The US Federal Bureau of Investigation (FBI) has warned retailers to harden their defences against cyber-heists – particularly those that latch onto credit card details from shoppers, as apparently happened to Target.
The BBC reports that Reuters got its hands on the warning, which went out as a confidential report to large retailers.
The FBI reportedly said that over the past year, it’s seen about 20 cases in which data was stolen using the same type of malware as that inserted onto Target’s credit and debit card swiping-machines, cash registers and other point-of-sale (PoS) equipment.
The agency expects PoS malware crime to continue to grow in the near term, despite whatever mitigations law enforcement and security firms throw at it.
The profits are huge, and the PoS virus code is both too cheap and too widely available on underground markets for thieves to resist, the FBI said.
According to the FBI’s report, one copy of this type of PoS malware was found on sale for only $6,000 (£3,600).
That’s actually a bit pricey. I don’t know where they’re shopping, but they’re paying top dollar.
Cybersecurity consultants Group-IB back in September 2013 actually found booby-trapped bank card readers for half that price.
The ones they came across were bundled with a suite of money-stealing support services that offered to make fraud crimes a snap: $2,000 (£1,200) on a hire-purchase basis or $3,000 (£1,800) for those crooks who just want to buy the hacked terminals outright.
The FBI wasn’t naming names when it came to whose PoS systems have been ambushed, mind you, but the name Target is the one that’s ringing a lot of bells in that department these days.
A couple weeks ago, Target CEO Gregg Steinhafel told CNBC in an interview that there was malware installed on the retailer’s PoS registers.
We don’t know yet whether those rigged registers were behind the breach of Target’s (at least) 70 million data records (I know, I know, there were 40 million records originally thought to be stolen, then there was another clump of 70 million, but like Paul Ducklin has said, we don’t know if there’s overlap between the two data sets, so let’s echo his “at least 70 million”).
But it wouldn’t be terribly surprising if those hacked PoS systems were the means by which the thieves got to the vast universe of Target customers and guests.
As SophosLabs researcher Numaan Huq describes in this Naked Security article, this type of card fraud is ripe for setting us up to get card data plucked from our hands if we so much as pull out the plastic to pay for one measly candy bar.
In fact, “Buy candy, lose your credit card” is the name of a 2014 RSA security conference session in which Numaan and Chester Wisniewski will be presenting a paper on the industrialization of this type of card fraud, in February.
The subject of the paper and the presentation is one specific type of PoS malware called RAM scraping – very interesting stuff that gets into the nuances of how data is most definitely not encrypted end-to-end in PoS systems, in spite of their being compliant with the payment card industry’s data security standards, PCI-DSS, and how RAM scraping takes advantage of that.
What’s the best approach to keeping your card data safe?
As the FBI most likely detailed in its confidential report, and as Numaan absolutely did advise, businesses both big and small need to invest in protecting their critical PoS infrastructure.
As consumers, we should proactively sign up for credit monitoring so we can stay on top of our identities before they’re stolen out from under us, he also recommends.
And when it comes to paying for that candy bar, should you perhaps: a) not buy it? Sugar’s bad for you! Or maybe even b) think about using that relic we call cash?
What do you think? Have you been hit by the Target or any other PoS breach? I’ve had to cancel one card in the past week, myself.
Please feel free to share your own personal breach story below, and do let us know how you’re handling the recent rash of PoS theft, whether it’s with credit monitoring services, paying cash or any other measure.