What is POS Malware?

By John Connolly

While you might not be familiar with the term Point of Sale Terminal or POS, you undoubtedly know what one looks like. On nearly every store counter in the UK rests the bulky screen and till of a Point of Sale computer.

Used for everything from processing orders to taking card payments, they are an essential part of the high street and vital to a number of industry sectors. POS machines are so common that, for those not behind the counter, they almost fade into the background of any typical shop scene.

But these systems represent big money and big business. Around 15 billion card payments take place in the UK every year, amounting to over £650 billion of purchases, and nearly all of these transactions flow through a POS system at some point. This makes them a lucrative target for hackers and criminals, and explains why we are now increasingly seeing POS malware in the wild.

A POS attack follows roughly the same trajectory as regular malware. It infects the machine (usually running on a standard Windows or Unix installation) via a malicious download, update or remote vulnerability and attempts to collect customer card details. To avoid the payment industry's rigorous end-to-end encryption policies, POS malware scrapes the RAM of the target machine, the only place where payment information is decrypted. These details are then extracted by the malware creators to be exploited. As the information does not contain a CVV number (the 3 digits on the back of your card), the stolen details aren't used to buy online but are instead sold to card forgers, who use them for in-store purchases.

POS malware came to prominence in 2011, when hackers stole the details of 110 million customers from US retailer Target by infecting its till systems. More recently, clothing retailer Forever 21 was infected by POS malware for over seven months in 2017, and in February security researchers at Forcepoint uncovered POS malware that was using DNS traffic to exfiltrate data to a server in Switzerland. Just this month, malware was discovered at over 160 Applebee's restaurants in the US. While these attacks are mainly based in the US, where attackers avoid the extra security of chip and PIN, the increasing number of incidents shows how lucrative and popular these attacks are becoming.
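The Forcepoint finding above, malware moving stolen data out over DNS, is one case where the exfiltration channel itself leaves a detectable trace. The following is an added example, not code from the original article or from Forcepoint: a simple heuristic over a constructed DNS query log that, per client and base domain, counts queries whose leftmost label is long and hex-like or high-entropy, the shape that encoding data into subdomains produces. All hostnames, client addresses and thresholds are assumed for illustration.

```python
import math
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed sample DNS log of (client_ip, queried_name) pairs; not real traffic.
# Client .21 sends a burst of long hex labels under one base domain, the shape of
# payload-in-subdomain exfiltration; client .22 only does ordinary lookups.
SAMPLE_QUERIES = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "update.possystem.example"),
    ("10.0.5.21", "a1b2c3d4e5f60718293a4b5c6d7e8f90.t1.tunnel.example"),
    ("10.0.5.21", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.t2.tunnel.example"),
    ("10.0.5.21", "deadbeefcafef00d0123456789abcdef.t3.tunnel.example"),
    ("10.0.5.21", "fedcba9876543210aabbccddeeff0011.t4.tunnel.example"),
    ("10.0.5.21", "1122334455667788990011223344aabb.t5.tunnel.example"),
    ("10.0.5.22", "www.example.com"),
    ("10.0.5.22", "mail.example.com"),
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than dictionary words."""
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name, base_labels=2):
    """Return (subdomain, base_domain); the base is the last `base_labels` labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def label_is_suspicious(subdomain, max_len=24, min_entropy=3.0):
    """Heuristic: the leftmost label is long and looks hex-encoded or high-entropy."""
    first = subdomain.split(".")[0]
    if len(first) <= max_len:
        return False
    return bool(HEX_LABEL.match(first)) or shannon_entropy(first) >= min_entropy

def find_exfil_candidates(queries, min_suspicious=3):
    """Group by (client, base domain) and flag pairs with repeated encoded labels."""
    stats = defaultdict(lambda: {"total": 0, "suspicious": 0})
    for client, name in queries:
        sub, base = split_name(name)
        stats[(client, base)]["total"] += 1
        stats[(client, base)]["suspicious"] += int(label_is_suspicious(sub))
    return sorted((c, b, s["total"], s["suspicious"])
                  for (c, b), s in stats.items() if s["suspicious"] >= min_suspicious)
```

Thresholds like `max_len` and `min_suspicious` need tuning against a baseline of the estate's normal DNS traffic, since CDNs and some telemetry services also generate long, random-looking labels.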

Like any non-traditional attack surface, there are a number of barriers to effectively tackling the POS threat. Users are often not trained to be aware of the security vulnerabilities the machines can face, which means malware can lie undetected for months and default passwords left over from installation run rife. Similarly, the largest customer base for POS systems is small businesses, which do not have the capital to properly address cyber threats and often do not even see cyber attacks as an essential concern. When POS vendors do not take security seriously either, businesses are left stranded by patches that never arrive.

While overcoming these difficulties is a challenge, there are ways businesses small and large can protect their customers' payment information. Much of the challenge lies in raising awareness: if businesses and individual users have a better understanding of the risks, the result will be fewer default passwords and greater vigilance. POS solution providers can also do more to protect their systems by patching regularly, installing endpoint protection on their machines and implementing whitelisting so only authorised users can access sensitive data.

But with POS malware still mainly a peripheral concern, and with credit card fraud still costing the UK economy as much as £193 billion every year, it seems there is a lot more work to be done to fully protect customer information at the till.