
Black Friday Security: Brick-and-Mortar Retailers Have Cyber Threats, Too

PoS malware, ways to trick new payment technology, and zero tolerance for down-time or slow-time make for a stressful combination.

UPDATED: Cyber Monday sports a techie handle, but good ol' Black Friday is fraught with plenty of cybersecurity challenges as well. When shoppers hit the mall worrying about long lines and hot deals, security pros need to worry about point-of-sale (PoS) malware, fraud, new mobile payment technology, and the recent EMV liability shift.


PoS Threats On the Rise

Although PoS malware got the most attention in the summer of 2014, Trend Micro found that PoS malware increased by 66% in the third quarter of 2015 and that attackers were quite indiscriminate about their targets: 45% of it was hitting small- to medium-sized businesses.

Larger franchises are not out of the woods, though. Just last week, hospitality brand Starwood Hotels was breached by PoS malware, exposing payment card data of customers at 54 of its hotel properties. The precise culprit has not been revealed, but the FIN5 gang has been using RawPOS to hit hotels all year.

Plus, there's new PoS malware on the scene:

  • Cherry Picker: discovered by Trustwave this month, it has been around since 2011 but has remained nearly undetected in all that time because of its sophisticated encryption and obfuscation techniques.
  • AbaddonPOS: discovered by Proofpoint, it also has elite obfuscation techniques, including tricks to wipe away evidence of itself, and anti-analysis capabilities to frustrate researchers. Abaddon has spread through the Vawtrak malware.
  • ModPOS: described this week by iSIGHT Partners as "the most sophisticated PoS malware ever," it's more than just a card scraper. It's modular malware with a keylogger, uploader/downloader, and an assortment of plugins -- and every module operates in kernel mode where it's hard to find and hard to eject.

The immediate concern with PoS threats is that they scrape the payment data held on the terminal. However, researchers are also finding that attackers use PoS systems as an entry point into the rest of the network.

"One of the reasons that PoS devices have been such an effective attack surface is that many are left unprotected without any resident anti-malware security," says Mark Parker, senior product manager at iSheriff. "These devices were long considered 'dumb terminals' and that reputation has been slow to change while the devices themselves have become more capable and in fact are often scaled down Windows machines."

[Once the systems at your brick-and-mortar shop are locked down, make sure your online shop is ready for the rush. Read "Cyber Monday: What Retailers & Shoppers Should Watch For."]

"The key to protecting cardholder data is to practice security beyond compliance by not leaving anything behind for hackers to steal," says J.D. Oder, CTO and senior vice president of research and development, Shift4 Corp. "When EMV, point-to-point encryption, and tokenization are properly implemented in a merchant environment, sensitive payment card data doesn’t enter their systems and a 'cardholder data environment' ceases to exist outside of a secured payment device."

Oder says payment card data is safest when it's hosted offsite, rather than at the retail location. "This leaves no payment data in the merchant environment to be stolen and used by hackers, even if malware were to enter the POS or PMS," he says. "After all, they can’t steal what you don’t have."

He also recommends encrypting data in-memory as well as full point-to-point encryption to protect the data in transit.
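The architecture Oder describes, encryption inside the payment device plus tokenization at the offsite processor, is easiest to see in code. The following is an added example written for this article, not Shift4's or any vendor's implementation: the class names (PaymentDevice, Processor), the provision() and scan_record() helpers, the HMAC-SHA256 keystream that stands in for the AES/DUKPT scheme a real reader uses, and the Luhn-valid test card number are all constructed for illustration. It contrasts a legacy sale, where the PoS software stores the clear card number, with a P2PE sale, where only a random token and a masked number ever reach the merchant's records, and then runs the same digit-pattern discovery check a data-discovery scan (or a scraper) would run over each record.

```python
"""Toy model of point-to-point encryption (P2PE) plus tokenization: the PAN is
encrypted inside the reader and replaced by a token at the processor, so the
merchant's own systems never hold it.  Constructed example; an HMAC-SHA256
keystream stands in for the AES/DUKPT scheme a real reader uses."""
import hashlib
import hmac
import json
import re
import secrets

# Standard Luhn-valid test card number, not a real account (constructed input).
TEST_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (stand-in for AES inside a P2PE reader)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class PaymentDevice:
    """Secured card reader: the only component on the premises that sees a clear PAN."""

    def __init__(self, p2pe_key: bytes):
        self._key = p2pe_key  # loaded at key injection; never exported to the PoS software

    def read_card(self, pan: str) -> dict:
        """Encrypt at the read head; the PoS receives only ciphertext and a masked PAN."""
        nonce = secrets.token_bytes(12)
        ct = bytes(p ^ k for p, k in zip(pan.encode(), _keystream(self._key, nonce, len(pan))))
        return {"nonce": nonce.hex(), "ct": ct.hex(), "masked": "*" * (len(pan) - 4) + pan[-4:]}


class Processor:
    """Offsite payment host: decrypts, authorizes and keeps the token vault."""

    def __init__(self, p2pe_key: bytes):
        self._key = p2pe_key
        self._vault = {}  # token -> PAN; lives here, never on the merchant network

    def authorize(self, blob: dict, amount_cents: int) -> str:
        nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
        pan = bytes(c ^ k for c, k in zip(ct, _keystream(self._key, nonce, len(ct)))).decode()
        if not luhn_ok(pan) or amount_cents <= 0:
            raise ValueError("declined")
        token = secrets.token_urlsafe(16)  # random, so nothing about the PAN is derivable
        self._vault[token] = pan
        return token

    def lookup(self, token: str) -> str:
        """Only the processor can turn a token back into a PAN (e.g. for a refund)."""
        return self._vault[token]


def provision():
    """Create a reader/processor pair sharing one P2PE key (key-loading stand-in)."""
    key = secrets.token_bytes(32)
    return PaymentDevice(key), Processor(key)


def legacy_sale(pan: str, amount_cents: int) -> dict:
    """Pre-P2PE flow: the PoS software handles and stores the clear PAN."""
    return {"pan": pan, "amount_cents": amount_cents, "approved": luhn_ok(pan)}


def p2pe_sale(device: PaymentDevice, proc: Processor, pan: str, amount_cents: int) -> dict:
    """P2PE + tokenization flow: the PoS only ever holds a token and a masked PAN."""
    blob = device.read_card(pan)  # card is dipped at the reader, never typed into the PoS
    token = proc.authorize(blob, amount_cents)
    return {"token": token, "masked": blob["masked"], "amount_cents": amount_cents}


# Data-discovery check (the same pattern a RAM scraper hunts for): any Luhn-valid
# run of 13-19 digits in a memory or disk dump is a stored PAN.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scan_record(record: dict) -> list:
    """Scan a transaction record as it would sit in PoS memory or on disk."""
    return [m for m in PAN_RE.findall(json.dumps(record)) if luhn_ok(m)]
```

Running scan_record over legacy_sale(TEST_PAN, 4999) finds the card number; running it over the record returned by p2pe_sale finds nothing, because the only values the PoS ever held were ciphertext it could not decrypt, a masked number, and a token that is meaningful only inside the processor's vault. That is the sense in which the "cardholder data environment" stops existing outside the secured device.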


More EMV Adoption Not An Immediate Cure

Expanded adoption of EMV technology should theoretically be a positive change for brick-and-mortar security this season.

EMV, or chip-and-PIN, is a replacement for the old magnetic stripe cards. Stolen magstripe data can be turned into counterfeit credit cards, and skimmers make it very easy to steal. Yet, in the US, EMV adoption was very sluggish because both merchants and card issuers were holding out for the other to make the first move.

But last month the EMV "liability shift" took effect: in the event of payment card fraud, whichever party -- merchant or card issuer -- has the weaker security is the one stuck with the liability. So if the card issuer has put an EMV chip in the card but the merchant has not updated its PoS terminals to accept EMV, the merchant eats the cost, and vice versa.

More chip-and-PIN cards will be in use at stores this holiday season, which could be a good thing. However, experts say not to expect an improvement overnight.

"I would tell retailers EMV is going to complicate their life" this Black Friday, says Rajesh Sharma, vice president of banking and payment applications at INSIDE Secure. As customers and customer service reps alike become familiar with the technology, lines at the register may move slowly. A slow line isn't going to be tolerated for long. So if an EMV purchase fails on the first attempt, the salespeople may quickly resort to swiping the magstripes just to keep the line moving.

"From the retailer's point-of-view, it's all about risk-reward," says Suni Munshani, CEO of Protegrity. "If security gets in the way, if some infrastructure gets in the way, they'll rip it out."

Criminals know that all too well, he says, and they'll manipulate that fact with social engineering, which untrained workers rarely recognize. "It's frightfully expensive to train temporary staff," he says.


Mobile Payment Schemes Can Be Manipulated

On top of EMV, retail sales reps have to learn all about payments made with mobile devices through systems like Apple Pay, Android Pay, and Samsung Pay.

Thirty-nine percent of respondents to a survey conducted by INSIDE Secure plan to make in-store purchases with a mobile device this holiday season. Plus, 17% of those who did not make mobile payments last year are planning to use the technology this year.

The hold-outs, according to the survey, cite security and privacy as their key reasons for declining to use it: 70% were concerned about fraud, and 70% about the privacy of their transaction data.

However, these technologies are actually doing quite a lot right when it comes to security. Payment technology experts praised Apple Pay when it was released for tokenizing payments, never communicating credit card data to the merchant, and adding biometrics to the process.

That doesn't mean it's fraud-proof. Mobile payment technology is "definitely something we've seen criminals more interested in in the last year," says John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners.

Cybercriminals are not exploiting vulnerabilities in the mobile payment technology per se, says Miller, but they're compromising weaknesses in the enrollment process. They simply load stolen payment account data into one of those mobile payment systems -- which they can do, because the banks don't always do a very good job of making sure that the device to which the account is provisioned is actually a device owned by the accountholder. Thus, an attacker can walk into a store and use their Droid or iPhone to make a purchase with someone else's money.

Apple Pay was only released in September 2014, and by March of 2015, millions of dollars of fraudulent purchases had already been made in this way with Apple Pay. 

"[Attackers are] doing in-store fraud despite EMV," says Miller, "despite all those protections."


No tolerance for down-time

"The recovery time for retail is very, very small," says Munshani. "This is when they make the most revenue."

So obviously, any denial of service -- via an attack, a system failure, or a bad patch -- is unacceptable. The concern is if a zero-day PoS vulnerability hits -- one that threatens a data theft, not a denial of service -- will retailers simply ignore it, and say 'remind me in January'?

"I don't think that would be the response anymore," says Miller. He says that retailers' awareness of security and its importance has improved enough that they would not simply ignore a critical threat. "They would want to clean it up, but they might not know how."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
