Point of Sale systems that take payments for goods and services for the hospitality and retail industries really serve as the point-of-strike for cybercriminals stealing credit card information. Applebee’s, a popular restaurant chain, is the latest to find malware on their PoS systems that infected more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming. The malware was designed to secure names, credit or debit card numbers, expiration dates, and card verification codes.
Applebee’s is not alone in this predicament. Other companies have suffered the same indignities through their PoS systems, and the trend will continue.
Point-of-Strike
Cybercriminals have scoured the computer systems for the hospital and retail industries and found an easy way into the store network through the PoS workstation. This part of the system doesn’t check when someone has approved access to perform critical functions, as discovered by researchers at ERPScan.* The red cloak is raised, and cybercriminals just need to connect a $25 Raspberry Pi to the network to upload malicious code to come charging into the network.
Malicious software like PoSeidon, Alina, vSkimmer, Dexter, and FYSNA are uploaded to gather credit card information and send it back to the cybercriminal’s server. Another kind of point-of-sale malware discovered by researchers at Forcepoint hides inside DNS requests to steal credit card data. This UDPoS hides in a DNS request to steal credit card data, which makes it a little more stealth and harder to detect.
The other opening for cybercriminals is third-party suppliers that subcontract with restaurants and retailers. Those organizations, in turn, hire other companies creating a long chain of providers that handle sensitive data. It is in this chain that credit card information is potentially exposed.
Corralling the Bull
The only way to combat this barrage of cyberattacks is to continuously monitor PoS devices and install patches regularly. In the case of the Forever 21 PoS breach, for example, the fraudsters took advantage of some PoS devices that were not updated with the latest security.
Neutralizing the credit card information after a breach is another way to combat fraudulent transactions. Restaurants, retailers, and other companies offering services in the card-not-present (CNP) channel need to identify customers by means that don’t rely on the – potentially stolen – static data. By analyzing the user’s online behavior through hundreds of other identifiers that hackers can’t imitate or steal, the stolen data is not useful anymore.
Multi-layered security solutions that include passive biometrics and behavioral analytics allow vendors to protect customers whose data was stolen while avoiding fraud from happening in their environment.
*https://www.forbes.com/sites/forbestechcouncil/2017/09/27/the-vulnerabilities-of-a-pos-system/2/#6fb421f25973
About the Author
Ryan Wilk is the Vice President of Delivery for NuData Security. Previously, he was the manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various eCommerce roles. NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest eCommerce and web properties around the globe.
