The FBI’s Warning:

Point-of-sale (POS) systems are under attack.  In the wake of breaches at Neiman Marcus, Target and other stores over the 2013 holiday season, the FBI is now warning retailers to expect similar cyber attacks in the coming months.  The warning came in the form of a three-page report distributed to numerous retailers on January 17th, detailing the current risks to POS systems.

According to reports on the FBI’s warning (which was not made public), the FBI is convinced that POS malware attacks will continue to grow in the near term, even with more vigilance by law enforcement, retailers and information security companies.  This growing threat is due to the easy availability and affordability of POS malware offered for sale on Internet black markets.

While the warning could be seen as simply a statement of the obvious (after all, aren’t all large retailers a prime target for hackers?), it is also based on new statistical data.  The FBI informed retailers that it uncovered about twenty POS cyber intrusions over the last year, all of which used similar methods.

RAM Scraper Malware:

So what exactly is behind these attacks?  How are cyber criminals exploiting POS systems to obtain credit card numbers and other sensitive data, even in the face of widely used security requirements such as PCI-DSS (the Payment Card Industry Data Security Standard)?  The answer is a particularly nasty type of malware known as a “RAM scraper.”

PCI-DSS standards require that cardholder data must be encrypted when it is transmitted across open, public networks.  Further, although not required by the current standards, some merchants choose to implement point-to-point encryption solutions (P2PE), intended to protect cardholder data during the entire payment cycle, from card swipe until the payment process is complete.

But regardless of how encryption is implemented, there is a brief moment when card data, while resident in a computer’s random access memory (RAM), must be decrypted in order to be read and processed.  It is during this ephemeral window that the RAM scraper strikes.

Specifically, RAM scraper malware is programmed to intercept Track 1 and Track 2 payment card data (which includes the cardholder’s name, payment card number, expiration date and security code).  Because this information is in plaintext (unencrypted) form while it is processed in memory, it is vulnerable.  The malware “scrapes” the system memory at this weak point and then exports the collected data to the attacker.

Since the malware works around any encryption rather than breaking it, there is little that can be done to thwart it once it is present, regardless of the retailer’s overall system security.  According to experts, it is not feasible to encrypt data while it is in system memory.

What Can Retailers Do?

If the POS software itself is not at fault, what can be done?  Blocking malware from the system in the first place would seem to be the best course of action.   But keep in mind that POS devices are network-connected, so any system that touches the network might be an infiltration point.

Also, malware could be introduced unintentionally by someone using the system, possibly via a phishing attack such as an email attachment or malicious link sent from a trusted email account that has been compromised.  Despite these challenges, retailers may find the following practices helpful in stopping malware from reaching their POS systems:

  • Use strong passwords to access POS devices;
  • Keep POS software up to date;
  • Use firewalls to isolate the POS production network from other company systems;
  • Employ antivirus tools (and keep the antivirus software up to date);
  • Limit access to the Internet from the POS production network;
  • Disable all remote access to POS systems; and
  • Never use POS machines for any other application (such as store surveillance or employee time-keeping or web browsing).

Since the data from a RAM scraper must somehow get to the criminals, retailers should also monitor and log for unusual Internet traffic leaving their systems.  Such traffic could be a clue that there is unauthorized access to payment card data.
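The two points above, limiting Internet access from the POS production network and watching for unusual outbound traffic, combine naturally into one rule: a POS host should only ever talk to a short, known list of destinations, and anything else is worth an alert.  The script below is an added example, not part of the original article or any product; it assumes a constructed POS segment (10.20.0.0/24), a constructed egress allowlist, and a simple key=value log format that is not any particular firewall vendor’s.  It sums outbound bytes per source, destination and port so that an exfiltration split into many small uploads still surfaces as one large total.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing, constructed for this example: the POS production segment is
# 10.20.0.0/24 and its only approved outbound destinations are the payment processor
# gateway and the internal patch server.  Documentation (TEST-NET) addresses throughout.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),   # payment processor gateway, HTTPS only
    ("10.1.5.20", 8530),     # internal patch/update server
}

# Constructed firewall log lines (not a real vendor format).
SAMPLE_LOG = """\
ts=2014-01-20T09:15:02 src=10.20.0.14 dst=203.0.113.10 dport=443 bytes_out=2310 action=allow
ts=2014-01-20T09:15:09 src=10.20.0.14 dst=10.1.5.20 dport=8530 bytes_out=5120 action=allow
ts=2014-01-20T09:16:44 src=10.20.0.31 dst=198.51.100.77 dport=80 bytes_out=184320 action=allow
ts=2014-01-20T09:17:01 src=10.20.0.31 dst=198.51.100.77 dport=80 bytes_out=201114 action=allow
ts=2014-01-20T09:18:30 src=10.30.0.5 dst=198.51.100.9 dport=443 bytes_out=900 action=allow
ts=2014-01-20T09:19:12 src=10.20.0.22 dst=203.0.113.10 dport=21 bytes_out=40960 action=allow
"""


def parse_line(line: str) -> dict:
    """Split one 'key=value key=value' log line into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "bytes_out": int(fields["bytes_out"]),
    }


def find_unexpected_egress(log_text: str, allowlist=EGRESS_ALLOWLIST, segment=POS_SEGMENT) -> list:
    """Alert on POS-segment hosts talking to any (destination, port) not on the allowlist.

    Matching is on the (dst, port) pair, so the approved gateway reached on an
    unapproved port (e.g. FTP instead of HTTPS) is still flagged.
    """
    totals = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["src"] not in segment:
            continue                      # not a POS host; another rule's business
        if (ev["dst"], ev["dport"]) in allowlist:
            continue                      # expected traffic
        key = (str(ev["src"]), ev["dst"], ev["dport"])
        totals[key] += ev["bytes_out"]
        first_seen.setdefault(key, ev["ts"])
    return [
        {"src": s, "dst": d, "dport": p, "bytes_out": b, "first_seen": first_seen[(s, d, p)]}
        for (s, d, p), b in sorted(totals.items())
    ]


if __name__ == "__main__":
    for alert in find_unexpected_egress(SAMPLE_LOG):
        print(f"{alert['first_seen']} {alert['src']} -> {alert['dst']}:{alert['dport']} "
              f"{alert['bytes_out']} bytes outside allowlist")
```

Note that every line in the sample was allowed by the firewall; the point of the rule is that a permissive firewall still produces a log, and the log is where the deviation from the expected traffic pattern becomes visible.  The same allowlist is also the natural input to the firewall policy itself, so that in the best case the unexpected flows are blocked as well as logged.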

Chip and PIN to the Rescue?

Surprisingly, the U.S. credit card system may lag somewhat behind the rest of the world security-wise.  The magnetic stripe technology on credit cards dates from the 1960s.  But there is another technology out there now called Chip and PIN or “EMV” (Europay, MasterCard and Visa), which is now in place in many countries around the globe.

EMV uses a chip embedded in the card itself, coupled with the user’s PIN, to authorize payment card transactions.  While no technology is completely bullet-proof, it appears that EMV has certain security benefits, and in some places where EMV is in place there has been a drop in fraudulent activity related to payment cards.

So why aren’t EMV cards now being massively rolled out in the U.S. on an expedited basis?  There are many issues complicating the EMV rollout.  Part of it is a “chicken or the egg” scenario.  Credit card companies may be waiting on retailers to make the POS equipment upgrades required to accept EMV cards.  On the other hand, some retailers may be waiting for credit card companies to start generally issuing EMV cards before investing in new equipment.

Also, an EMV card can cost about $3.00 per card, compared to about $0.75 for the current magnetic stripe cards.  With billions of payment cards issued in the U.S., there may not be sufficient economic incentive to force a quick change-over to EMV.

So don’t look for any rapid movement to EMV in the U.S. until the various complexities relating to the rollout are resolved.  In the meantime, retailers and credit card companies will continue to struggle with the escalating arms race against ever more sophisticated malware.  Regardless, EMV is likely no panacea, even if it does eventually supplant the 50-year-old technology currently in place.