Just in time for the holiday shopping season, security researchers have announced a new security threat that strikes at the heart of most merchants: the cash register.
For the past year, researchers at iSight Partners, a cybersecurity firm in Dallas, have been tracking a new form of malware, dubbed ModPOS, that attacks point of sale, or POS, machines at the kernel level. The kernel is the core of the operating system: it mediates every application's access to hardware, memory and input/output, and code that runs there holds the highest privilege on the machine and sits below the layer most antivirus products inspect. The malware is particularly pernicious because it hides itself and encrypts the consumer information it steals before transmitting it, says Stephen Ward, a senior director at iSight.
The malware may already have been part of the network break-ins against national retailers in 2013 and 2014, Ward says, though he did not specify which ones. During that time frame, hackers made off with millions of consumer credit card numbers from prominent retailers including Home Depot and Staples. But the danger is there for any company that uses point of sale terminals.
"This is not the first foray into cybercrime or retail targeting by the actors behind this; they are really sophisticated," Ward says. "All retailers should be concerned."
Most malware runs as ordinary user-level software, probing for open doors into computer systems, and that is the layer antivirus software is built to watch. ModPOS instead loads into the kernel, beneath the layer those tools inspect, which is how it stays hidden deep within a compromised network and evades antivirus software.
To give a sense of the sophistication, Ward says it took his team a month to reverse engineer the threat, once they discovered it. By contrast, Ward says it took the company's researchers just 30 minutes to reverse engineer another recent POS threat, called Cherry Picker.
Ward says iSight has been privately prepping retailers about the threat over the past few months, and it went public with a report in October.
The discovery comes at a particularly sensitive time for merchants, not only because this is the busiest time of the year for most, when by some estimates U.S. retailers will notch $630 billion in sales, but also because most merchants are now in the process of switching over to terminals that accept chip cards, also known as EMV cards. The cards offer more effective protection against counterfeiting because the chip produces a unique cryptogram for each transaction, so data captured from one purchase cannot be used to clone the card. (The chip does not by itself verify the cardholder; that is the job of the PIN or signature.)
Unfortunately, the new chip cards do nothing to stop the POS malware, says Julie Conroy, a security expert and senior researcher with Aite Group. The chip stops the card from being copied, but the card number and expiry date still pass through the POS system's memory in the clear while the transaction is processed, unless the reader encrypts them first, and that is exactly where memory-scraping malware reads them. In addition to credit card numbers, the ModPOS malware also probes networks for other types of information, for example customer credentials that might include logins and passwords, loyalty program information, and any other consumer information that might be useful for identity theft and fraud.
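The point above can be shown in a few lines. The following is an added example, not code from the article or from iSight: a minimal memory scraper of the kind a POS implant runs, scanning a constructed snapshot of POS memory from a chip transaction. The chip's cryptogram is present, but the PAN still sits in plaintext beside it, so the scraper finds it; when the same track data is encrypted inside the reader before the POS software sees it (the `reader_encrypt` stand-in, an assumption for a real point-to-point encryption reader), the scraper finds nothing. The memory contents are constructed, and 4111111111111111 is the widely published Visa test number.

```python
# Added example, not code from the article or from iSight: a minimal memory scraper of
# the kind a POS implant runs, to show why an EMV chip by itself does not stop it and
# why encrypting the card data inside the reader does. All memory contents below are
# constructed; 4111111111111111 is the widely published Visa test PAN.
import hashlib
import hmac
import re

# Track 2 layout: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]*)\??")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; scrapers use it to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list[str]:
    """What a RAM scraper does: find Track-2-shaped data and keep the Luhn-valid PANs."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


# Constructed snapshot of POS process memory during a chip transaction. The chip has
# produced a one-time cryptogram (the ARQC), but the PAN and expiry still sit in the
# clear next to it, because the POS application needs them to build the authorization.
PLAINTEXT_MEMORY = (
    b"\x00\x00EMV:ARQC=A1B2C3D4E5F60718\x00"
    b"TRACK2=;4111111111111111=25121011234567890?\x00"
    b"SESSION=1234567890123456=20151120001\x00"   # track-shaped but fails Luhn
    b"TOTAL=42.17\x00"
)


def reader_encrypt(track2: bytes, key: bytes) -> bytes:
    """Stand-in for point-to-point encryption performed inside the card reader.
    Assumption: a real P2PE reader uses DUKPT-derived 3DES/AES keys; here an HMAC-SHA256
    keystream only illustrates that the POS software never sees the plaintext digits."""
    stream = b""
    block = 0
    while len(stream) < len(track2):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(track2, stream)).hex().encode()


def build_p2pe_memory(key: bytes) -> bytes:
    """Same transaction, but the reader encrypted the track before handing it over."""
    enc = reader_encrypt(b";4111111111111111=25121011234567890?", key)
    return (b"\x00\x00EMV:ARQC=A1B2C3D4E5F60718\x00TRACK2=" + enc
            + b"\x00TOTAL=42.17\x00")


if __name__ == "__main__":
    print("plaintext POS memory   :", scrape_pans(PLAINTEXT_MEMORY))
    print("reader-encrypted memory:", scrape_pans(build_p2pe_memory(b"reader-key")))
```

Run stand-alone, the first line lists the test PAN and the second prints an empty list. The second constructed record, which looks like track data but fails the Luhn check, is dropped, which is why real scrapers carry that check: it keeps the stolen file small and clean.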
Nevertheless, here are three things you should consider doing now:
1. Utilize more encryption.
Since ModPOS can evade antivirus detection, you may want to explore endpoint encryption, software that encrypts data stored on your own machines as well as on any removable devices, says Avivah Litan, a vice president and analyst at Gartner. Most payment processors that set up merchants with their point of sale machines also offer endpoint encryption as a service, says Litan. Note that encrypting data at rest does not protect card data while it is being processed in memory; what blunts a memory scraper is having the card reader encrypt the card data before it reaches the POS software (point-to-point encryption), so the register never holds the plaintext card number, and that is what the processor-provided service should cover.
2. Have an expert take a look.
If you think your system has been compromised, you'll need to bring in a forensics expert to sort out the problem, say Conroy and Ward. That can be an expensive procedure, however, as forensics experts can charge hundreds of dollars an hour to analyze your system. But the alternative of swallowing costs for losses related to fraud can be much higher, they say.
3. Examine network behavior.
Large retailers, with extensive IT divisions and deeper pockets for security outlays, frequently use behavioral analytics software that can detect unexpected changes to the systems themselves, such as new kernel-level code appearing on a register, and unusual traffic, such as a register sending data to an unfamiliar destination. While these systems are generally too expensive for smaller merchants, Litan says, it's worth mentioning that the capability exists.
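Two of the behavioural checks such products perform can be scripted without a commercial suite. The following is an added example, not from the article or any vendor product, run over constructed sample data: it diffs the loaded kernel drivers on a register against a reviewed baseline and flags anything new or unsigned, and it totals outbound traffic from the register to any destination that is not on an allow list. The inventory and flow-log formats, driver names, paths and addresses are all assumptions made up for the example and are not indicators of ModPOS.

```python
# Added example, not from the article or any vendor product: two checks a merchant can
# script without a behavioural-analytics suite, run here over constructed sample data.
# 1. Diff the loaded kernel drivers against a known-good baseline and flag anything new
#    or unsigned; a kernel-level implant has to load code at that level.
# 2. Flag outbound connections from a register to anything but the payment processor.
#    An implant that encrypts what it steals defeats content inspection, but a register
#    has no business talking to unfamiliar hosts at all.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Driver:
    name: str
    path: str
    signed: bool


def parse_driver_inventory(text: str) -> set[Driver]:
    """Constructed inventory format: name<TAB>path<TAB>signed|unsigned, one per line."""
    drivers = set()
    for line in text.strip().splitlines():
        name, path, sig = line.split("\t")
        drivers.add(Driver(name, path, sig == "signed"))
    return drivers


def suspicious_drivers(baseline: set[Driver], current: set[Driver]) -> list[Driver]:
    """Anything not in the reviewed baseline, plus anything unsigned wherever it came from."""
    flagged = {d for d in current if d not in baseline or not d.signed}
    return sorted(flagged, key=lambda d: d.name)


def unexpected_egress(flow_log: str, allowed: set[str]) -> dict[str, int]:
    """Constructed flow format: timestamp host dest:port bytes. Returns bytes sent per
    destination that is not on the allow list."""
    totals: dict[str, int] = defaultdict(int)
    for line in flow_log.strip().splitlines():
        _ts, _host, dest, nbytes = line.split()
        if dest not in allowed:
            totals[dest] += int(nbytes)
    return dict(totals)


# Constructed data; names, paths and addresses are illustrative, not indicators of ModPOS.
BASELINE_INVENTORY = """
ntoskrnl\tC:\\Windows\\System32\\ntoskrnl.exe\tsigned
tcpip\tC:\\Windows\\System32\\drivers\\tcpip.sys\tsigned
poscard\tC:\\Program Files\\POS\\poscard.sys\tsigned
"""
CURRENT_INVENTORY = BASELINE_INVENTORY + "winsrv32\tC:\\Windows\\Temp\\winsrv32.sys\tunsigned\n"

EGRESS_LOG = """
2015-11-20T14:02:11 pos-07 gateway.processor.example:443 2310
2015-11-20T14:02:40 pos-07 time.example.net:123 76
2015-11-20T14:03:05 pos-07 203.0.113.45:443 1048576
2015-11-20T14:09:52 pos-07 203.0.113.45:443 1048576
"""
ALLOWED_DESTINATIONS = {"gateway.processor.example:443", "time.example.net:123"}


if __name__ == "__main__":
    base = parse_driver_inventory(BASELINE_INVENTORY)
    cur = parse_driver_inventory(CURRENT_INVENTORY)
    for d in suspicious_drivers(base, cur):
        print(f"driver alert: {d.name} {d.path} signed={d.signed}")
    for dest, n in unexpected_egress(EGRESS_LOG, ALLOWED_DESTINATIONS).items():
        print(f"egress alert: {dest} sent {n} bytes")
```

The baseline has to be taken from a register you have reviewed, and the allow list is short on purpose: a register needs the payment gateway, time, and whatever your back office uses, and nothing else. Because the stolen data leaves encrypted, the destination and the volume are the signals worth alerting on, not the content.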
Correction: An earlier version of this post incorrectly raised the possibility of a link between the malware and network break-ins at such big retailers as Target and Home Depot. Ward did not draw the connection with these specific incidents. This post has been revised to reflect that the events occurred in about the same time frame.