Credit Card Number Theft: POS Malware and the Path of Least Resistance

January 15, 2014 by Jason Soroko     No Comments

It was December 2011 when we first read about payment card number theft that occurred at Subway sandwich shops. Now, we’re sorting through the theft of 40 million payment cards from Target. That number was revised to 70 million names and identifying information such as phone numbers.  

shutterstock_77125048Researchers, most notably Brian Krebs, have done a great job breaking and covering the story. Krebs also brought to everyone’s attention the theft of high-value payment card numbers from Neiman Marcus. More payment card theft will likely be reported soon.

In the case of the recent retail store point-of-sale (POS) systems, stealing this card information has been accomplished by malware. Once the point-of-sale computer is infected with malware, the internal memory of the computer is monitored for credit card information. If the credit card does not have an EMV chip, the card can be cloned. Thankfully, it has been reported that the debit card PINs that were stolen were encrypted, and the key to unlock that encryption were stored externally from Target’s compromised systems.

Point-of-sale malware is following a similar lifecycle to banking malware such as the Zeus virus, which has been responsible for stealing millions of dollars from bank accounts. Since the source code for Zeus was released, we have seen an explosion of variants of this banking malware. This enabled the capabilities and sophistication of the malware to keep up with many defensive strategies such as SMS second-factor authentication.  

Dexter is a point-of-sale malware that is analogous to Zeus in that the source code has been made available to the underground fraudster community. Not surprisingly, more powerful variations of Dexter have been created to perform additional malicious capability, which mostly seem to be related to exfiltrating the payment card information to the fraudsters.

It’s worth considering the latest round of payment card number thefts to try to model what may happen next. The history of electronic security has shown that fraudsters follow the path of least resistance. Credit card theft is nothing new, but payment card issuers in the US have been slow to adopt security measures and this has created a huge opportunity for fraud. It’s important to understand this from the fraudster’s point of view.

For a credit card that lacks the protection of EMV chip technology, the track information on the magnetic stripe is all the fraudster needs to be able to clone the card. Mag stripe skimmers have been stealing credit card information for a long time.

Zeus and its variants have been successful in infecting desktop PCs, many of which contain some kind of endpoint security technology. Dexter and its variants are infecting POS systems, most of which are dedicated desktop PCs that potentially have even less security than personal desktop PCs.  

All merchants who deal with credit cards must have PCI compliance. In the case of the earlier Subway sandwich breach, it was deemed to be non-PCI compliant. The ongoing investigation of Target will likely reveal the source of weaknesses. But what anyone who uses a credit card must keep in mind is that this kind of card number theft is not new, and is likely to continue on a mass scale. Why? Because it is a path of least resistance for fraudsters.

If you use a credit card, having an EMV chip is a great idea and it will help protect you from card cloning. If you use a credit card online, you should be using the additional online password technologies that are offered by Visa and MasterCard. Until these card security features are more widespread, especially in the US, we’ll likely be reading more news stories — and they’ll be all too similar to the Target and Neiman Marcus breaches.

Jason Soroko

About

Jason Soroko is Head of Malware Research for Entrust. Soroko has spent more than 10 years with Entrust in various developer or architect roles. As malware becomes more advanced, the need for Entrust to understand evolving threats requires considerable investment. Soroko frequents security conferences and tradeshows to educate the industry on identity-based security and ensures Entrust stays at the forefront of understanding this offensive capabilities possessed by today’s malicious actors. Prior to joining Entrust, Jason worked in Geographic Information Systems (GIS) for the oil and gas industry.

Add to the Conversation