Is There a False Sense of Security with Pin and Chip POS Technology

Posted by Dan Lowe on 2016-08-29 19:33:07


With the news about pin and chip cards being more secure, I was feeling more comfortable knowing that my credit card information was going to be protected, but I was wrong! It started when I received an email from the issuing bank letting us know that we had thousands of dollars in charges at some very familiar retailers and online stores, but it wasn’t us – the criminals were making fraudulent charges on my new credit card which had a secure chip or smartchip inside. I wondered how that could happen, so I started investigating the situation further and found that criminals were very creative and had stolen my mail which had my new credit cards... that started an avalanche of fraudulent charges.



But what does feeling secure mean? My first exposure came while traveling to Romania, where I realized that I could not just swipe my card and charge my restaurant bill to my credit card; they required a PIN number in order to complete the transaction, hence my introduction to EMV cards. Since merchants in the US have begun to implement POS terminals that accept credit cards with both a magnetic stripe and a chip, it gave me a higher level of reassurance, as PCI DSS standards would enforce better security with merchants.

Unfortunately, my VISA credit card number is still displayed on the front of the card and the CVC (Card Verification Code) is still printed on the back, which allows criminals with the right tools to make a fake card with a magnetic stripe encoded with my information. Criminals could go directly to the store and use the fake card to make purchases. They also went to online stores to purchase items using the CNP (card not present) approach and had the packages sent to a temporary location or picked up by different individuals. It took just a few days to steal thousands of dollars.
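The fraud path described above leaves a trace in authorization data: a card that carries a chip arrives as a stripe read, or with no card present at all. The following is an added example, not from the original post, of issuer-side triage over constructed records; the entry-mode codes, the `Auth` record and the `triage` rules are assumptions for illustration and should be checked against the card network's own specifications.

```python
from dataclasses import dataclass

# Assumed POS entry-mode values, following common ISO 8583 field 22 usage.
MANUAL, CHIP, FALLBACK, ECOMMERCE, MAGSTRIPE = "01", "05", "80", "81", "90"

@dataclass
class Auth:                      # hypothetical authorization record
    pan_last4: str
    entry_mode: str              # how the card data reached the terminal
    service_code: str            # 3 digits from the stripe; "" if no track was read
    terminal_has_chip: bool
    pin_verified: bool

def card_has_chip(service_code: str) -> bool:
    # ISO/IEC 7813: a first digit of 2 or 6 marks a card that carries a chip.
    return service_code[:1] in ("2", "6")

def triage(a: Auth) -> str:
    """Label one authorization by how much the chip actually protected it."""
    if a.entry_mode == CHIP:
        return "ok: chip read" + ("" if a.pin_verified else ", no PIN")
    if a.entry_mode in (MAGSTRIPE, FALLBACK) and card_has_chip(a.service_code):
        # The stripe of a chip card was used: the pattern a cloned stripe produces.
        if a.terminal_has_chip:
            return "review: chip card swiped at chip terminal"
        return "elevated: chip card swiped at stripe-only terminal"
    if a.entry_mode in (MANUAL, ECOMMERCE):
        # Printed number and verification code were enough; the chip played no part.
        return "elevated: card not present"
    return "ok: stripe-only card swiped"

# Constructed sample data, not real transactions.
SAMPLE = [
    Auth("4242", CHIP, "201", True, True),
    Auth("4242", MAGSTRIPE, "201", True, False),
    Auth("4242", MAGSTRIPE, "201", False, False),
    Auth("4242", ECOMMERCE, "", False, False),
    Auth("1881", MAGSTRIPE, "101", True, False),
]

def run():
    return [triage(a) for a in SAMPLE]

if __name__ == "__main__":
    for auth, verdict in zip(SAMPLE, run()):
        print(auth.pan_last4, auth.entry_mode, verdict)
```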

Upon further investigation, I found that Point of Sale (POS) devices are not immune to criminals wanting to steal credit card information. Since the new POS devices have both magnetic stripe and smart chip readers, they are not immune to RAM scraper malware that can intercept the information that is destined for the POS terminal memory. Employees who use computers that have access to POS information may also have rights to access the Internet, which can increase the risk of malware attacks targeted at machines that are used as a central repository for credit card information. More merchants are using tablets as their POS terminal and cash register, which can add another level of security issues as malware attacks are on the rise for Android-based tablets.

There are merchants still using older Embedded Windows XP-based POS software. These systems are no longer supported as of April 12, 2016, and they are vulnerable to malware attacks. In addition, some of these Windows-based systems require OS upgrades, but some merchants may be resistant to upgrading their machines, whether because of cost or something else. A relatively new type of POS malware known as Treasurehunt steals payment information through a computer’s memory and is circumventing some of the security tools. Criminals are targeting merchants that do not use the pin and chip terminals, as they are the easiest targets for cybercriminals, so customers may need to beware of using credit cards to make purchases at antiquated POS terminals.

Criminals will attack merchants with older or outdated POS systems as their systems may not have the latest protection, but it doesn’t mean that newer POS systems are impenetrable to attack either. It would have helped me if I had added another authentication layer to my credit card. By adding a pin number to my credit card transaction, it may have reduced the fraudulent charges. In addition, I signed up for the credit card notification service which sends a text to me on recent credit card transactions. I am grateful for credit card companies being supportive during these challenging times. As I look at some of the POS malware vulnerabilities, I am still astounded by the number of ways criminals can still steal my information and use it for their own profit. You may want to review an article entitled "POS Security: Lessons for Every Business Employing Such Systems," which provides a deeper understanding of POS systems.

To learn more about the anatomy of a POS attack, attack vectors, and prevention methods, you can download a technical whitepaper describing these methods. Antimalware SDKs have been available for many years and can help reduce malware attacks, as many POS manufacturers know the different points of vulnerability and how to reduce the criminal attack surface. Adding advanced antimalware engines to the ecosystem could be a benefit to consumers and merchants alike.

Dan Lowe

Dan Lowe is the OEM Senior Marketing Manager. He has worked at multiple security companies in the last 10 years and manages the OEM marketing team. He has a unique perspective on the industry as he has worked with different security technologies, such as: Antimalware, Firewalls, VPNs, DLP, and E-DRM.

Topics: Threats, Technology, POS