The recent announcement by outdoor clothing retailer Eddie Bauer about a point of sale data breach is a reminder to CISOs to be vigilant about their POS systems even if they accept credit and debit cards with EMV-encrypted chips, which are ubiquitous across Canada.
Those cards are far more resistant to attack than legacy cards, which hold cardholder data only on a magnetic stripe on the back; that data can be copied from the RAM of point of sale machines. Home Depot and Target were recent victims of such memory scrapers.
However, Owen Wild, global marketing director for enterprise fraud and security at POS manufacturer NCR, warns that EMV is not intended to provide, and does not provide, immunity against POS malware. “EMV must be combined with the implementation of hardware point-to-point encryption to provide protection from malware,” he said in an email statement.
It isn’t clear, however, whether the latest generation of POS malware is getting at data from EMV cards.
Experts interviewed suggest memory scraping of data from POS terminals is still a goal of criminals who are after mag stripe-only cards and, perhaps, hope that some encrypted data from a chip card will be decrypted in terminals before being transmitted to back-end systems.
Two weeks ago Eddie Bauer warned customers in Canada and the U.S. – where cards with EMV chips are slowly replacing mag stripe cards – that some customers’ payment card information used at its stores between Jan. 2 and July 17 may have been accessed.
A spokesperson for the company went even further in a statement to ITWorldCanada.com, saying, “The malware that affected Eddie Bauer was designed to steal payment card information as soon as it was swiped or inserted into point of sale registers.”
Only cards with EMV chips, which have microprocessors that encrypt cardholder data including the PIN, can be inserted into POS devices. Mag-stripe cards are swiped.
Security experts and card issuers have known since 2008 that mag stripe cards are vulnerable to RAM scraping and can be forged, because some POS devices hold data temporarily in memory before it is encrypted and transmitted to back-end software for processing. That’s why card manufacturers came up with EMV cards, which generate single-use encryption tokens that should defeat interception.
EMV chips “can definitely stop the point of sale malware that was trying to intercept the card data before it got encrypted,” maintains John Pescatore, director of emerging security trends, SANS Institute. “I haven’t heard anybody say they’ve found a fundamental flaw (after the EB breach) in the way the chip cards do their communications or encryption.”
So does the malware Eddie Bauer found get around the chip encryption? Is that why it is warning all customers, including those in Canada, where chip cards are overwhelmingly in use?
The answer is not simple. First, the Eddie Bauer statement says the malware it found was “designed” to steal data from both inserted (meaning chip) and swiped (mag stripe) cards. It doesn’t say the malware successfully steals chip-encrypted data.
Second, the malware may not try to get at EMV encrypted data. The goal may be only to get card numbers, points out Andre Romanovskiy, cyber risk practice leader at Deloitte Canada, who specializes in the financial sector. With card numbers, criminals could steal money or goods from banks or retailers online – what the industry calls non-card-present fraud.
Hypothetically, he said in an interview, the card number could be available even for a chip-enabled card when malicious code is injected into a POS device. “Sometimes just grabbing the card number is sufficient to publish (it) in Pastebin on the Dark Web” for sale, he said. If the purchaser can match the card number to other personal information of the owner that has been stolen to either make another card or use the combined data for other types of fraud, so much the better.
But, Romanovskiy said, Eddie Bauer hasn’t given details about their breaches to security researchers. As a result, he added, the entire industry is guessing what the vulnerabilities are in these two incidents.
Earl Carter, a senior researcher with Cisco Systems’ Talos threat intelligence group, also believes cards with chips aren’t invulnerable to POS malware. “I’m not an expert on the EMV protocol, but from what I’ve read even though there’s a chip the reader itself can still request things like the card number, CVV value … So technically the malware could have access to all that information.”
It should also be remembered that while most Canadian credit/debit card users will insert (or tap) their chip cards into readers, some might still swipe. And tourists from countries where chip cards aren’t yet widely distributed – like the U.S. – wouldn’t be able to insert or tap.
POS malware should be disappearing in North America as the number of chip cards increases. In Canada, EMV chip and PIN technology started being distributed in 2008 and was largely completed by 2013. However, in the U.S. merchants have only been required since October 2015 to have POS terminals that handle chip cards. The majority of cards there are mag stripe-only. So POS malware makers will continue to target the U.S. until vulnerable mag stripe cards are all but eliminated.
There’s no shortage of new POS malware:
- Earlier this month PandaLabs described a version called POSCardStealer, which has infected hundreds of Windows-based terminals in bars and restaurants in the U.S. since last September. It installs RAM-scraping malware called Multigrain that pulls data copied into memory from mag stripe cards.
- A year ago Trustwave SpiderLabs described a family of POS malware it calls Punkey, which includes a keylogger (which can be used on PC-connected point of sale systems) as well as a RAM scraper for mag stripe data. In June of this year security writer Brian Krebs reported Punkey was apparently used to get at POS data on the U.S.-based Cici Pizza chain. The chain’s main point-of-sale service provider told Krebs that the hackers used social engineering to trick employees into installing the malware.
- In December 2015, Cisco’s Carter co-wrote a column on the company’s Talos threat intelligence blog about RAM-scraping malware it calls ProPOS. Again, this would appear to go after mag stripe cards.
In 2015, IBM executive security advisor Limor Kessem noted in a blog that POS malware increasingly has multiple capabilities. For example, she wrote, a distributed denial-of-service (DDoS) module was added to FighterPOS; PoSeidon runs a routine to steal remote control credentials from endpoints using LogMeIn; NewPosThings dumps virtual network computing (VNC) passwords, also used for remote control; Punkey-compromised data can be encrypted and sent to numerous control servers simultaneously to complicate investigation into where the data went. Punkey is configurable malware that can compromise several POS systems.
Deloitte’s Romanovskiy also notes that EMV chip and PIN technology does have its faults. As outlined in 2014 by Threatpost.com, researchers at the University of Cambridge found that the chip in EMV cards at the time didn’t always generate an unpredictable number, or nonce, for each transaction to ensure its integrity. That could allow an attacker to compute the authentication code needed, for example, to withdraw money from an ATM. It isn’t clear if that problem has since been resolved.
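An added example, not from the article or from the Cambridge researchers: a small Python audit that checks a batch of logged unpredictable numbers (EMV tag 9F37) for the weaknesses just described, namely values that repeat, values that climb like a counter, and bit positions that never change. The log line format, the sample logs and the thresholds are constructed assumptions for this example.

```python
import random
import re
from collections import Counter

UN_BITS = 32  # EMV tag 9F37 (Unpredictable Number) is a 4-byte value
# Assumed log format (constructed for this example): "... 9F37=<8 hex digits> ..."
UN_RE = re.compile(r"9F37=([0-9A-Fa-f]{8})")

def parse_uns(log_lines):
    """Return the UNs found in the log lines as integers, in log order."""
    return [int(m.group(1), 16) for m in map(UN_RE.search, log_lines) if m]

def audit_uns(uns, max_fixed_bits=4, counter_step=256, counter_ratio=0.5, min_samples=16):
    """Return sorted findings for a batch of UNs; an empty list means nothing suspicious.
    'repeat': a UN was issued twice. 'counter': at least counter_ratio of consecutive
    UNs rise by <= counter_step. 'fixed_bits': more than max_fixed_bits bit positions
    never change (only judged once min_samples values are available)."""
    if len(uns) < 2:
        return []
    findings = set()
    if any(n > 1 for n in Counter(uns).values()):
        findings.add("repeat")
    steps = [b - a for a, b in zip(uns, uns[1:])]
    if sum(1 for s in steps if 0 < s <= counter_step) / len(steps) >= counter_ratio:
        findings.add("counter")
    if len(uns) >= min_samples:
        all_and = all_or = uns[0]
        for u in uns[1:]:
            all_and &= u
            all_or |= u
        # a bit is fixed if it is 1 in every sample (AND) or 0 in every sample (~OR)
        mask = (1 << UN_BITS) - 1
        fixed = bin(all_and).count("1") + bin(~all_or & mask).count("1")
        if fixed > max_fixed_bits:
            findings.add("fixed_bits")
    return sorted(findings)

def counter_like_log(n=16):
    """Constructed log of a terminal that uses a transaction counter as its UN."""
    return [f"txn={i} 9F37={0x0100 + i:08X}" for i in range(n)]

def random_like_log(n=24, seed=7):
    """Constructed log of a terminal whose UNs come from a seeded PRNG (stand-in for a sound RNG)."""
    rng = random.Random(seed)
    return [f"txn={i} 9F37={rng.getrandbits(UN_BITS):08X}" for i in range(n)]

if __name__ == "__main__":
    print(audit_uns(parse_uns(counter_like_log())))  # ['counter', 'fixed_bits']
    print(audit_uns(parse_uns(random_like_log())))   # []
```

The thresholds are deliberately loose; a real acceptance test would also want far more samples and a proper randomness test suite behind this quick triage.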
CISOs have to remember that because many POS systems are Windows- or Unix-based with terminals that connect to PCs, malware can spread to point of sale terminals through common exploits such as credential theft and social engineering. So tough identity and access management is imperative across the enterprise in addition to security solutions on POS terminals – including isolating terminals from the rest of the network.
IBM also recommends using two-factor authentication for all access to protected zones, enforcing end-to-end data encryption to the highest extent possible, and employing data loss prevention solutions to prevent exfiltration of data.