This just in – criminals have successfully embedded malware on point-of-sale (POS) systems to capture credit card information from these systems in memory and transmit it to nefarious sites. According to Seculert, an Israel-based security firm, tens of thousands of credit cards have been compromised on hundreds of POS systems around the world. Should you be worried?
I’ve worked with several clients over the years who have worked to remove repositories of cardholder data from their systems to minimize scope. While many of these folks were successful in eradicating most of these data stores from their environments, a huge percentage of them continue to have POS systems that process (but no longer store!) cardholder data in memory. This has helped reduce exposure and scope by concentrating it to just one place – where the cardholder data passes through the memory of these systems for a brief moment in time, or as I’ve often said in the past, "where the fastball hits the catcher’s glove." In the technology world, microseconds can still feel like an eternity, especially if malware is able to capture all transactional data passing through the memory of these systems. While many of our prior conversations seemed theoretical, it appears that this is now a clear and immediate threat.
Who is this Poin(t of Sale) Dexter?
The malware, named Dexter, is purportedly a variant of Zeus (the infamous banking Trojan), and has been found on Windows-based systems. At the time of this posting, it is not certain how the malware made its way onto these systems. The infected systems show that it was capturing data in memory, specifically looking for track (magnetic stripe) data, which contains the credit card number, name, expiration date, etc. The captured cardholder data was then transmitted to malicious servers so that the criminals could duplicate the credit cards for fraudulent purposes.
What Steps Can I Take to Prevent This From Happening to Me?
- First and foremost, your POS systems and servers should NEVER be allowed to access the Internet. You should have firewalls and access control lists to prevent all (if possible) outbound access from these systems.
- In the event that your POS system(s) must communicate over the Internet for business reasons (e.g., in Europe, many merchants connect to their middleware providers over the Internet), you should only allow outbound access to those specific authorized target hosts over the specific ports/protocols that you must use. This is a basic PCI DSS requirement anyhow.
- Your cardholder data environment, including your POS systems, should be treated as critical systems. There should not be unfettered access between these systems and other internal "trusted" systems if those systems have no business need to share communications with the POS systems.
- You should ensure that all systems are currently patched and tested (PCI DSS requirements 6.2 and 11.2).
- You should ensure that all systems susceptible to malware (e.g., Windows-based systems) have current versions of anti-malware software (PCI DSS requirement 5.x).
- If you are using an "embedded" Windows-based operating system, do not be lulled into a false sense of security. These boxes may not be inherently secure and you should perform penetration tests to ensure that there are no potential attack vectors.
- As a longer term solution, you may want to consider an end-to-end encryption (E2EE) solution as that would potentially make the POS system worthless to an attacker.
- Do you have any other suggestions?
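As an added example (not code from this post), the egress control in the first two steps expressed as an audit over firewall flow records: any connection from the POS segment to the Internet that the firewall allowed but that is not on the authorized host/protocol/port list is reported. The POS subnet, the middleware host and port, and the flow-record format are all constructed assumptions.

```python
"""Audit POS egress against an allowlist of authorized destinations."""
import ipaddress
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    action: str


# Constructed: the network segment holding the POS terminals.
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
# Internal (RFC 1918) ranges; traffic to these is not Internet egress.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: the only authorized Internet destination for the POS
# segment is the middleware provider on TCP/443.
EGRESS_ALLOWLIST = {("203.0.113.10", "tcp", 443)}

# Constructed firewall flow records: "src dst proto dport action".
SAMPLE_FLOWS = """\
10.20.30.15 203.0.113.10 tcp 443 allow
10.20.30.15 198.51.100.77 tcp 80 allow
10.20.30.22 10.20.1.5 tcp 445 allow
10.20.30.22 198.51.100.53 udp 53 allow
10.20.30.40 203.0.113.10 tcp 8443 deny
192.168.5.9 198.51.100.77 tcp 443 allow
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-record format, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, action = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), action.lower()))
    return flows


def is_internet(addr: str) -> bool:
    """True when the address lies outside the internal RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE)


def audit_egress(flows: List[Flow]) -> List[Flow]:
    """Return POS-to-Internet flows the firewall allowed despite not being
    on the allowlist. Denied flows are not reported: the control worked."""
    return [f for f in flows
            if ipaddress.ip_address(f.src) in POS_SEGMENT
            and f.action == "allow"
            and is_internet(f.dst)
            and (f.dst, f.proto, f.dport) not in EGRESS_ALLOWLIST]


if __name__ == "__main__":
    for f in audit_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"unauthorized egress: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Flows to internal hosts (the third record) are not egress and fall under the separate segmentation step; extend the check with an internal allowlist if you want that covered too.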
In short, I would be hard pressed to imagine that any of the compromised businesses in this case were PCI compliant at the time of the breach, since most of the preventative controls are a basic part of the PCI standard. Nonetheless, this creative attack should be used to raise the PCI community’s awareness that this potential threat is real.