Payment Card Data Theft At The POS - Time To Knuckle Down

Recently, I wrote a piece highlighting some of the startling data released on the true costs of fraud published in a report by Lexis Nexis. This report examined the costs of fraud across a number of dimensions including channel, payment method, merchant type and location, providing a great view on the true scope of the issues now confronting the payments industry. Against this backdrop, a new report on POS (Point of Sale) Malware issued by Trend Micro at the recent RSA Conference caught my attention. The report takes an in-depth look at the various tools and tactics currently powering the cybercrime wave that is making daily headlines and impacting tens of millions of consumers via data breaches at major retailers including Target and Home Depot.

The Trend Micro report focuses on the modern techniques of RAM-scraping malware able to collect card data from the Random Access Memory of a payment terminal or computer’s memory, and the evolution of attack vectors with names like Rdasrv, BlackPOS, Alina and Dexter that have been infecting payment systems over the past five years. The report also highlights that this latest cybercrime wave also represents an evolutionary shift from physical approaches of card theft and skimming to an “industrialized” form of automated, autonomous and anonymous data theft from system-level breaches, attacks that card-based technology such as EMV/Chip & Pin alone will not protect us from. Unfortunately this type of crime is here to stay, for as the author says, “Cyber-criminals steal credit card data because it is quick and lucrative” and so we must ask ourselves, what can be done to thwart this latest fraud vector?

The Trend Micro report highlights that the U.S. is far in a way, the largest target and victim of POS malware attacks representing nearly 74% of identified infections, principally in the retail sector (67%). Whilst this is shocking, we shouldn’t be surprised, seeing that the U.S. is the single largest card market in the world and still relies on decades-old mag stripe card technology. What should be surprising is the fact that smaller retailers and merchants who aren’t expected to be experts in system security or maintaining PCI Data Security Standards (PCI DSS) and would appear to be the most vulnerable, aren’t the prime targets for POS Malware attacks, it’s the big retailers like Target and Home Depot. These enterprises have significant resources invested in security and IT, yet found themselves unprepared. Clearly, security protocols and processes need to be improved, as highlighted by the key recommendations from the Trend Micro report. 

The real problem is that many of the companies involved will be able to state that their security architecture does conform to “best practice” guidelines. And therein lies the crux of the issue. Industry guidelines and recommendations fail to keep pace with the evolution of sophisticated fraud. Even one of the key recommendations of the Trend Micro report highlights that “two factor authentication”(“2FA”) should be added to production deployments. Whilst 2FA is definitely more secure than username/passwords, the problem is that 2FA is woefully inadequate in certain situations. 2FA (hardware token) was demonstrably compromised by Man-in-the-Middle (“MitM”) attacks as far back as 2006 in Singapore , and again was demonstrably powerless to counter Man-in-the-Browser (“MitB”) attacks in 2007 (hardware tokens and digital certificate) in Ireland. Whilst the industry has recognized this and guidelines have been “upgraded” to recommend Multi-factor Authentication (MFA), once again this is where the guidelines fail us. Implementations today that “comply” with best practices and MFA include weak interpretations of what MFA is (a separate issue), and fail to recognize that any form of authentication alone is powerless to defend against MitB. To successfully prevent a MitB attack on a transaction, the authentication of the individual and the transaction details must be carried out at precisely the same time. 

If we are ever to come to terms with sophisticated fraud, guidelines cannot be static and best practices must actually be just that, “best practices”. There is no point in a lowest common denominator approach, solutions must be highest common factor and independently certified to meet the highest standards, and absolutely must be capable of addressing the “relevant” risk to a transaction, in real-time and before the fraud can be perpetrated (different transaction types have different risk profiles).

In the case of the POS Ram scrapers, the objective is to steal tracks 1 & 2 from the card. However, the theft of such data can be rendered worthless to the fraudster if at the time of a transaction occurring, a real-time, invisible proximity correlation check is carried out. These correlation checks validate the origination location of the card transaction and the location of the genuine card holder by using a “trusted” device (i.e., cell phone) as a proxy for the customer’s identity. Such an approach is complementary to EMV, HCE and Tokenization. It also means that an individual can travel to any country, irrespective of whether or not EMV is deployed, and not have their transaction declined (a huge frustration for the customer which can cause significant inconvenience and distress).

This report sheds new light on the hidden, dark world of POS Malware, software able to exploit or circumvent many of today’s best security systems. Just as the fraudsters have evolved their attacks from physical cards to digital card data, so too will they evolve to adapt to security changes. Compound this with emerging new payment technologies and channels such as contactless payments (NFC/RFID), and the cat and mouse game will not end. Defense strategy must be dynamic and constantly evolve as sophisticated fraud evolves. POS fraud is here to stay for the foreseeable future. It’s time to break this cycle. It’s time to knuckle down.