15 Apr 15

POS Providers Feel Brunt of PoSeidon Malware

“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.

Image: Cisco.

One basic tool that banks use to learn the source of card data theft involves determining a “common point-of-purchase” (CPP) among a given set of customer cards that experience fraud. When a new batch of cards goes on sale at an online crime shop, banks will often purchase a very small number of their stolen cards to determine if the victim customers all shopped at the same merchant across a specific time period.

This same CPP analysis was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years, and it is a method heavily relied upon by law enforcement agencies to identify breach victims.

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale.

Increasingly, however, fraudsters selling stolen cards don’t need to make sausage: The victims that are leaking card data are already subsets of restaurant franchises or retail establishments whose only commonality is the branded point-of-sale device which they rely upon to process customer card transactions.
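
The CPP method described above, as an added worked example (not code from the article, nor from any bank or vendor it names): it intersects the in-window merchant lists of a handful of sampled cards, shows why a "sausage" batch defeats that intersection, and adds the vendor-level fallback the last paragraph points at. The card histories, merchant names, dates and the merchant-to-POS-vendor mapping are all constructed; a bank would normally not have that mapping at all, which is exactly the diagnostic gap the next section describes.

```python
"""Common point-of-purchase (CPP) analysis over a sampled batch of stolen cards.

Added example, not code from the article or from any bank or vendor it names.
The card histories, merchant names, dates and the merchant-to-POS-vendor
mapping are all constructed for illustration.
"""
from collections import Counter
from datetime import date

# Window the fraud shop's batch is believed to cover (constructed).
WINDOW_START = date(2015, 3, 1)
WINDOW_END = date(2015, 3, 10)

# Constructed: which POS vendor runs each merchant's terminals. A bank usually
# lacks this (it has no relationship with the vendor); it is assumed here to
# show the vendor-level fallback the article describes.
MERCHANT_VENDOR = {
    "Brick Street Bar": "VendorY",
    "Harbor Grill": "VendorX",
    "Pine Bistro": "VendorX",
    "Soup Corner": "VendorX",
    "MegaMart": "BigRetailPOS",
    "Gas-N-Go": "PumpPOS",
}

# Constructed transaction histories for sampled cards: (merchant, date).
CARD_HISTORY = {
    "card-1": [("Brick Street Bar", date(2015, 3, 2)), ("MegaMart", date(2015, 3, 3))],
    "card-2": [("Brick Street Bar", date(2015, 3, 5)), ("Gas-N-Go", date(2015, 3, 6))],
    "card-3": [("Brick Street Bar", date(2015, 3, 9)), ("MegaMart", date(2015, 3, 1))],
    "card-4": [("Harbor Grill", date(2015, 3, 4)), ("MegaMart", date(2015, 3, 7))],
    "card-5": [("Pine Bistro", date(2015, 3, 8)), ("Gas-N-Go", date(2015, 3, 2))],
    "card-6": [("Soup Corner", date(2015, 3, 6)), ("MegaMart", date(2015, 3, 8))],
    # visit to the breached bar predates the window, so it must not count
    "card-7": [("Brick Street Bar", date(2015, 1, 20)), ("Gas-N-Go", date(2015, 3, 3))],
}


def merchants_in_window(card, start=WINDOW_START, end=WINDOW_END, history=CARD_HISTORY):
    """Merchants where the card was used inside the analysis window."""
    return {merchant for merchant, day in history[card] if start <= day <= end}


def common_point_of_purchase(batch, start=WINDOW_START, end=WINDOW_END, history=CARD_HISTORY):
    """Merchants that appear on every sampled card in the batch: the CPP."""
    per_card = [merchants_in_window(c, start, end, history) for c in batch]
    return set.intersection(*per_card) if per_card else set()


def common_vendor(batch, start=WINDOW_START, end=WINDOW_END,
                  history=CARD_HISTORY, vendor_of=MERCHANT_VENDOR):
    """POS vendors shared by every card's in-window merchants.

    Fallback for the case the article describes: no merchant in common, but
    every card touched some merchant running the same branded POS system.
    """
    per_card = [{vendor_of[m] for m in merchants_in_window(c, start, end, history)}
                for c in batch]
    return set.intersection(*per_card) if per_card else set()


def merchant_coverage(batch, start=WINDOW_START, end=WINDOW_END, history=CARD_HISTORY):
    """Number of sampled cards each merchant appears on, for ranking candidates
    when a batch has no single CPP (e.g. a 'sausage' batch)."""
    counts = Counter()
    for c in batch:
        counts.update(merchants_in_window(c, start, end, history))
    return counts


if __name__ == "__main__":
    clean = ["card-1", "card-2", "card-3"]              # one breached bar
    same_vendor = ["card-4", "card-5", "card-6"]        # three restaurants, one POS vendor
    sausage = ["card-1", "card-2", "card-4", "card-5"]  # two breaches mixed together
    for name, batch in [("clean", clean), ("same vendor", same_vendor), ("sausage", sausage)]:
        print(name, "CPP:", common_point_of_purchase(batch),
              "vendor:", common_vendor(batch),
              "coverage:", merchant_coverage(batch).most_common(3))
```

The clean batch resolves to a single merchant; the same-vendor batch has no CPP but a single common vendor; the mixed batch has neither, and the coverage count shows a tie between the breached bar and an innocent grocery chain, which is the confusion the "sausage" tactic is meant to produce.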

NEXTEP

Card breaches involving POS devices sold by the same vendor are notoriously hard for financial institutions to diagnose because the banks very often have a direct relationship with neither the POS vendor nor the breached restaurant or bar whose customers’ cards were stolen.

What’s more, POS-specific breaches frequently tie back to a subset of customers of a POS vendor who in turn rely on a local IT company to install and support the POS systems. The commonality among breached restaurants and bars tends to be a support firm that enables remote access to the POS systems via tools like pcAnywhere or LogMeIn using the same or easily guessed username and password across many customer systems. Once remotely authenticated to the targeted systems, thieves can upload malware like PoSeidon, which is capable of capturing all card data processed by the victim POS.

A few weeks ago, this reporter broke the news that multiple systems run by POS vendor NEXTEP had experienced a breach. The banks were only able to pinpoint NEXTEP systems as the source because the overwhelming number of merchants impacted in that breach happened to be NEXTEP customers who also were part of the Zoup chain of soup restaurants.

“You may have seen the discussions of the ‘PoSeidon’ malware that specifically targeted point of sale systems,” NEXTEP CEO Tommy Woycik said in a follow-up email. “Within thirty-six hours of the point that we learned of the problem we were able to internally use our resources to block further data compromise with most of our customers.  We retained and worked with two different sets of consultants to fix all remaining problems and to evaluate, on an ongoing basis, the effectiveness of the fixes.”

Woycik said the company also is investigating why the vast majority of its customers had no compromise of information and why the hack was limited to a few identified locations. Part of the problem was that some of the breached locations relied on point-of-sale management firms that refused to cooperate in the investigation.

“We have been somewhat hampered in our investigation because some parties involved in the locations that we believe may have been affected have been unwilling to provide us with critical data,” he said.

Bevo POS

More recently, KrebsOnSecurity has heard from multiple banks about suspicions that systems sold and maintained by another POS vendor, Naples, Fla.-based Bevo POS, were likely the source of fraud for more than a dozen restaurants and bars in and around Florida.

Reached for comment about these allegations, Bevo POS CEO Onur Haytac responded by acknowledging that a very small subset of its customers were indeed the victim of PoSeidon.

“Was Bevo POS ever breached?  No, however, Windows was. Bevo POS is a Point of Sale application (not cloud based) that is both PCI compliant and encrypts all credit card data,” he explained. “The malware identified, PoSeidon, which pushes itself with DLL injection and backdoor Trojans, is a keylogger with memory scraping that breached Windows, and as I’m sure you are aware, Microsoft’s Security Essentials anti-virus and Windows updates do not recognize or stop many of the newer more unique threats. The same day we were alerted to a possible compromise, our engineers found an executable that had been recently installed in Windows at that location, called ‘Winhost.exe.’”

According to Haytac, the company learned of the incidents on March 15. He said the breach occurred via memory scraping: the malware captured the card data as Windows passed it to the Bevo application, capitalizing on a ‘millisecond gap’ between the systems.

“A mere 0.26% of customers (13 out of 6,500) were affected and we not only identified the malware within 24 hours (5 days before it was publicly reported by the security experts), we had created a PoSeidon killer tool, and swept every customer’s machine within a week.  Actual Windows breaches of our customers only occurred over a two day period.”

Haytac said the most frustrating aspect of the ordeal so far is that all of its customers have some form of Windows anti-virus software and that none of these applications were able to recognize the malware. 

“So to prevent future possibilities of this ‘gap’ in the system being tapped again by relentless hackers, we have made an agreement with Comodo to create a new-age containment software that includes anti-virus,” he said. “We are pushing this to all our customers, closing the gap between these breach techniques and Windows OS. We are due to ship this weekend as we are in final stages of testing. Windows is obviously not our product to protect, however our customers are, so we are doing it regardless and without cost to them.”

RESCATOR REVISITED

For several months following revelations that fraudsters had stolen 56 million cards from customers of Home Depot, the card shop principally responsible for selling those cards — Rescator[dot]cm (the same hackers thought to be responsible for the Target intrusion) — inexplicably stopped selling new cards stolen from main-street merchants and retailers.

This hiatus continued for an unprecedented six months until March 10, 2015, when Rescator and his merry band of thieves advertised the “American Dream” batch of credit cards. Days later, the Rescator shop pushed out millions of cards in rapid-fire batches variously named “Breakthrough,” “American Dream,” “Imperium Romanum” and “Spring Awakening.”

One of the many newer “dumps” batches added to the Rescator fraud shop in recent weeks.

Multiple financial institutions contacted by this author purchased handfuls of their cards from these batches, but were unable to find a single common point-of-purchase among any of them. However, each bank said they saw within each batch a strong preponderance of small restaurants and bars that they’d been watching for months as a suspected source of stolen cards. The banks reported to KrebsOnSecurity that the bulk of these establishments are centered around cities in Colorado, Texas, Florida and the Washington, D.C. metropolitan area — including Virginia and Maryland.

BRIAN’S DUMP

The above-mentioned trend away from selling cards stolen from major retail chains toward attacking smaller bars and restaurants is hardly unique to the Rescator shop. Earlier this year, several security experts pointed out that a relative newcomer to the fraud scene — a card shop that markets its wares by capitalizing on the name and likeness of this author (briansdump[dot]ru) — also was pushing fairly large batches of stolen cards onto its shelves.

An advertisement for the carding shop “briansdump[dot]ru” promotes “dumps from the legendary Brian Krebs.” Needless to say, this is not an endorsed site.

KrebsOnSecurity worked with three different banks who each acquired multiple customer cards from all of the batches of cards that showed up for sale on Briansdump. Eerily enough, all of the merchants identified were from small restaurants and bars in and around the Washington, D.C. area, the hometown of Yours Truly.

OTHER SOLUTIONS

Security vendors have long recommended “end-to-end” or “point-to-point” encryption products and services to sidestep threats like PoSeidon. The idea is that if the card data never traverses the local network or point-of-sale device in an unencrypted format, any card-stealing malware that makes its way to the point-of-sale systems will have nothing to steal but worthless gibberish.

The problem is that many merchants — particularly smaller ones — don’t seem particularly interested in or incentivized to invest in these technologies, which tend to require more up-front costs and on-going maintenance fees to security vendors, said Rich Stuppy, chief operating officer at Kount, a payments security firm based in Boise, Idaho.

“It’s a fundamental redrawing of how the bits are transmitted, and that also tends to redraw a lot of power into another end of the network, either to a card brand or to a point of sale company, and it dramatically changes who’s got the power in this situation,” Stuppy said.

As for why more smaller merchants don’t turn to solutions like point-to-point and end-to-end encryption, Stuppy said it’s a numbers game that favors the attackers.

“I think the bigger [merchants] could maybe put up the fence around this such that it gets harder and harder, but the little guys aren’t going to do that. With these widely distributed point-of-sale systems, the bad guys are looking to just plug in the malware once, and it doesn’t matter if you have to get the big guys once to get 50 million cards, or you have to get 1,000 cards from 50,000 compromised merchants.”

For a deep dive into PoSeidon malware, check out this Mar. 25, 2015 blog post from researchers at Cisco.

71 comments

  1. Would seem that both October and fully tokenized transactions can’t come soon enough!

    • But be clear that EMV compliance (i.e. chip cards coming in October) and “tokenization” are different things.

      If I understand correctly, the only thing that’s tokenized today is Apple Pay. The non-U.S. chip cards are not tokenized, and I don’t think that the new ones coming will be.

  2. LOL briansdumps
    I was laughing too hard

  3. Re: BRIANSDUMP

    Brian, please don’t move to Texas :-)

  4. I love it Briansdump[dot]ru, now that’s funny.

    A lot of those credit card numbers in those dumps are also coming from phishing scams because people on the internet are just handing over their PII’s to the scammers without even thinking about what they are doing.

    • Err…phishing over the internet does not produce dumps, which is information taken from the mag stripe off the back of the card. The most phishers can take from individual users is data that’s only useful for online fraud (name, address, card number, expiry, CVV).

      • I’d like to punch your source in the face, Brian. The reason e2e isn’t implemented across the board, is because the banks / acquirers charge a per transaction fee to have e2e encryption. The banks could provide it by default, especially when we are talking about smaller shops that rely on full package POS systems, but they don’t. Since merchants have no real liability for fraudulent transactions (other than a PR hit if breached significantly), it is near impossible to justify to the BoD that they should give up a portion of EVERY [credit] sale to mitigate a “what if.”

        And why should the banks care? They don’t take the PR hit for the merchant, and they just pass the cost of fraud right back to the consumers.

        I’m going to keep beating the drum on tokenization and e2e, but it’s not going to matter unless there is a liability shift, or breaches become an every day occurrence, and merchants suck it up knowing that it is only a matter of time. But when you are talking about yanking $2M off the bottom line, it just won’t happen with out an eminent threat. (And that $2M is what it would cost our company, and were a regional retailer with razor thin margins.)

        • I don’t disagree with anything you said, apart from the imagined violence against the quoted person. I agree that the entire credit card system is set up to spread the risk away from MC and Visa to all of the rest of the players.

      • Donald J Trump

        Sorry my friend, but you may be wrong here, since I personally have seen phishing dumps and they include everything from birthdays to social security numbers besides the credit card information (cvv, 16 digit numbers, expiration date).

        Let’s just say that years ago I found an easy way to break into phishing sites that were being exploited on legitimate websites, taken over by the hackers.

        I’ve seen the contents of the large txt files that were sitting on the hosting accounts.

        Regardless of whether the stolen information comes from the magnetic strip or is given up by the victim, it’s still contained in a central location in large volumes, which in my opinion is a “dump”.

        • Cool story.

          Unfortunately you have still demonstrated that you have so little knowledge about what is being discussed that you appear to be inventing definitions to cover the fact that your own don’t agree with knowledgeable people in this field.

          It’s basic stuff and you clearly are not even at that level … so maybe cease embarrassing yourself more by inventing the fantasy world where you’re a hacker lel?

  5. “Haytac said the most frustrating aspect of the ordeal so far is that all of its customers have some form of Windows anti-virus software and that none of these applications were able to recognize the malware. ”
    What are the names of the anti-virus software that could not find the virus, inquiring minds want to know?

    • Probably all of them initially. The bad guys take their malware/virus etc. program and test it against all the big anti-virus programs before they release it, to make sure it can’t be detected (and modify their programs if needed until nothing detects them)….then they let it go out and nothing detects it.

    • I am not sure if Comodo offers a product, but whitelisting is the easiest way to really defend against such threats. That is what we utilize on our registers and servers. If an application isn’t authorized to run, it can’t start. You have to explicitly allow applications permission, and most allow you to also tailor what the application has permission to do. It can be a pain to setup, and sometimes maintain, but it works very well. And you can’t just rename a piece of malware to an allowed name, because the whitelisting app keeps a record of the file’s hash, so if it changes, it cannot run.

      It is not foolproof, but is far better than AV. AV is an out-dated technology.

      • Basically AV is blacklisting technology, looking for programs on the list that aren’t allowed to run.

        Whitelisting is promising, and actually doesn’t require third party software at all for Windows systems (you can just use software restriction policies built into active directory, though it can also be implemented on a per-system basis since local system policies are equivalent). Whitelisting is still a pain, but with central management theoretically you only have to whitelist most of your programs once and then only update as programs get updated. If you centrally push out your programs (again possible through AD) then you can time the whitelist updates with the program updates. Still a lot of work, but a lot less work than doing the same things multiple times on a per-system basis.

        Honestly I don’t know why any POS vendor wouldn’t have implemented this already, it’s already in the OS, waiting for them to use it.

      • White listing can and has been compromised. Check with all the players that program, any number on the hashmark can be changed, has been changed and will be changed. Just out of this article reread the reference “winhost” was unrecognized as bad, how? The hashmark. All the av software does is run the hashmark against a known hashmark; they don’t run the program, and look at the results. You would never finish an if scan Iv scan if you ran the program and check it against what happens. You need your system for the sale today, now, not tomorrow.

        • The whole point of whitelisting is to only allow known applications to run.

          Not check unknown applications like a traditional AV.

          Where is an example of whitelisting being compromised?

          • As of right now, I didn’t find any advisories allowing the whitelisting to be changed in a whitelisting app (Bit9 or Lumension® Application Control; I’m not saying it’s possible or not). However, compromise of the computer system running the whitelisting app may be done and thus the whitelisting app could be affected (remote control of the whole system with access to change the whitelisting app) or indirectly (malware).

        • How would it get around whitelisting not noticing some kind of change to the file and blocking? The one we used can’t even copy an allowed file and still run it.

        • I agree with the replies to your comment—what you’re saying doesn’t seem to make sense. But I’m wondering if what you intended to say was a little bit different:

          Are you talking about editing the virus so that it has a hash matching the hash of a whitelisted app?

          If so, that’s theoretically possible but depends on (1) knowing the hash function being used by the whitelist manager (2) the hash function not being cryptographically secure (i.e. actually being a fingerprint, not a hash) and (3) knowing an app that is in the whitelist already so you can match its hash.

          If this is *not* what you’re talking about, then please explain.

          • I would guess that if an application that was already whitelisted was compromised, and said compromise allowed for privilege escalation, then one could then add arbitrary programs to the whitelist.

            However, if the whitelist is centrally managed, then the individual who was running the compromised whitelisted executable would need to have sufficient rights to make changes on the central management system. Otherwise whatever changes they made wouldn’t be permanent, and would just get nuked the next time the management system updates the clients.

            It’s certainly a possibility, but you can’t even do it by spawning a child process from the original whitelisted process, since then that child process wouldn’t be whitelisted.

            I don’t look at whitelisting as a panacea that will cure all ills, but as one element of defense in depth it certainly is a step forward.
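
The hash-keyed allowlist that the thread above argues about, as an added example (not the code of Bit9, Lumension, Comodo or Windows Software Restriction Policies, and not from any commenter): a program runs only if the SHA-256 of its bytes is on the approved list, so renaming a copy changes nothing while altering a single byte of an approved binary denies it, and an unknown file is denied by default. The file contents are constructed stand-ins written to a temporary directory.

```python
"""Hash-based application allowlisting, the mechanism the comments above describe.

Added example; not the code of any whitelisting product named on this page
(Bit9, Lumension, Comodo) nor of Windows Software Restriction Policies. File
contents below are constructed stand-ins for a POS binary.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Content digest: renaming or copying a file leaves it unchanged,
    flipping a single byte changes it completely."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    """Execution policy keyed on content hash, never on file name or path."""

    def __init__(self):
        self._approved = {}  # sha256 hex digest -> label of the approved program

    def approve(self, path, label):
        self._approved[sha256_of_file(path)] = label

    def decide(self, path):
        """Return (allowed, reason). Unknown content is denied by default,
        which is the inverse of antivirus blacklisting."""
        digest = sha256_of_file(path)
        label = self._approved.get(digest)
        if label is not None:
            return True, f"content matches approved program '{label}'"
        return False, f"no approved program with sha256 {digest[:16]}..."


def demo(root=None):
    """Write constructed files and return {file name: (allowed, reason)}."""
    root = root or tempfile.mkdtemp(prefix="allowlist-demo-")
    approved = b"MZ\x90\x00 constructed stand-in for pos_app.exe v1.0"
    patched = approved[:-1] + b"1"           # same file with one byte changed
    unknown = b"MZ\x90\x00 constructed stand-in for an unknown program"
    files = {
        "pos_app.exe": approved,
        "renamed.exe": approved,             # same bytes, different name
        "pos_app_patched.exe": patched,      # familiar name, altered bytes
        "unknown_update.exe": unknown,       # never approved
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    policy = Allowlist()
    policy.approve(os.path.join(root, "pos_app.exe"), "POS application 1.0")
    return {name: policy.decide(os.path.join(root, name)) for name in files}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name:22} {reason}")
```

Because SHA-256 is a cryptographic hash, the "edit the malware until its hash matches an approved app" idea raised above would require a second-preimage attack; the realistic concerns are the ones the replies name, namely tampering with the policy store itself or abusing an already-approved program, which is why central management of the list matters.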

  6. Point-2-point encryption is the way to go. Our POS vendor recently implemented it and I certainly sleep better at night.

    • Yeah it’s dandy if you can find it, very few vendors have it and if there is any kind of internal processing it makes it even harder.

  7. Vendors refusing to help in the event of a breach of a client because they think it isn’t them?

    Hey Vendors: You don’t want to work with me the customer when I have a breach? Good bye! I won’t be doing business with anyone who hinders my company trying to find the issue and fix it.

    I’ll be sure to write this into all future contracts.

    • Hehe – yeah well good luck making any money without our equipment, loser. I think you forget who has the power in this relationship and you’d do well to smarten up and remember it.

  8. Great article Brian. Couldn’t agree more Robert… provided the original list of stolen apple IDs aren’t still circulating- with account holders who never changed their passwords.

  9. Great article Brian. Couldn’t agree more Robert… provided the original list of stolen apple IDs aren’t still circulating- with account holders who never changed their passwords. then again, having back up verification procedures in place at the FI should hinder any issues.

  10. I love that “Was Bevo POS ever breached? No, however, Windows was. Bevo POS is Point of Sale application (not cloud based) that is both PCI compliant and encrypts all credit card data,” If you’re encrypting it properly this can’t happen. Likely encrypted by software on the windows PoS device. What’s the point of that? It’s still in memory!?! This is useless and shows the CEO doesn’t know anything about protecting data! What a waste of time and money for “encryption”.

    • Um OK but the point still remains that no program is safe from a Windows Administration account and they do not make Windows nor provide services related to Windows.

      All in all the guys response seemed to be pretty good in my opinion, I have no idea why you’re lambasting him.

  11. Have there been any exploits on dial-up credit card readers/devices?

    Also I wonder if the firmware and OS on older POS devices can even be updated to incorporate these fixes. A lot of them run an OS version of “Windows XP lite” (POSReady 2009 or XP embedded) for which Microsoft still offers extended support until 4/9/2019.

    These devices run outdated versions of Java (Java 6) and cannot support more secure ciphers/TLS versions. The peripheral devices plugged in such as scanners, cash drawers, card readers, etc. are equally vulnerable.

    Seems like a pretty profitable time to be a POS hardware vendor.

    • Brian… I would like to know the answer to Nancy’s question “Have there been any exploits on dial-up credit card readers/devices?”

      Also, what do you feel is the most secure method of processing payments ???

      • Sterling Augustine

        Also, what do you feel is the most secure method of processing payments ???

        Cash, Cash, or Cash.

        You can’t get hacked or your identity stolen when you use paper or metal money/coins.

        Will your life be more cumbersome without the convenience of credit cards, sure but which would you prefer.

        • Easy: CARDS. Because I’d rather *not* risk ending up badly mauled (or DEAD) just because some guy who doesn’t mind getting a little “physical” happened to be lurking near the register and saw me pull a wad of bills out of my purse to pay the dinner tab or bar bill.

          • If he’s lurking there watching what you pull out of your wallet it probably doesn’t matter much.

        • I thought about that too, but I was reminded of the much higher incidence of robberies before credit cards became the preferred medium of exchange.

    • There were pos hacks with dial-up. Thru redirects, you know, call forwarding. Someone actually had to touch the wires, interrupt the line, forward the calls to a third party to copy,and redirect .. Just like the cops, did in the thirties, crime shows. In the 90’s, some of the security was callback by the card companies, off trunking, and tone injection, and pos screen presentation to detect the third parties. Seems we had security visits more often, or maybe we had just interested security then.

  12. “The problem is that many merchants — particularly smaller ones — don’t seem particularly interested in or incentivized to invest in these technologies…, said Rich Stuppy, chief operating officer at Kount, a payments security…”

    Also, a customer has little (more like no) designation at a POS of whether to use or not use a credit card at any vendor location. There’s no placard designating the security level of a POS. If the customer goes by the Mastercard, Visa, American Express logo as any level of security, the past says: Breachable or breached. Personally, I trust that a POS is breachable/breached and wouldn’t use a credit card, because even if it has end-to-end encryption I as a customer am not going to spend the time to find out whether it has the feature and the POS has no placard to quickly designate whether it’s a more or less safe POS.

    This is like phishing via POS–to use a credit card and find out later whether these bits of PI are lost by the biz, or not. Not only could the PI be used for financial fraud; but the PI may be used to track down where people frequent, and be used to potentially ‘physically’ target people.

  13. It’s not clear to me if the POS vendors are selling packaged systems with a dedicated Windows box. If the customer is not allowed to install any of their own software, this would seem to be a prime application of Antivirus Whitelisting to catch any new and unknown malware.

  14. I love the quote from Onur Haytac: “Was Bevo POS ever breached? No, however, Windows was. Bevo POS is Point of Sale application (not cloud based) that is both PCI compliant and encrypts all credit card data.”

    Well, Mr. Haytac, a breach occurred on your watch so you should take responsibility for it. Maybe we should just say that any POS system that runs on Windows is not PCI compliant unless the data is encrypted by the card reader.

  15. While challenging on general-purpose Windows machines, a specific-use terminal like PoS seems like a great place for some application white-listing.

    • I second this and have wondered for some time whether or not this technique has been implemented at some of the big retailers. Has it been tried on POS terminals and proven ineffective or what is the deal.

  16. The only way PoSeidon has been put in place would have been Logmein.com. I bet all of these pos companies are using LogMeIn for remote support. They need to understand to turn on their 2fa to be able to eliminate the breach. It is really not the breach of anything but a careless act or ignorance on either the pos company or the customer side who is using the LogMeIn to manage their store.

    Yes encrypted swipe would have fixed all these issues. But then why the hag PCI is not making it mandatory? Let me tell you why. The Magtek card swipe with encryption goes for $400. How many businesses you know who wants to pay that? Or even able to afford it when it is the only thing they know is square app?

    • Where in the heck are you looking to buy your MAGTEK card swipe from? I have seen them for way less with encryption.

  17. This is serious business but OMG I was laughing so hard at the logo for briansdump.ru

    They might be slime balls but you can’t fault their sense of humor…

  18. What really baffles me about all this is why are these card shops being hosted on the clear web? With all the major news stories focusing around the NSA cracking in on darknet markets like Hydra, Silk Road, Silk Road 2.0, etc., how are places like Rescator not being nabbed? They aren’t even hiding behind onion routers. Why is it that you always hear about darknet markets being raided and seized but these clear web carding shops are never in the news? Apart from your reporting Brian, which is great. I know some of the major card shops are underground, but it seems like a lot of them aren’t. Just curious if they are leveraging the fact that they live in places like the Ukraine and Russia where they are presumably “safe” from FBI and the NSA? How does the NSA not sniff the traffic going to these sites and figure out who is buying these cards? Brian, I’d enjoy reading a story about how these sites are seized and nabbed, and what happens next if the perpetrators aren’t exactly like DPR…

    • You bring up some interesting questions. I would look to a post in the not-so-distant-future on this blog about that. :)

    • Jethro, I suspect there’s more money (budget) to be made chasing criminals than preventing/stopping them. No financial incentive to have less crime.

      It’s like the insurance/medical industry, more money to be made treating people than prevention/cure. No financial incentive to have healthy people if you profit from servicing the sick.

    • Hiding yourself on the internet is not hard sir so I’m unclear as to why you seem astounded.

      Paying for a VPN using so called pseudo-anonymous currencies such as Bitcoin that will not co-operate with law enforcement (or anyone else) is simple.

      It’s also possible to simply use the Tor network securely for many tasks such as administering servers via SSH.

      Many people seem to get caught by making the mistake of allowing parts of their “real” identity to become associated with their “anonymous” identity.

  19. face it: the mag stripe credit card business is pwned.
    Game over.

  20. Why is it that the apparently largest threat, based upon their briansdump[dot]ru, to these criminal scumbags is a civilian blogger? What are we paying many tens of billions of dollars annually for our “national cyber defense” infrastructure for? The creation of construction jobs in Utah?

    • The US government could end all of this criminal activity if they wanted to, just like the banks could slow it way down if they cared. The NSA doesn’t care about computer crimes because they also carry out computer crime – against Americans everyday. Gangsters leave each other alone as long as they don’t try to get into each other’s territory.

      • Absolutely dead on correct!

        This is the single biggest reason that civilians (the average user) shouldn’t be so willing to play ‘their’ game. They might have the guns, but we have the numbers.

        • YES! Let’s all play “pile on”, and CRUSH them with the sheer weight of our dead, bullet-ridden bodies!

    • Oh I doubt that Brian is considered the largest threat.

      However perhaps he is considered the public face of the opposition to their thievery 😉

  21. Again…. go cash young man, go cash.

    • When you’ve had your head bashed in because some guy who doesn’t mind getting a little “physical” just happened to be lurking near the register and saw you pull out that wad of cash to pay the dinner tab or bar bill, then please do come back and tell us how being mugged was far less traumatic than having your credit card data stolen. I’ve experienced both, and if forced to choose, as it seems we all are these days, I know which one I prefer.

      • EstherD…. with a name like that go admit you are crazy.

        Go cash young man….. Go cash. Must I repeat myself?

        Losing your cash is the best thing that can happen to you today. Lose your identity and you will know which is far worse, a credit card hack or cash.

        Some people prefer to be stupid all the time, like EstherD.

        • Rick Blaine… a perfect username for someone stuck in the past, who apparently thinks the Vichy regime still controls Casablanca. Hint: When cash is stolen, it’s 100% gone — NO chance at recovery. “Use cash” divas like you are the security world’s equivalent of birthers. Please go away…

  22. This is obnoxiously nitpicky of me, but:

    “A mere 0.26% of customers (13 out of 6,500) were effected and we not only identified the malware within 24 hours”

    Doesn’t add up. 0.26% of 6500 comes out to 16.9. 13 is 0.26% of 5000, and 13 is 0.20% of 6500.

  23. What I don’t understand with this latest rash of POS attacks is why the POS companies (and the larger companies for that matter) don’t do one simple change: push harsh firewall rules onto the machines. The POS clears its transactions with a very limited number of servers, the POS manufacturer or management company is the only one that needs remote access to the machine, and possibly allow direct access to Microsoft’s update servers (for Windows based POS terminals, otherwise the similar servers for the OS in question). If the machine can only communicate with a handful of IP addresses, the malware can’t reach the C&C server.

    Alternatively, as part of the sale package, include a small firewall appliance (there are a few that cost less than $100 which could protect all the terminals in the whole store). The appliance will do the same thing but it also avoids the chance that the malware can disable the firewall. It’s a one-time setup so it doesn’t require ongoing maintenance (Microsoft and the banks are not likely going to change their IP addresses anytime soon).

    For larger places like Target, they didn’t even bother isolating the POS network from the rest of the store network as they should have done. That would have been a relatively inexpensive fix (compared to the fallout) at about $5k per store (a few enterprise switches, enterprise firewall appliance plus an extra network interface on the main store router).

    • That’s an additional step required but still not a barrier to anyone with Administrator level privileges though, in the case of software firewall rules anyhow.

      • Yes, a software firewall would be a little harder to protect from some of the malware but a hardware firewall would be much easier. The malware couldn’t reach it to change any of the rules. For most of the stores using POS terminals, they really don’t need admin privileges so don’t give it to them.

        • To the largest degree (as added security), I agree; until the admin credentials are compromised (high level network compromise; it may happen). So, even whitelisted routing could be compromised (under certain insecure practices); but it’s a higher barrier to compromise.

          The mention in the article about relying on antivirus makes me cringe at the level of security of the Bevo POS setup.
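The egress whitelisting that comment 23 and its replies describe (a POS host allowed to talk only to the payment processor, the vendor's management host and the OS update servers, everything else dropped) can be expressed as a small policy and checked against observed connections. The following is an added illustration, not code from any commenter, vendor or the article; the network ranges are placeholders from the RFC 5737 test blocks, the log format is constructed, and the `render_nftables` output is one way to write the same default-drop policy for a Linux-based firewall appliance.

```python
"""Egress allow-list check for a point-of-sale host (added example).

The ranges below are constructed placeholders standing in for the
payment processor, the POS vendor's remote-management host and the
OS update mirrors; a real deployment uses the ranges those parties
publish.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed allow-list: destination network -> TCP ports a POS host may reach.
EGRESS_ALLOWLIST: Dict[str, Set[int]] = {
    "203.0.113.0/24": {443},          # payment processor front ends (placeholder)
    "198.51.100.10/32": {443, 3389},  # POS vendor remote-management host (placeholder)
    "192.0.2.0/24": {80, 443},        # OS update mirrors (placeholder)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_allowed(dst: str, dport: int) -> bool:
    """True if dst:dport falls inside one of the allow-listed network/port pairs."""
    addr = ipaddress.ip_address(dst)
    for net, ports in EGRESS_ALLOWLIST.items():
        if addr in ipaddress.ip_network(net) and dport in ports:
            return True
    return False


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed log line of the form '<ts> <src> <dst> <dport> <proto>'."""
    _ts, src, dst, dport, proto = line.split()
    return Flow(src=src, dst=dst, dport=int(dport), proto=proto.lower())


def evaluate(lines: Iterable[str]) -> Tuple[List[Flow], List[Flow]]:
    """Split observed outbound flows into (allowed, denied) under the policy.

    Whatever lands in `denied` is exactly what a default-drop egress rule
    would block and log, so the same list doubles as a detection feed.
    """
    allowed: List[Flow] = []
    denied: List[Flow] = []
    for line in lines:
        flow = parse_flow_line(line)
        (allowed if is_allowed(flow.dst, flow.dport) else denied).append(flow)
    return allowed, denied


def render_nftables(table: str = "pos_egress") -> str:
    """Render the allow-list as a default-drop nftables output chain."""
    rules = [
        f"table inet {table} {{",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for net, ports in EGRESS_ALLOWLIST.items():
        portlist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f"    ip daddr {net} tcp dport {{ {portlist} }} accept")
    rules += [
        '    log prefix "pos-egress-drop " drop',
        "  }",
        "}",
    ]
    return "\n".join(rules)


# Constructed sample of outbound connections seen from one POS host.
SAMPLE_LOG = [
    "2015-04-15T10:01:02Z 10.0.0.5 203.0.113.20 443 tcp",    # settlement to processor
    "2015-04-15T10:01:09Z 10.0.0.5 192.0.2.44 80 tcp",       # update check
    "2015-04-15T10:02:30Z 10.0.0.5 198.51.100.10 3389 tcp",  # vendor remote support
    "2015-04-15T10:03:12Z 10.0.0.5 203.0.113.20 8080 tcp",   # right host, wrong port
    "2015-04-15T10:04:45Z 10.0.0.5 198.18.0.5 443 tcp",      # unknown destination
]

if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_LOG)
    for f in blocked:
        print(f"would be dropped: {f.dst}:{f.dport}/{f.proto} from {f.src}")
    print(render_nftables())
```

Two of the five constructed flows are denied: the one to an unlisted address, and the one to the processor's range on a port the processor does not use. Note that the policy is IP-only, matching the commenter's proposal; if the update service or processor is reached by hostname, the appliance also has to permit DNS (and usually NTP) to a fixed resolver, and the rule set should be reviewed whenever those parties publish new ranges.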

  24. Hi Brian,
    I’d like to see an article (perhaps ongoing/updated list even) of the following:
    1. What the different types of card security exist from most secure to least secure
    2. A list updated (perhaps quarterly/yearly) of what banks/companies/card companies offer cards in each “card security level” from point 1 above.

    I read so many blog comments where people mention or argue or comment about various card / chip types that I’m just confused and don’t know what to think of a local bank offering a chip card.

    If I could point to a single page of succinct info, I’d be glad to hound my bank/credit union/merchant etc to move their offerings higher up the “point 1” security offerings.

    (And it’d save you and everyone else from rehashing comments on “A” is better than “B” except if e2e isn’t enabled….yada, yada, yada.)

    So how about a little help for us normal consumers?

    Thanks for all the help!

  25. I am speechless in awe of the awesomeness of that BriansDump.RU image :)

  26. Look…. the simple fact of the matter is I talk to a lot of people as cashiers, customers and anyone using plastic, i.e. credit cards.

    To a one they are all petrified when they use their card. Think about that. Sooner or later they will dump the card and go for cash….. as they should.

    Dump the card.

  27. KrebsonSecurityFan

    Over the past few months, I have used cash more and more and my debit card’s PIN only at my bank’s ATMs. On the few occasions that I have used my debit card at a POS terminal, I select “cancel” or “credit” so that the transaction is processed without a PIN. I expect to either sign a piece of paper or use a stylus to sign a touchpad.

    During this time, however, it seems to be becoming more commonplace that NOTHING is required after the card is swiped. I have been told by store employees that there is a minimum monetary amount for the additional security check to occur.

    This minimum amount seems to vary by store. It seems to me that the “running the debit card as credit” option is just as insecure as a PIN since no signature or zip code or anything else is required for a transaction under $50, for instance.

    • The idea behind this was to make transactions easier for consumers when buying small dollar amounts and to still allow for a means of tracking card usage when a card is reported stolen or missing. I understand what you’re saying and ultimately agree. However, only an idiot would go through the effort to steal a card (or card information) only to end up buying a pack of cigarettes and a coke at a gas station with it. Although at this point, one could string together enough of these things and live like kings for a short time (if one doesn’t get caught in the process).

      • KrebsonSecurityFan

        “… the effort to steal a card (or card information) only to end up buying a pack of cigarettes and a coke at a gas station with it. Although at this point, one could string together enough of these things and live like kings for a short time (if one doesn’t get caught in the process). ”

        A common crime is to make small purchases with a victim’s bank or credit card account information and hope that no one notices.

        Someone that I know just had a thief attempt to make a charge of several hundred dollars at a gas station several hundred miles from where she lives. All that I’m thinking is what’s worth that much at a gas station.

        In the above case, the transaction was “Denied”. This brings me to another point: Is an attempted purchase such as the above followed up on by law enforcement, financial institutions, etc.? Old credit card readers at gas stations in the 1980s and 1990s used to have an LED read-out that could display messages such as “Reward For Card” or “Denied”.

    • Large stores have security cameras aimed at the swipe terminals. Perhaps they intend for that to serve as backup for investigations to find the users of counterfeit or fraudulent cards. A sort of post-deauthorization method that allows the store to give police detectives information for investigations without having to first find the real owner of the account that was compromised.

      Why not put digital cameras closer to the person using the card? The sensors and their lenses are these days very small, so there is no space-hogging reason to not have cameras inside POS stand-alone card terminals.

      How this would work:

      The camera continuously records but keeps only the few seconds before a card is inserted for reading and a few seconds after the card leaves the reader mechanism, whether it is to swipe the magnetic strip or to read the chip inside.

      If the person using the card tries to anonymize the transaction by covering the camera lens, the terminal refuses to read the card.

      This might help to scare off people who make counterfeit cards. It would increase the data-processing load seen by the card processor network. And it would also raise concerns about the storage of Personal Identifying Information, as it is already problematic that some retailers keep the data from the credit/debit cards as well as too much other information about their customers.

      Furthermore, images/video can be copied from one POS transaction and embedded into another transaction, falsifying the records.

      Criminals, vandals, and pranksters would however try to find ways to scratch the clear plastic cover over the lens with a small square of 400 grit sandpaper glued to a finger to fuzz what the camera sees, so the cover would have to be easily replaceable by the store security.

  28. The main question is: when will there be malware for Linux POS? Many think this will not happen, but I am quite sure there is already some in the wild (can’t prove that)