Vulnerabilities / Threats

07:30 PM
Connect Directly

Black Friday Security: Brick-and-Mortar Retailers Have Cyber Threats, Too

PoS malware, ways to trick new payment technology, and zero tolerance for down-time or slow-time make for a stressful combination.

UPDATED: Cyber Monday sports a techie handle, but good ol' Black Friday is fraught with plenty of cybersecurity challenges as well. When shoppers hit the mall worrying about long lines and hot deals, security pros need to worry about point-of-sale (PoS) malware, fraud, new mobile payment technology, and the recent EMV liability shift.


PoS Threats On the Rise

Although PoS malware got the most attention in the summer of 2014, Trend Micro found that, in the third quarter of 2015, PoS malware increased by 66% in the third quarter of 2015 and that attackers were quite indiscriminate about their targets. Forty-five percent of it was hitting small- to medium-sized businesses.

Larger franchises are not out of the woods though. Just last week, a hospitality brand, Starwood Hotels was breached by PoS malware, exposing payment card data of customers at 54 of its hotel properties. The precise culprit has not been revealed, but the FIN5 gang has been using RawPOS to hit hotels all year.

Plus, there's new PoS malware on the scene:

  • Cherry Picker, discovered by Trustwave this month, has been around since 2011, but has remained nearly undetected in all that time because of its sophisticated encryption and obfuscation techniques.
  • AbaddonPOS: discovered by ProofPoint, also has elite obfuscation techniques, including tricks to wipe evidence of itself away. It also includes anti-analysis capabilities to frustrate researchers. Abaddon has spread through the Vawtrak malware.
  • ModPOS: described this week by iSIGHT Partners as "the most sophisticated PoS malware ever," it's more than just a card scraper. It's modular malware with a keylogger, uploader/downloader, and an assortment of plugins -- and every module operates in kernel mode where it's hard to find and hard to eject.

The immediate concern with PoS threats are that they scrape payment data stored upon them. However, researchers are also finding that attackers are also using PoSes as an entry point into the rest of the network.

"One of the reasons that PoS devices have been such an effective attack surface is that many are left unprotected without any resident anti-malware security," says Mark Parker, senior product manager at iSheriff. "These devices were long considered 'dumb terminals' and that reputation has been slow to change while the devices themselves have become more capable and in fact are often scaled down Windows machines."

[Once the systems at your brick-and-mortar shop are locked down, make sure your online shop is ready for the rush. Read "Cyber Monday: What Retailers & Shoppers Should Watch For."]

"The key to protecting cardholder data is to practice security beyond compliance by not leaving anything behind for hackers to steal," says J.D. Oder, CTO and senior vice president of research and development, Shift4 Corp. "When EMV, point-to-point encryption, and tokenization are properly implemented in a merchant environment, sensitive payment card data doesn’t enter their systems and a 'cardholder data environment' ceases to exist outside of a secured payment device."

Oders says payment card data is safest when it's hosted offsite, rather than at the retail location. "This leaves no payment data in the merchant environment to be stolen and used by hackers, even if malware were to enter the POS or PMS," he says. "After all, they can’t steal what you don’t have."

He also recommends encrypting data in-memory as well as full point-to-point encryption to protect the data in transit.


More EMV Adoption Not An Immediate Cure

Expanded adoption of EMV technology should theoretically be a positive change for brick-and-mortar security this season.

EMV, or chip-and-PIN, is a replacement for the old magnetic stripe cards. Stolen magstripe data can be turned into counterfeit credit cards, and skimmers make it very easy to steal. Yet, in the US, EMV adoption was very sluggish because both merchants and card issuers were holding out for the other to make the first move.

But last month the EMV "liability shift" took effect. So in the event of payment card fraud, whichever party -- merchant or card issuer -- that has the lesser security is the one to be stuck with liability. So if the card issuer has put an EMV chip in the card, but the merchant has not updated their PoS terminals to accept EMV, then the merchant eats the cost; and vice versa.

More chip-and-PIN cards will be in use at stores this holiday season, which could be a good thing. However, experts say not to expect an improvement overnight.

"I would tell retailers EMV is going to complicate their life" this Black Friday, says Rajesh Sharma, vice president of banking and payment applications at INSIDE Secure. As customers and customer service reps alike become familiar with the technology, lines at the register may move slowly. A slow line isn't going to be tolerated for long. So if an EMV purchase fails on the first attempt, the salepeople may quickly resort to swiping the magstripes just to keep the line moving.

"From the retailer's point-of-view, it's all about risk-reward," says Suni Munshani, CEO of Protegrity. "If security gets in the way, if some infrastructure gets in the way, they'll rip it out."

Criminals know that all too well, he says, and they'll manipulate that fact with social engineering, which untrained workers rarely recognize. "It's frightfully expensive to train temporary staff," he says.


Mobile Payment Schemes Can Be Manipulated

On top of EMV, retail sales reps have to learn all about payments made with mobile devices through systems like Apple Pay, Android Pay, and Samsung Pay.

Thirty-nine percent of respondents to a survey conducted by INSIDE Secure plan to make in-store purchases with a mobile device this holiday season. Plus, 17% of those who did not make mobile payments last year are planning to use the technology this year.

The hold-outs, according to the survey, cite security and privacy as their key reasons for declining to use it: 70% were concerned about fraud, and 70% about the privacy of their transaction data.

However, these technologies are actually doing quite a lot right when it comes to security. Payment technology experts praised Apple Pay when it was released for tokenizing payments, never communicating credit card data to the merchant, and adding biometrics to the process.

That doesn't mean it's fraud-proof. Mobile payment technology is "definitely something we've seen criminals more interested in in the last year," says John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners.

Cybercriminals are not exploiting vulnerabilities in the mobile payment technology per se, says Miller, but they're compromising weaknesses in the enrollment process. They simply load stolen payment account data into one of those mobile payment systems -- which they can do, because the banks don't always do a very good job of making sure that the device to which the account is provisioned is actually a device owned by the accountholder. Thus, an attacker can walk into a store and use their Droid or iPhone to make a purchase with someone else's money.

Apple Pay was only released in September 2014, and by March of 2015, millions of dollars of fraudulent purchases had already been made in this way with Apple Pay. 

"[Attackers are] doing in-store fraud despite EMV," says Miller, "despite all those protections."


No tolerance for down-time

"The recovery time for retail is very, very small," says Munshani. "This is when they make the most revenue."

So obviously, any denial of service -- via an attack, a system failure, or a bad patch -- is unacceptable. The concern is if a zero-day PoS vulnerability hits -- one that threatens a data theft, not a denial of service -- will retailers simply ignore it, and say 'remind me in January'?

"I don't think that would be the response anymore," says Miller. He says that retailers' awareness of security and its importance has improved enough that they would not simply ignore a critical threat. "They would want to clean it up, but they might not know how."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.