Although it’s still early in 2016, already we are seeing reports of point-of-sale (PoS) breaches around the world.
There was also recently a breach at the fast food vendor Wendy’s and it was reported that notes that the breach appeared to be related to the massive POS breaches that hit the retailers Target and Home Depot in 2013 and 2014.
This trend is likely to continue as the year progresses, due to a number of factors.
Why should we expect more POS breaches?
One, the pressure to adopt EMV technology will continue to draw attention. EMV (Europay, MasterCard and Visa) is a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.
Although most statistics point to full EMV adoption not taking place until well into 2017 or 2018, attackers will be free to take advantage of retailers in the process of implementing these devices. Rushed or partial deployments that leave the PoS infrastructure unprepared to run EMV properly, along with customer and merchant confusion, will make this situation ripe for savvy attackers.
Two, attackers will continue to target ill-prepared PoS systems. Although the vulnerabilities are well-documented, organisations continue to struggle with their security hygiene, so that issues such as lax security configurations and weak passwords will leave many vulnerable to attack. As a result, cybercriminals will continue to breach PoS environments using variants of the same malware that we’ve seen used for past breaches.
Three, the continued use of unsupported popular PoS operating systems will also leave merchants vulnerable to attack. During the past two years, three popular Windows operating systems – two of which are directly related to many major PoS platforms (Win XP and XP embedded) – reached their end-of-life. The vulnerabilities of these systems are still being discovered, creating another dimension of IT security risk that many merchants are failing to consider seriously.
Four, mobile payments and e-commerce widen the threat window. New ‘card not present’ scenarios may present unfamiliar threats to organisations, and 2016 is likely to see an increasing number of threats targeting other types of payment systems.
Five, increasingly complex regulatory environments will present new challenges to merchants. We can expect to see more regulations, fines and other consequences associated with payment systems as the community responds to continued threats. This is something for every merchant or payment provider to consider, and it may be time to re-assess their security policies and ability to enforce these. Many who think they are not subject to the scrutiny of particular regulations and mandates may find they are now accountable.
Finally an increasing awareness of security will lead to more sophisticated PoS malware. As more merchants embrace the inevitability of cyber-attacks, malware authors will boost their efforts to stay under the radar and outflank security tools. New PoS malware will target different segments of an organisation’s environment that may be outside the conventional areas of attack.
While this approach is not as fast and easy for the attacker, it is generally more difficult to detect. Malware authors are taking advantage of known exploit vectors found across enterprise systems, as well as intelligence on what has worked against PoS and payment systems. Clearly PoS and payment providers will need to build allegiances and share information more than ever in 2016.
Christopher Strand, PCIP, Sr. Director of Compliance and Governance for Carbon Black