The Green Sheet

Wednesday, December 12, 2012

New malware infects POS terminals

Seculert, an Israel-based security firm, uncovered powerful new malware that targets POS systems. In a Sept. 11, 2012, blog post, Seculert reported that the so-called Dexter malware has infected hundreds of POS systems in 40 different countries worldwide over the last two to three months. Seculert said 42 percent of the infected POS systems are located in North America, with an additional 19 percent of the systems located in the United Kingdom.

Seculert does not know how Dexter targeted POS systems, but did note that over 30 percent of the targeted POS systems were running on servers that use the Microsoft Corp. operating system. Seculert called that percentage unusually high for "regular 'web-based social engineering' or 'drive-by-download' infection methods."

According to the security firm, the goal of Dexter is to "steal the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for track 1/track 2 credit card data."

Mark Bower, Vice President at enterprise data protection provider Voltage Security Inc., said in a blog post that POS systems are often targeted by fraudsters. "POS systems are often the weak link in the chain and the choice of malware," he wrote. "They should be isolated from other networks, but often are connected. And as a checkout is in constant use, they are less frequently patched and updated and thus vulnerable to all manner of malware compromise. They often store cardholder data."

Bower said end-to-end data encryption (E2E) technology minimizes the risk from fraud schemes like Dexter. E2E technology encrypts payment data when a bankcard is swiped through a POS terminal. "If the POS is breached, the data will be useless to the attacker," he wrote. "The trick is getting it right so that even though the data is protected and secure, it's still compatible to the payment applications in the merchants' systems and in the POS itself."

With E2E technology, data is theoretically protected throughout the lifecycle of the transaction. Bower said merchants' security responsibilities from a Payment Card Industry Data Security Standard perspective are significantly reduced by E2E solutions. "When implemented correctly, this can dramatically reduce the cost of PCI compliance and solve huge risk challenges easily," he noted. "No data, no gold to steal."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.