Malware to steal data from POS systems is widely available

On December 22, 2017, Jason’s Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations.

From initial investigation findings, criminals deployed RAM-scraping malware on a number of point-of-sale (POS) terminals at various corporate-owned Jason’s Deli restaurants starting on June 8, 2017. The data at risk is the card's full track data; while its exact contents vary from card issuer to card issuer, full track data can include the following: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

According to ITRC Breach ID ITRC20180116-01 from DataBreachReport_2018, almost 2,000,000 records were reported exposed in this breach.

PoS Device and Network Setup Weaknesses

PoS systems are difficult to secure, mostly because of their role and their exposed location in the network. They handle critical information and at the same time must be administered remotely, a scenario typical of corporate environments that implement software package management solutions.

Common PoS Device Malware Families and How They Scrape and Send Credit Card Information Back to Attackers

To comply with PCI DSS requirements, the payment card industry uses a set of security standards that enforce end-to-end encryption of sensitive payment data captured from payment cards when this data is transmitted, received, or stored. However, when the information is first read from the card, it sits in the PoS device’s memory in unencrypted form. PoS malware exploits this window by capturing the payment card information directly from memory; this behavior is known as “RAM scraping.” Several malware families that target PoS devices are known to exist in the wild. These families are all widely available in underground marketplaces and have been used in various attacks.

  • vSkimmer
  • Dexter
  • Decebel
  • BlackPOS
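As an added illustration (not code from the original article), this is the check a defender runs to confirm that no cleartext track data is sitting in PoS memory, for instance when validating a P2PE deployment: scan a memory snapshot for Track 1 and Track 2 records, discard pattern hits whose PAN fails the Luhn check, and report only masked PANs. The snapshot bytes, cardholder name and card numbers (public test numbers) are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Magnetic-stripe records as they sit in PoS memory right after a swipe, before the
# application encrypts them (the window a RAM scraper reads from):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^[^^?]{2,26}\^(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?]*\?")
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check: separates real PANs from digit runs that merely match the pattern."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    track: int
    offset: int
    masked_pan: str         # last four digits only; the scanner must not re-expose the PAN
    expiry_yymm: str
    service_code: str

def scan_for_track_data(snapshot: bytes) -> List[Finding]:
    """Return every Luhn-valid track record in a memory snapshot, PAN masked, by offset."""
    findings = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(snapshot):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue        # counters, timestamps and similar digit runs fail mod-10
            expiry = (m.group("yy") + m.group("mm")).decode()
            findings.append(Finding(track, m.start(), "*" * (len(pan) - 4) + pan[-4:],
                                    expiry, m.group("svc").decode()))
    return sorted(findings, key=lambda f: f.offset)

# Constructed snapshot: two records built from public card test numbers, plus one decoy
# whose PAN matches the pattern but fails the Luhn check, embedded in filler bytes.
SAMPLE_SNAPSHOT = (
    b"\x00\x00pos-app heap\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000?\x00\x00"
    b";4111111111111112=2512101000000?"
    b"txn=0042;5555555555554444=25121010000000000?\x00"
)
```

Run against a real snapshot, a non-empty result after P2PE rollout means the terminal still exposes the data a RAM scraper is after.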

What Should Consumers Do?

While consumers cannot control whether or not their favorite business establishments are secure against PoS malware, they can take some steps to ensure that their accounts are not put at unnecessary risk.

  • Check Your Bank and Credit/Debit Card Statements
  • Ask for a Chip-and-PIN Card

How to Secure Networks Against PoS System Breaches: Practical Steps to Take

Implementation of PCI DSS

  • Install and maintain a firewall to facilitate network segmentation
  • Change default system passwords and other security parameters
  • Encrypt transmission of cardholder data across open, public networks
  • Encrypt stored primary account number (PAN) and do not store sensitive authentication data
  • Use and regularly update security software
  • Use an intrusion prevention system (IPS) at critical points and at the perimeter of the cardholder data environment (CDE)
  • Use file integrity monitoring software
  • Use strong authentication including two-factor authentication for remote systems
  • Monitor all network and data access (SIEM)

Test security systems, perform penetration testing, and implement a vulnerability management program.

Maintain security policies and implement regular training for all personnel.

Implement multi-layered protections including outside the CDE. Typically, the attacker needs to traverse multiple networks and layers of security before reaching a POS system. Any single layer that the attacker is unable to bypass prevents successful data exfiltration.

Implement P2PE or EMV (“Chip and PIN”).

Increase network segmentation and reduce pathways between the CDE and other networks.

Maintain strict auditing on connections between the CDE and other networks. Reduce the number of personnel who have access to systems that can reach both the CDE and other networks.

Employ two-factor authentication at all entry points to the CDE and for any personnel with access rights to the CDE.

Employ two-factor authentication for all system configuration changes within the CDE.

Implement system integrity and monitoring software to leverage features such as system lockdown, application control, or whitelisting.