal credit and debit card data from retail payment processing systems. Since 2013, there has been a dramatic rise in the number of PoS malware variants, and the tools and knowledge to conduct these attacks are becoming more widely available through online criminal forums. Ready-to-use PoS malware kits and the widely reported success of previous attacks have made PoS systems an attractive target and lucrative undertaking for criminals across the globe. Additionally, the ‘swipe-and-sign’ process used to complete transactions has been in place since the 1970s and is inherently insecure.

  • Market research firms estimate that only 70 percent of U.S. credit cardholders will receive the new EMV cards by the end of 2015. Moreover, only 50 to 60 percent of PoS terminals throughout the U.S. are expected to be capable of accepting EMV transactions.
     
  • The new cards contain a microchip which authenticates transactions by generating a new digital signature each time the card is used. If criminals attempt to clone EMV cards, any transactions involving the use of the counterfeit cards would be denied due to the lack of a digital signature. However, until all PoS terminals are upgraded, even those with the new EMV-cards will continue to complete transactions with the traditional, and vulnerable, magnetic strip. A number of Western counties, including Canada, France, and the United Kingdom, have seen reductions in fraud since adopting the new EMV standard.

DOWNLOAD FULL ANALYSIS

Contact Information
Any agency with comments or questions about this document should contact the NJCCIC at njccic@cyber.nj.gov.

Traffic Light Protocol: WHITE
TLP: WHITE INFORMATION MAY BE DISTRIBUTED WITHOUT RESTRICTION