This is how credit card readers are fueling cybercrime

Electronic Point Of Sale technology (POS) — the terminals that record sales and deal with payments in retail outlets — is more than a quarter of a century old.

The systems deliver valuable data to retailers on their busiest times, best selling products and much more. They have become such a common sight that few of us give them a second thought.

However, they deserve more of our attention. The growing use of ‘malware’ — computer code that infiltrates networks — has led to an explosion of personal data theft.

Analysis by TrustWave shows that POS infringements represent a growing proportion of security breaches in the retail, food and beverage, and hospitality industries.

Not only are attacks becoming more frequent, they are also getting more sophisticated with a growing use of cryptography, which hides the source of an attack and prevent experts from understanding the structure of malicious code.

Worse still, the technology behind these attacks is increasingly easy to find. A few thousand dollars is all it takes to buy a simple system from vendors working in private online forums.

To understand how security should be tightened around POS technology requires a brief explanation of how the underlying payment system works.

Any transaction involves three different actors: a selling point (a gas station, a clothing department store, etc.), a Payment Service Provider (PSP), and a bank or financial institution.

When a credit card is used, personal data is temporarily stored in the POS card reader’s memory in plain text. It is then encrypted and forwarded to a PSP and then to the bank.

You’ll have guessed that the critical moment is when your data is temporarily stored in the POS. That’s an easy target for criminals. And their preferred tool is a so-called “scraper”.

French researcher Xylitol says that among the thieves are some teenagers working alone, but that most of the global “trade” in credit card details is managed by powerful organized crime rings.

A 2013 report by Group-IB showed that Russian cyber-thieves earned $2.5 billion a year from stolen credit card data – mostly obtained from hacked POS terminals around the world.

These systems generally run on Windows, which can also be used for web browsing, checking mail and installing other software. And that’s the problem: cyber-criminals know that operators of POS systems use the technology to do other things.

“POS terminals should only be used for their specific purpose, period”, warns Xylitol, highlighting another typical threat: a remote control software now bundled on many POS systems.

Quite often such software is not up-to-date or lacks a strong password and represent an easy entry point for malware.

Email phishing can also be used in large-scale attacks. Criminals bet that a proportion of recipients will be using a POS terminal and then open an attachment or click on a malicious link.

The good news is that new POS technology with stronger encryption and a token system should be available soon. In the meantime, local authorities and business owners need to work together to provide customers with the security they deserve.

Author: Andrea Stroppa writes about security and technology for the World Economic Forum.

Image: An employee swipes a customer’s credit card through the card reader at a restaurant in Tokyo February 19, 2005. REUTERS/Issei Kato