SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Point-of-sale malware attacks still strong in 2016
Wed, 2nd Mar 2016
FYI, this story is more than a year old

Point-of-sale breaches continue to make headlines in the IT world, and according to Carbon Black, the trend isn't going anywhere in 2016.

Christopher Strand, PCIP, senior director of Compliance and Governance for Carbon Black, says there are a number of factors the are contributing to POS attacks.

1. Strand says the pressure to adopt EMV technology will continue to draw attention.

“Although most statistics point to full EMV adoption not taking place until well into 2017 or 2018, attackers will be free to take advantage of retailers in the process of implementing these devices,” he explains.

“Rushed or partial deployments that leave the PoS infrastructure unprepared to run EMV properly, along with customer and merchant confusion, will make this situation ripe for savvy attackers.

2. Attackers will continue to target ill-prepared PoS systems.

Although the vulnerabilities are well-documented, organisations continue to struggle with their security hygiene, so that issues such as lax security configurations and weak passwords will leave many vulnerable to attack, Strand says.

“As a result, cybercriminals will continue to breach PoS environments using variants of the same malware that we've seen used for past breaches.

3. The continued use of unsupported popular PoS operating systems will also leave merchants vulnerable to attack.

“During the past two years, three popular Windows operating systems – two of which are directly related to many major PoS platforms (Win XP and XP embedded) – reached their end-of-life,” says Strand.

“The vulnerabilities of these systems are still being discovered, creating another dimension of IT security risk that many merchants are failing to consider seriously.

4. Mobile payments and eCommerce widen the threat window.

According to Strand, new ‘card not present' scenarios may present unfamiliar threats to organisations, and 2016 is likely to see an increasing number of threats targeting other types of payment systems.

5. Increasingly complex regulatory environments will present new challenges to merchants.

“We can expect to see more regulations, fines and other consequences associated with payment systems as the community responds to continued threats,” Strand says.

“This is something for every merchant or payment provider to consider, and it may be time to re-assess their security policies and ability to enforce these.

Strand says many who think they are not subject to the scrutiny of particular regulations and mandates may find they are now accountable.

6. An increasing awareness of security will lead to more sophisticated PoS malware.

Strand says as more merchants embrace the inevitability of cyber-attacks, malware authors will boost their efforts to stay under the radar and outflank security tools.

He says new PoS malware will target different segments of an organisation's environment that may be outside the conventional areas of attack.

“While this approach is not as fast and easy for the attacker, it is generally more difficult to detect,” Strand explains.

“Malware authors are taking advantage of known exploit vectors found across enterprise systems, as well as intelligence on what has worked against PoS and payment systems,” he says.

“Clearly PoS and payment providers will need to build allegiances and share information more than ever in 2016.