The holiday season is in full swing and once again we can expect to see a surge in cyber attacks targeting retailers and consumers. Research from the National Retail Federation shows that spending during the winter holidays outstrips retail sales during all other holidays throughout the year – combined! From Black Friday to sales in January, this is the most wonderful time of the year for retailers, and this trend will likely continue. A survey by RetailMeNot shows that consumers are expected to spend an average of $743 holiday shopping between Black Friday and Cyber Monday this year, a 47 percent increase from 2016’s average of $505.
Unfortunately, increased spending also makes this a wonderful time of the year for cybercriminals seeking a share of the action. But the good news is that by understanding the tactics, techniques and procedures (TTPs) of cybercriminals, there’s are lot retailers and consumers can do to remediate risk.
A few months ago, I wrote about both credit card fraud and account takeovers, two of the main areas of risk that retailers must be aware of. Here I’ll focus on a third, payment card systems risk. As more money flows, criminals have even more opportunity to acquire consumer credit card details. Analysis of one well-known credit card shop on the dark web reveals that over 93,000 card details have been added since the beginning of November. Hackers target retailers in two main ways: through Point of Sale (POS) systems and physical skimming devices.
- POS malware. Cybercriminals can develop or even rent malware that targets retailers’ POS software. Many new variants have emerged this year, including RawPOS and MajikPOS. Most of the infections from the latter were reported in the United States and Canada. A modified version of the Zeus banking trojan was also identified targeting POS systems, predominantly in Russia and Kazakhstan, and searching for and exfiltrating payment card Track 1 and Track 2 data to its command and control (C2) server. While Zeus can be executed remotely, groups operating the malware often need partners to help with various aspects of their operations, from cashing out to providing access to the devices themselves. Research on the dark web shows advertisements for both types of services.
- Physical skimming. Despite the prevalence of POS malware, physical skimming also continues to be a popular tactic often employed by less skilled fraudsters. Magnetic Strip Readers are available as handheld devices and allow users to make a digital copy of the data stored on a card’s magnetic stripe. The size of these devices continues to shrink making them hard to detect, and the price is relatively low at $100 to $500 which makes them quite affordable. Devices have now been developed to capture data from cards equipped with Europay, Mastercard and Visa (EMV) chip technology. Additionally, cameras concealed in lights above machines can be used to capture PINs and can be purchased for as little as $280. At the other end of the spectrum, Global Systems for Mobile communication (GSM) receivers are available for $1,000 to $2,000. GSM receivers transmit captured information via Bluetooth, so criminals can avoid returning to the scene and being caught.
So, what can retailers and consumers do to remediate risk from payment card system compromise?
Advice for retailers:
- Be diligent about your supply chain. Make sure your POS devices are protected and monitored regularly for suspicious activity, including the placement of skimmers. Regularly review the security controls of third-party vendors (particularly those who provide software for POS systems) and reassess controls each time the scope of a vendor partnership changes.
- Understand there is no silver bullet. Remember that no one tool will protect you. A layered, defense-in-depth approach is best. For example, if POS malware does infiltrate the network, to prevent lateral movement once inside, restrict workstation-to-workstation communication by using host-based firewall rules where feasible.
- Share information. Take advantage of sharing communities such as the Retail Cyber Intelligence Sharing Center (R-CISC) and InfraGard to help stay abreast of threats and trends.
- Plan ahead. Have a process in place to handle compromised customer accounts and use threat intelligence to track actors and understand their threat level.
Advice for consumers:
- Look out for skimmers. Avoid using payment or ATM machines in dark or obscure locations where criminals could easily place a skimmer without being seen. Look for wires or any other suspicious indicators that a payment machine may have been tampered with.
- Monitor your accounts. Regularly check your accounts for fraudulent activity and contact your bank immediately if you discover any suspicious purchases.
- Learn about the latest tricks. Stay informed on the latest fraud and scam trends by referring to some of the most popular sources for such information, including: StaySafeOnline, the FTC’s Scam Alerts and the US-CERT National Cyber Awareness System.
As spending during the holiday season continues to rise, so will interest in cybercriminals to profit from increased payment card activity. Fortunately, there are several ways we can work together to disrupt these activities, remediate risk and preserve what should be a wonderful time of the year for retailers and consumers.