With the holiday season upon us, we can expect the annual uptick in cybercriminals targeting merchants. Some of these attacks will involve the usual suspects of phishing attacks, malware and Trojans, but there are two particular attack vectors that are growing both in volume and sophistication: point-of-sale (POS) malware and loyalty card hacks.
There has been a spike in POS malware over the past couple of years. In 2014, such malware came to be associated with botnet capabilities, increasing its attraction to criminals. Then, from the beginning of 2014 to mid-2015, 15 new families of POS malware were identified, all with more powerful capabilities than previous strains, targeting industries including retail, hospitality, food and beverage and travel.
Lax security — such as infrequent updates and patching at POS terminals — make these stations the weakest link in the chain. Many also run on Windows XP, which is no longer being patched by Microsoft.
According to Trustwave, around 40 percent of breaches in 2014 were POS-related. ABI Research estimated that the number of POS-related security incidents with confirmed data breaches will reach 600 by the end of 2015.
Smaller companies are more frequently being targeted by cybercriminals, with a shift seen from highly targeted attacks to those launched en masse. Many of these smaller organizations lack the security resources or budget to adequately secure their environment, which can lead to data breaches.
POS malware aims to scrape the RAM memory of POS terminals in order to steal credit and debit card data. It is particularly attractive for cybercriminals because rewards can be lucrative and they do not need to be physically present to execute an attack. In some cases, POS terminals are used by employees to receive email or to browse the Internet, both of which increase the chances of a malware infection. The latest POS malware seen uses encryption for the data that it exfiltrates, making it hard to know what data has been stolen.
Security incidents caused by POS malware can have negative consequences for a merchant’s brand. In many cases, the stolen card data and personal information can be used to make fraudulent purchases, which will likely dent customer loyalty and brand reputation.
There has also been an uptick in security incidents involving loyalty cards. According to the “2015 Colloquy Loyalty Census,” there has been a 26 percent increase in loyalty card scheme memberships in the U.S. since 2013. Additionally, the average household now belongs to 29 loyalty programs, of which 17 are inactive.
Loyalty card accounts tend to be less secure than other types such as credit and debit, yet they offer some of the same benefits as real money. The cards themselves are also often inadequately protected, often with just a four-digit PIN or password. Consumers tend to use the same passwords for many accounts, which could lead to multiple accounts being compromised after one breach. According to CreditCards.com, of the 27 loyalty-related websites reviewed, half relied on simple PINs or passwords and just one-third used two-factor authentication.
Another concern with loyalty cards is the potential for identity theft. Many loyalty programs store a great deal of information, including names, birth dates, physical address, email addresses and payment card details, with some even storing other personal data such as income levels. This sort of information is extremely valuable to cybercriminals and can be used by an attacker to steal identity.
As one door closes — which will happen with credit card security as the EMV standard becomes more widely adopted — attackers will look to pry open another. The growth of POS malware and attacks on loyalty cards are evidence of this.
Such attacks are also becoming increasingly sophisticated. Any merchant relying on traditional POS terminals or loyalty programs should ensure that security is extended to these areas. Otherwise, losses could be large, particularly over the holiday season when consumers shop in droves and cybercriminals follow.