Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint.
Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the malware TinyPOS.
Of the samples analyzed, 95% were loaders used to distribute malware to systems. In addition, researchers found that system compromises can go months without detection due to the small code size (2.7kb). Though researchers suggested that protecting against these attacks is not difficult, the issue for many organizations is that they are using old, outdated POS software and hardware that can do a lot of damage.
The samples were grouped into four categories: loaders, mappers, scrapers and cleaners, wrote Robert Neumann, senior security researcher at Forcepoint. “The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.”
That attackers are targeting POS systems is nothing new, particularly because they collect large amounts of personal data. Because of their vulnerabilities, Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, said POS systems have long been a prime target for cyber-criminals.
“This latest credit card–stealing malware is extremely stealth and hard to detect, making some retailers even more vulnerable. Storing data securely is another basic security tenant. If merchants store credit card information offline and don’t encrypt it, it is sure to be stolen and abused,” Wilk said.
“However, once the credit card information is stolen, businesses can combat fraudulent online transactions through verification frameworks that can confirm the identity of users and prevent this type of fraud. Analyzing their online behavior, combined with hundreds of other identifiers that hackers can't imitate or steal, is the best protection against fraud, once the user data has been leaked.”