You may have heard an iconic line attributed to infamous bank robber Willie Sutton: When asked why he robbed banks, he responded by saying “because that’s where the money is.” Here we are in 2015, and the story is no different regarding the security of point-of-sale (POS) systems in retail environment. Criminals seek out these systems because they know that’s where they can gain access to a large number of records of customer data, specifically credit and debit card information.

How Do Cybercriminals Steal Customer Data?

Here are two common attack vectors and some details on what can be done to keep such systems mostly immune from attack:

1. Malware Infections

RAM-scraping malware that extracts magnetic stripe data directly out of the POS computer’s memory is the biggest concern facing retailers. This malware can be installed by an attacker who has gained access to the network via other means (such as compromised credentials, as in the case of the Target breach) or even social engineering. Given the open nature of retail environments and the high turnover rate of employees, there are other possible attack avenues, as well, such as the installation of malware directly onto the POS system via a thumb drive.

There are plenty of big-box retailers running highly vulnerable and unsupported Windows XP and Windows 2003 servers at this very moment. That’s not necessarily bad in and of itself, as long as there are compensating controls such as advanced malware protection and positive security white-listing systems that control what runs on the registers.

2. Exploiting Missing Patches

An attacker connecting the POS environment via an unsecured wireless network is a common attack. Once a foothold is gained, odds are that numerous patches are missing, offering flaws that can be exploited using a tool such as Metasploit. Again, retail systems often involve legacy programs or machines, which put them at risk. The last thing that any self-respecting system admin or retail software vendor will allow is the installation of service packs, hot fixes and related patches. With the risk of system outages due to risky software updates, there’s simply too much lose. Or is there?

Other Security Risks

It’s not uncommon for large amounts of cardholder data to end up in an unstructured fashion on mobile devices (e.g., in spreadsheet files, PDFs and the like), often unprotected in the event of loss or theft. I’ve heard plenty of stories about auditors, contractors and even software developers who have such data in their possession. All it takes is one car being broken into or one bag being lost at the airport to make a customer data breach reality.

The solution? Encrypt laptops, phones, tablets and any other mobile storage media. Given all the hands in the pie in large retail enterprises, encryption is likely not enough. A proven control that can really help lock down cardholder data is a data loss prevention (DLP) measure, which keeps the data from ever leaving its secure location to begin with.

If it’s not one of the above items exposing critical systems and sensitive information, odds are very good that it will be some other predictable security flaw such as a weak password or physical security vulnerability. There’s always a chance that other unrelated corporate systems and applications can be breached, leading to the exposure of cardholder data. Of course, there are third-party vendors with all of their network systems and applications that you have to consider, as well. As we saw in the Target breach, all it takes is one vendor that’s not all that security-savvy to lead to a world of hurt.

What Can Retailers Do to Protect Data?

There are additional security measures retailers can use to lock down their vulnerable POS environments. These include:

  • File integrity monitoring that checks for system changes;
  • Securing card readers and point-to-point encryption, which ensures that cardholder data is encrypted in transit;
  • Installing firewalls and intrusion prevention systems;
  • Limiting outbound Internet access for POS systems and disabling remote inbound access.

In the end, if people looking to commit such crimes against retailers really want in, they’re going to find a way. It’s up to retailers to make their systems as secure as possible. The thing that makes it so difficult is that the criminals have nothing but time; those working in IT and security for retailers don’t. But with periodic system upgrades, consistent security evaluations and open communication among involved parties, secure customer data can be closer than ever before.

More from Malware

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…