October 1, 2015 marked the deadline set by credit card issuers to shift liability for fraudulent activity from card issuers or payment processors to the party that is the least Europay-Mastercard-Visa (EMV) compliant during a fraudulent transaction. In order to be EMV-compliant, retail merchants should, at a minimum, be switching to EMV card readers that are capable of accepting chipped credit cards.
However, switching to the new EMV standard does not eliminate the danger of traditional security threats like Point of Sale (POS) malware. In addition, EMV itself might not make economic sense for all merchants. Check out this blog for some business perspective on why EMV chip-enabled credit card processing is taking so long to adopt in the US.
The new, chipped cards are definitely more difficult to counterfeit than traditional cards (though a recent case showed that this is not impossible [1,2]). However, since there is no requirement that new card readers encrypt card data before it reaches POS random access memory (RAM), it might still be possible for RAM scraping malware to extract account numbers and expiration dates even if merchants are using EMV card readers. These stolen account numbers can then be used by cybercriminals in card-not-present transactions (for example, e-commerce) or at locations that still use magnetic stripe readers (without CVV verification).
To better protect account numbers from such RAM scrapers, some payment solutions are utilizing tokenization and point-to-point encryption (P2PE). Payment tokenization is the process of replacing the account number with another non-sensitive value that can be mapped back to the actual payment details. However, the actual implementation of tokenization can vary from vendor to vendor, which can lead to weaknesses in specific implementations of tokenization.
In general, tokenization prevents (or at least reduces the likelihood of) account numbers being stored in the RAM of POS terminals. Tokens can be single use, short-lived or long-lived. However, tokens that can be used multiple times (potentially) leave the door open for attacks against weak implementations where an attacker might discover a way to reuse tokens. In that case, it might still be possible for malware to scrape for tokens.
P2PE makes it a lot more difficult for malware to scrape account numbers. Systems that use P2PE typically encrypt payment details directly on the card-reading device so that this information is not accessible to even the POS terminals themselves. In order to compromise encrypted card data, attackers would need to compromise the actual card-reading hardware device. Since different vendors use different hardware devices, attacks on the hardware would only yield returns on a small subset of the POS market. With non-encrypted data, RAM scraping malware can target a broad swath of POS systems, whereas hardware-specific attacks require a large time investment and typically yield limited returns.
Despite the October 1st deadline and vendors starting to use tokenization and P2PE, a recent report states that only 27% of merchants have upgraded to EMV card readers and only 60% of cardholders have received chipped cards. Even though there is movement toward more secure payment infrastructure, there is still a long way to go before even known POS malware is rendered ineffective.
In addition, POS malware has typically targeted Windows-based POS terminals. However, POS terminals based on Apple’s iOS and Google’s Android OS have been gaining market share. The security models on these mobile operating systems have, thus far, raised the bar high enough that widespread attacks against those POS systems have not yet occurred. However, this may just be a matter of time, so it is important that we understand how POS malware operates.
How does POS Malware Work?
Payment card data is most vulnerable when it is in memory, as this is where it is least protected. This makes POS RAM scrapers very successful at stealing data. To keep data safe during transit, i.e. when it is passed between systems for processing a payment, it should be encrypted. If it is not, then attackers have yet another way to capture or steal card data.
- Vulnerable Software: When POS systems are configured with vulnerable versions of POS software, this opens the door to attack. When POS systems are purchased from vendors, they come with vendor-specific software that may have built-in vulnerabilities. Attackers can leverage these vulnerabilities to compromise the POS system and access credit card data.
- Abusing Remote Access Functionality: According to investigations of multiple breaches, attackers often obtain access to data by utilizing a remote administration utility using default credentials. These default credentials are added during the installation of POS software. Using a RAT and default credentials, an attacker can easily breach POS systems.
- Phishing: A very common and effective infection method, used to distribute a lot of POS malware. Phishing emails are sent to selected targets and malware is delivered either as malicious attachments or as embedded malicious links.
- Vulnerabilities in Host OS of POS Systems: Infecting the Operating System that powers ATMs/POS terminals with malware capable of stealing financial data is very efficient, as cyber crooks only need to compromise a few devices to collect credit card data and sell it in the underground market.
- Insider Threats: A malicious insider can cause quite a bit of damage to the enterprise as he/she has authorized access to POS systems and can infect the environment with POS malware. In some cases, malicious employees plug flash drives containing malware into servers containing sensitive data to compromise the payment systems.
Attackers use one or more of these attack methods to compromise POS systems and infect them with POS malware that targets and captures specific card data and exfiltrates it to another system, possibly a command-and-control (CnC) server.
While EMV and P2PE are both steps in the right direction, POS remains a target for an obvious reason: financial gain. We need to keep in mind that the POS terminal is a computer, subject to malware attacks like any other computer. Understanding the attack methods will hopefully help reduce the effectiveness of attempted exploits on retailers' networks. In addition, payment data should not be stored at all. If credit card data needs to be stored, it should be encrypted with symmetric encryption to ensure that it remains secure.
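As an added example (not code from the original post), here is a Python check that an auditor or incident responder can run over a memory snapshot of a POS process to confirm whether cleartext Track 2 data, the data a RAM scraper harvests, is actually present, and to see why P2PE or tokenization leaves nothing for a scraper to find. The three buffers are constructed: the PANs are public test numbers, and the "P2PE" and "tokenized" layouts are illustrative, not any vendor's real encoding.

```python
import re

# Track 2 equivalent data: ;PAN=YYMM<service code><discretionary data>?
# The chip's Track 2 equivalent uses the same layout, which is why EMV alone
# does not stop a scraper once the reader hands cleartext to the POS.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})\d*\??")

# Constructed sample buffers standing in for three POS process memory dumps.
PLAINTEXT_POS_RAM = (
    b"\x00\x00POSAPP;4111111111111111=25121011234567890?\x00\x00"  # real-looking
    b"LOG;4111111111111112=2512101?\x00"  # fails Luhn: a random digit run
)
P2PE_POS_RAM = b"\x00KSN=FFFF9876543210E00001 ENC=8a3f51c09be2d7f4\x00"  # ciphertext only
TOKENIZED_POS_RAM = b"\x00TOKEN=tok_9f3a7c21b0 EXP=2512 LAST4=1111\x00"  # no PAN


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Never write a full PAN to a report; keep BIN and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid Track 2 hits found in a memory buffer, PAN masked."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        yy, mm = m.group(2).decode(), m.group(3).decode()
        findings.append({"offset": m.start(), "pan_masked": mask(pan), "exp": f"{mm}/{yy}"})
    return findings


if __name__ == "__main__":
    for name, buf in (("plaintext", PLAINTEXT_POS_RAM), ("p2pe", P2PE_POS_RAM),
                      ("tokenized", TOKENIZED_POS_RAM)):
        print(name, scan_buffer(buf))
```

On a real system the input would be a process memory dump of the POS application; an empty result for the payment process is the evidence that P2PE is doing its job, and a non-empty one is a finding to fix before any malware does the same scan.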
About the Authors
Eddie Lee is a seasoned security professional with expertise in a variety of areas including: application security, security tool development, and reverse engineering. He occasionally speaks at security conferences and has been a part of a two-time 1st place CTF team at DEFCON. At AlienVault, he is a Security Researcher working with the Labs team.
Krishna Kona is a Security Researcher with 8 years of experience working in the security field. He has a Masters degree in Information Security and his interests include malware analysis, penetration testing and proactive threat research. At AlienVault, he is a Security Researcher working with the Labs team.