UPDATED: Cyber Monday sports a techie handle, but good ol' Black Friday is fraught with plenty of cybersecurity challenges as well. When shoppers hit the mall worrying about long lines and hot deals, security pros need to worry about point-of-sale (PoS) malware, fraud, new mobile payment technology, and the recent EMV liability shift.
PoS Threats On the Rise
Although PoS malware got the most attention in the summer of 2014, Trend Micro found that, in the third quarter of 2015, PoS malware increased by 66% in the third quarter of 2015 and that attackers were quite indiscriminate about their targets. Forty-five percent of it was hitting small- to medium-sized businesses.
Larger franchises are not out of the woods though. Just last week, a hospitality brand, Starwood Hotels was breached by PoS malware, exposing payment card data of customers at 54 of its hotel properties. The precise culprit has not been revealed, but the FIN5 gang has been using RawPOS to hit hotels all year.
Plus, there's new PoS malware on the scene:
- Cherry Picker, discovered by Trustwave this month, has been around since 2011, but has remained nearly undetected in all that time because of its sophisticated encryption and obfuscation techniques.
- AbaddonPOS: discovered by ProofPoint, also has elite obfuscation techniques, including tricks to wipe evidence of itself away. It also includes anti-analysis capabilities to frustrate researchers. Abaddon has spread through the Vawtrak malware.
- ModPOS: described this week by iSIGHT Partners as "the most sophisticated PoS malware ever," it's more than just a card scraper. It's modular malware with a keylogger, uploader/downloader, and an assortment of plugins -- and every module operates in kernel mode where it's hard to find and hard to eject.
The immediate concern with PoS threats are that they scrape payment data stored upon them. However, researchers are also finding that attackers are also using PoSes as an entry point into the rest of the network.
"One of the reasons that PoS devices have been such an effective attack surface is that many are left unprotected without any resident anti-malware security," says Mark Parker, senior product manager at iSheriff. "These devices were long considered 'dumb terminals' and that reputation has been slow to change while the devices themselves have become more capable and in fact are often scaled down Windows machines."
[Once the systems at your brick-and-mortar shop are locked down, make sure your online shop is ready for the rush. Read "Cyber Monday: What Retailers & Shoppers Should Watch For."]
"The key to protecting cardholder data is to practice security beyond compliance by not leaving anything behind for hackers to steal," says J.D. Oder, CTO and senior vice president of research and development, Shift4 Corp. "When EMV, point-to-point encryption, and tokenization are properly implemented in a merchant environment, sensitive payment card data doesn’t enter their systems and a 'cardholder data environment' ceases to exist outside of a secured payment device."
Oders says payment card data is safest when it's hosted offsite, rather than at the retail location. "This leaves no payment data in the merchant environment to be stolen and used by hackers, even if malware were to enter the POS or PMS," he says. "After all, they can’t steal what you don’t have."
He also recommends encrypting data in-memory as well as full point-to-point encryption to protect the data in transit.
More EMV Adoption Not An Immediate Cure
Expanded adoption of EMV technology should theoretically be a positive change for brick-and-mortar security this season.
EMV, or chip-and-PIN, is a replacement for the old magnetic stripe cards. Stolen magstripe data can be turned into counterfeit credit cards, and skimmers make it very easy to steal. Yet, in the US, EMV adoption was very sluggish because both merchants and card issuers were holding out for the other to make the first move.
But last month the EMV "liability shift" took effect. So in the event of payment card fraud, whichever party -- merchant or card issuer -- that has the lesser security is the one to be stuck with liability. So if the card issuer has put an EMV chip in the card, but the merchant has not updated their PoS terminals to accept EMV, then the merchant eats the cost; and vice versa.
More chip-and-PIN cards will be in use at stores this holiday season, which could be a good thing. However, experts say not to expect an improvement overnight.
"I would tell retailers EMV is going to complicate their life" this Black Friday, says Rajesh Sharma, vice president of banking and payment applications at INSIDE Secure. As customers and customer service reps alike become familiar with the technology, lines at the register may move slowly. A slow line isn't going to be tolerated for long. So if an EMV purchase fails on the first attempt, the salepeople may quickly resort to swiping the magstripes just to keep the line moving.
"From the retailer's point-of-view, it's all about risk-reward," says Suni Munshani, CEO of Protegrity. "If security gets in the way, if some infrastructure gets in the way, they'll rip it out."
Criminals know that all too well, he says, and they'll manipulate that fact with social engineering, which untrained workers rarely recognize. "It's frightfully expensive to train temporary staff," he says.
Mobile Payment Schemes Can Be Manipulated
On top of EMV, retail sales reps have to learn all about payments made with mobile devices through systems like Apple Pay, Android Pay, and Samsung Pay.
Thirty-nine percent of respondents to a survey conducted by INSIDE Secure plan to make in-store purchases with a mobile device this holiday season. Plus, 17% of those who did not make mobile payments last year are planning to use the technology this year.
The hold-outs, according to the survey, cite security and privacy as their key reasons for declining to use it: 70% were concerned about fraud, and 70% about the privacy of their transaction data.
However, these technologies are actually doing quite a lot right when it comes to security. Payment technology experts praised Apple Pay when it was released for tokenizing payments, never communicating credit card data to the merchant, and adding biometrics to the process.
That doesn't mean it's fraud-proof. Mobile payment technology is "definitely something we've seen criminals more interested in in the last year," says John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners.
Cybercriminals are not exploiting vulnerabilities in the mobile payment technology per se, says Miller, but they're compromising weaknesses in the enrollment process. They simply load stolen payment account data into one of those mobile payment systems -- which they can do, because the banks don't always do a very good job of making sure that the device to which the account is provisioned is actually a device owned by the accountholder. Thus, an attacker can walk into a store and use their Droid or iPhone to make a purchase with someone else's money.
Apple Pay was only released in September 2014, and by March of 2015, millions of dollars of fraudulent purchases had already been made in this way with Apple Pay.
"[Attackers are] doing in-store fraud despite EMV," says Miller, "despite all those protections."
No tolerance for down-time
"The recovery time for retail is very, very small," says Munshani. "This is when they make the most revenue."
So obviously, any denial of service -- via an attack, a system failure, or a bad patch -- is unacceptable. The concern is if a zero-day PoS vulnerability hits -- one that threatens a data theft, not a denial of service -- will retailers simply ignore it, and say 'remind me in January'?
"I don't think that would be the response anymore," says Miller. He says that retailers' awareness of security and its importance has improved enough that they would not simply ignore a critical threat. "They would want to clean it up, but they might not know how."