Today businesses face a real security threat in their point of sale (POS) systems and applications. More and more cybercriminals are targeting POS systems and applications because they have become the weakest link in most places that transact business with a customer’s credit card. The reasons are that most POS devices are located in public areas, in constant use, and less frequently updated and patched. Worse, the very methods and mechanisms used to patch and update these devices are the same channels cybercriminals exploit to collect credit card data. Data breaches at very large retailers and hotel chains have caused customers to lose faith in those companies’ ability to protect their sensitive information. New methods and approaches mandated by the Payment Card Industry Data Security Standard (PCI DSS) have helped regain customer confidence. But the fact of the matter is that data is still being stolen, and customers and merchants are still financially impacted.
This article discusses common exploits and how criminals get their malware and exploits onto POS systems, and explains the approaches that can be implemented to reduce the impact on businesses that experience a data breach through compromised POS systems.
How Is It Happening?
There are many approaches cybercriminals use to target a POS system, and the most common is physical tampering. Physical tampering is very difficult to prevent, largely because the devices are in constant use by employees in public environments. They are literally an arm’s length away from anyone who might see a USB port as an easy entry point for introducing malware. In many cases merchants still run old and outdated POS systems that are more vulnerable and easier to compromise simply because they lack the modern operating systems and hardware security features found on new systems. In some cases malware is installed by an employee who has physical access to the machines and exploits that access to enrich themselves. The truth is that if someone has physical access to the device, it can and will be compromised at some point.
Most IT administrators with PCI responsibility have traditionally separated and segregated the networks that POS systems operate on as a way to prevent network-based attacks. Network-level hacking has long been a traditional method of collecting credit card data: a port scan of the network identifies possible points of attack. This attack vector has been reduced significantly in today’s modern networks. Lessons learned, and the wide availability of advanced network devices such as firewalls and malware scanning software, have reduced this vulnerability. In addition, Wi-Fi is becoming more and more common in handheld POS deployments, so the networking side will require additional discipline to ensure the connection between the POS device and the POS system is encrypted and protected. Again, there are well-established methods and models for protecting the communication between POS device and POS system. While networks have become more secure, IT administrators are still required to protect them, and networks remain an attack surface that hackers target.
There are many kinds of POS malware with interesting names like GammaPOS, Abaddon, Dexter, and ModPOS, but they all do one simple thing: collect unencrypted data from a POS application. Most of them use “memory scraping” techniques. These programs reside in memory and collect data as it enters the POS device. As a card is swiped, or dipped in the case of EMV chip-and-PIN cards, the data is collected by the malware. The next step is to exfiltrate the data to a collection point that the hacker can then access. This exfiltration process is another complex aspect of data theft. The hacker must get the information out of the POS network without being detected, so they employ the very methods most vendors use to support and manage POS devices and systems. In one example, a hacker will collect the stolen data, compress it, and then split the compressed file into smaller chunks to hide the activity. Then they use the remote support mechanisms that POS vendors use to remotely support and maintain the POS systems. They may use File Transfer Protocol (FTP) or HTTP to move the data, which looks like normal operations and thus goes undetected. So once malware is on a system, all bets are off as to whether unencrypted data can be kept safe.
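A defender-side illustration of the chunked exfiltration pattern described above, added here as an example and not part of the original article or any vendor product: it scans constructed egress log lines (the "time host dest bytes" layout and the names ConstructedLog and FindChunkedUploads are assumptions) for a POS host pushing repeated, identically sized uploads to one destination, and it reports the vendor support channel at lower severity rather than ignoring it, since that is the channel the article says attackers reuse.

```go
package main

import (
	"strconv"
	"strings"
)
// ConstructedLog mimics egress records from the POS segment: "time host dest bytes".
const ConstructedLog = `2024-03-01T02:14:05Z pos-07 198.51.100.23:443 1048576
2024-03-01T02:14:09Z pos-07 198.51.100.23:443 1048576
2024-03-01T02:14:14Z pos-07 198.51.100.23:443 1048576
2024-03-01T02:14:18Z pos-07 198.51.100.23:443 1048576
2024-03-01T02:14:22Z pos-07 198.51.100.23:443 311204
2024-03-01T09:00:00Z pos-07 support.vendor.example:443 1048576
2024-03-01T09:00:04Z pos-07 support.vendor.example:443 1048576
2024-03-01T09:00:08Z pos-07 support.vendor.example:443 1048576
2024-03-01T10:15:30Z pos-12 192.0.2.40:21 20480`
// Finding is a host that pushed a burst of identically sized files to one
// destination: the footprint of a compressed archive split into chunks.
type Finding struct {
	Host, Dest, Severity string
	Count                int
}
// FindChunkedUploads flags (host, dest) pairs with at least minCount uploads of
// the same byte size. Allowlisted vendor support hosts are still reported, at
// "review" severity, because that channel is exactly what attackers reuse.
func FindChunkedUploads(raw string, allow map[string]bool, minCount int) []Finding {
	counts := map[string]int{}
	for _, ln := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(ln)
		if len(f) != 4 {
			continue // malformed line
		}
		if _, err := strconv.Atoi(f[3]); err == nil {
			counts[f[1]+" "+f[2]+" "+f[3]]++ // group by host, dest, byte size
		}
	}
	var out []Finding
	for k, c := range counts {
		if c < minCount {
			continue
		}
		f := strings.Fields(k)
		sev := "high"
		if allow[strings.Split(f[1], ":")[0]] { // vendor host, port stripped
			sev = "review"
		}
		out = append(out, Finding{Host: f[0], Dest: f[1], Severity: sev, Count: c})
	}
	return out
}
```

In real deployments the same grouping would run over a sliding time window and include the single odd-sized final chunk, which is omitted here for brevity.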
What Prevention Techniques are Available?
In 2015, MasterCard and Visa required merchants to begin using Chip-and-PIN (also known as EMV – Europay, MasterCard, Visa) POS devices instead of the magnetic swipe method for charge authorization. The intent of this new method was to reduce MasterCard’s and Visa’s liability for fraudulent charges made by cybercriminals who were able to collect the traditional magnetic stripe data from a credit card. The EMV process is more secure because the information is stored on a physical chip on the card and is encrypted. When a user dips the card into an EMV POS device, the embedded chip sends the encrypted credit card user information. A PIN challenge then validates the transaction, which is much better protected than the traditional magnetic stripe method. EMV technology makes counterfeiting credit cards much more difficult. As more merchants have required EMV, fraud at the POS device has been significantly reduced. This security measure is also used by Near Field Communication (NFC) technologies found in mobile devices for contactless payment. In NFC transactions, the device emulates a smartcard very similar to the chips used in EMV credit cards, so NFC transactions look like EMV transactions. Even when these methods are employed, neither provides protection for the transmission of sensitive payment information to the acquiring bank. POS malware, memory scrapers and other covert technologies empower criminals to capture all the payment data they need from unsuspecting retailers. The data can then be used in online or mobile transactions where EMV can’t be used. Thus, most credit card fraud is now being reported in online or mobile transactions. So even with EMV, merchants are still at risk of a credit card data breach.
Figure 1: Credit Card Payment Threat View Example shows the possible vulnerabilities at each level of the process that credit card data passes through. At each stage, data can be compromised through various methods, from malware to insider access.
With so many ways for cybercriminals to attack POS systems, how do you prevent breaches? The best answer is to take away the incentive itself by protecting the cardholder data before it ever reaches the POS system. By using techniques like end-to-end encryption rooted in the payment entry device itself, the credit card data is protected as it travels through the POS device and application. This approach makes the data immune to any malware that might be present. How is this possible? If the value of the data is zero, then even if cybercriminals acquire it, its value to them is negated. This approach is defined as a Data Centric Security Model.
Data Centric Security, P2P Encryption and Tokenization
First, encrypting the cardholder data in the payment acceptance device itself allows safe transmission of the data to the POS application and beyond, which eliminates any exposure of live information to malware that may reside there. This is known as Point-to-Point (P2P) encryption: the credit card data is encrypted at the ingestion point, in the POS device itself. A second technique, tokenization, replaces sensitive data with non-sensitive values, which allows businesses to safely store PCI data after the payment authorization process. When the two are used together, businesses remove all sensitive data values from insecure environments, and any malware in the system gets only useless encrypted or tokenized data.
In Figure 2: Data Centric Security Approach to Credit Card Payments, when a credit card is swiped or EMV is used, the recorded data is encrypted by the POS device. The POS device encrypts the transaction using a public key certificate as the encryption method. As it traverses the POS system, the credit card data remains encrypted. If any malware exists in the POS system, it will collect only encrypted data that is useless without the ability to decrypt it. One issue many IT security professionals will note is the time and cost of managing certificates on POS devices, but technology exists that can make that aspect seamless and low touch.
Once the credit card data has been encrypted, it is sent to the payment authorization processor, where it is decrypted using a private key, and then tokenization is employed. Tokenization is the process where Format Preserving Encryption (FPE) takes predefined data fields or digits in a credit card PAN (Primary Account Number) and replaces them with random characters. This new PAN is useless to anyone who collects it and is not authorized to de-tokenize the data. When the real PAN is required for the settlement process, it is de-tokenized and sent to the credit card network. The data the merchant keeps for analytics or customer service remains tokenized, so no real credit card PANs are stored. Thus this data is useless to anyone except individuals who are authorized to de-tokenize it.
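The device-side encryption, processor-side decryption and tokenization described in the last three paragraphs, as an added example in Go that is not the article’s own code or any vendor’s product. It assumes RSA-OAEP for the device’s public key encryption and a simple lookup vault in place of a real FPE mode; the names DeviceEncrypt, Processor, Authorize and Detokenize are hypothetical.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"math/big"
)
func luhnValid(s string) bool { // Luhn check digit test on a digit string
	sum := 0
	for i := range s {
		d := int(s[len(s)-1-i] - '0')
		if i%2 == 1 {
			d = d*2%10 + d*2/10 // double every second digit from the right
		}
		sum += d
	}
	return sum%10 == 0
}
// DeviceEncrypt is the payment entry device step: the PAN is sealed to the processor's public key.
func DeviceEncrypt(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte("p2pe"))
}
type Processor struct { // payment authorization side; nothing here exists in the merchant PCI zone
	Key   *rsa.PrivateKey   // private key that undoes the device encryption
	Vault map[string]string // token -> real PAN, consulted only at settlement
}
// Authorize decrypts the P2PE blob and returns a format-preserving token: same length, BIN and last four kept, random middle, Luhn-valid.
func (p *Processor) Authorize(blob []byte) (string, error) {
	pan, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Key, blob, []byte("p2pe"))
	if err != nil || len(pan) < 13 || !luhnValid(string(pan)) {
		return "", errors.New("undecryptable or malformed PAN")
	}
	tok := []byte(string(pan))
	for { // redraw the middle until the token passes Luhn (about 1 try in 10)
		for i := 6; i < len(tok)-4; i++ {
			n, _ := rand.Int(rand.Reader, big.NewInt(10))
			tok[i] = byte('0' + n.Int64())
		}
		if t := string(tok); t != string(pan) && luhnValid(t) {
			p.Vault[t] = string(pan)
			return t, nil
		}
	}
}
// Detokenize is the only path back to the real PAN, used at settlement time.
func (p *Processor) Detokenize(tok string) (string, bool) {
	pan, ok := p.Vault[tok]
	return pan, ok
}
```

Anything capturing memory on the POS side sees only the OAEP ciphertext, and anything reading the merchant’s stored records sees only a token that passes legacy Luhn checks but maps to nothing without the processor’s vault.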
As an added benefit, these solutions make it easier to adhere to the Payment Card Industry’s (PCI) increasingly onerous Data Security Standard (DSS) version 3.1. These standards aim to make PCI data security a top priority for any organization handling card payment data. Encryption and tokenization can significantly reduce the resources a business currently invests to pass its annual PCI DSS security assessment.
In Figure 3: Credit Card Data Protection Process, credit card information is encrypted at the POS device when it is collected and remains protected while in motion within the merchant PCI zone. When it is sent for processing, it is decrypted. It is also important to note that a Hardware Security Module (HSM), a dedicated and hardened security device, can be used to further protect the keys used for encryption and decryption, and the tokens. This is where the private keys and tokens can remain and be tracked for authorized use. Elsewhere, the credit card data can be used by applications and users and is protected because it is tokenized.
A big problem in implementing this type of protection is that many legacy POS systems cannot handle the introduction of traditional encryption, and retailers would have to replace their entire POS system to add this protection. Luckily, newer industry technology standards such as format-preserving encryption can allow the introduction of this vital layer of protection even in older POS systems, as well as the added benefit of allowing the encrypted data to be used without revealing the live data for most business and analytic applications.
In summary, while POS systems remain a highly probable data breach point for cybercriminals, advances in how credit card data can be protected have been developed that meet PCI DSS 3.1 standards. These advances give merchants another level of protection that safeguards their customers’ sensitive credit card data and prevents the financial liability that typically comes with data breaches at POS terminals. As cybercriminals develop better ways to compromise POS systems, merchants need to protect the credit card data at the very beginning of data collection, while also reducing their PCI audit scope.