This is how credit card readers are fueling cybercrime

Andrea Stroppa
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale

Electronic Point Of Sale technology (POS) — the terminals that record sales and deal with payments in retail outlets — is more than a quarter of a century old.

The systems deliver valuable data to retailers on their busiest times, best selling products and much more. They have become such a common sight that few of us give them a second thought.

However, they deserve more of our attention. The growing use of ‘malware’ — computer code that infiltrates networks — has led to an explosion of personal data theft.

Analysis by TrustWave shows that POS infringements represent a growing proportion of security breaches in the retail, food and beverage, and hospitality industries.

Not only are attacks becoming more frequent, they are also getting more sophisticated with a growing use of cryptography, which hides the source of an attack and prevent experts from understanding the structure of malicious code.

Worse still, the technology behind these attacks is increasingly easy to find. A few thousand dollars is all it takes to buy a simple system from vendors working in private online forums.

To understand how security should be tightened around POS technology requires a brief explanation of how the underlying payment system works.

Any transaction involves three different actors: a selling point (a gas station, a clothing department store, etc.), a Payment Service Provider (PSP), and a bank or financial institution.

When a credit card is used, personal data is temporarily stored in the POS card reader’s memory in plain text. It is then encrypted and forwarded to a PSP and then to the bank.

You’ll have guessed that the critical moment is when your data is temporarily stored in the POS. That’s an easy target for criminals. And their preferred tool is a so-called “scraper”.

French researcher Xylitol says that among the thieves are some teenagers working alone, but that most of the global “trade” in credit card details is managed by powerful organized crime rings.

A 2013 report by Group-IB showed that Russian cyber-thieves earned $2.5 billion a year from stolen credit card data – mostly obtained from hacked POS terminals around the world.

These systems generally run on Windows, which can also be used for web browsing, checking mail and installing other software. And that’s the problem: cyber-criminals know that operators of POS systems use the technology to do other things.

“POS terminals should only be used for their specific purpose, period”, warns Xylitol, highlighting another typical threat: a remote control software now bundled on many POS systems.

Quite often such software is not up-to-date or lacks a strong password and represent an easy entry point for malware.

Email phishing can also be used in large-scale attacks. Criminals bet that a proportion of recipients will be using a POS terminal and then open an attachment or click on a malicious link.

The good news is that new POS technology with stronger encryption and a token system should be available soon. In the meantime, local authorities and business owners need to work together to provide customers with the security they deserve.

Author: Andrea Stroppa writes about security and technology for the World Economic Forum.

Image: An employee swipes a customer’s credit card through the card reader at a restaurant in Tokyo February 19, 2005. REUTERS/Issei Kato 

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum