Plenty of ink was spilled about the security (or insecurity) of point-of-sale devices when Target Corp. was breached last year. What wasn't so clear was what realistically could be done about it.
At the Black Hat USA conference in Las Vegas next week, NCR Retail Enterprise Security Architect Nir Valtman will demonstrate several specialized attacks he's created as proofs of concept and discuss preventative measures that retailers and point-of-sale (POS) system vendors could take.
In an interview the week prior to his Aug. 7 conference session, Valtman said the research he'd be presenting was based on threat analyses he'd performed "trying to understand these malwares that harm or hack into point-of-sale endpoints, seeing what they're doing and how they can be protected by any means. And when I say 'any means' I mean including physical steps, or changes to the operating system, or things that can be done on the vendor side."
According to Valtman, one thing vendors could readily do to up their game is to use code signing -- creating a cryptographic hash value tied to a specific binary executable as a verifiable check against tampering. "If you have signed software, it will be very hard to inject unsigned code," he noted. "But, if you look at even some of the leading security companies -- not just point of sale vendors -- you'll see companies choosing what to sign and what not to sign. A lot of these programs run without being signed and without being obfuscated."
Valtman said many retailers use whitelisting -- "in fact, some of them use whitelisting instead of antivirus" -- but some whitelisting approaches use fairly weak algorithms so as to avoid making performance tradeoffs. Valtman has found ways to inject malicious DLL files onto POS systems, for example. Malicious DLLs can, of course, be memory scraping malware, and the Black Hat session will include a demonstration of just such an attack.
Nor is there a final solution for memory scraping offered by the retail industry's migration to the EMV (Europay/Mastercard/Visa) standard, which spells out global interoperability for POS and ATM systems using integrated circuit cards (chip cards) rather than the magnetic stripe cards currently deployed in the U.S. "I know that chip and PIN is more secure, probably, than just using magnetic stripes," Valtman said. "Having said that, sometimes you can play with the configurations of the PIN pad, call the PIN pad in another way, and make it work in an unencrypted way. We have a lot of problems in the point of sale."
Valtman said retailers should shore up their overall defenses around POS systems and not just rely on POS vendors to make these systems airtight. Companies should put extra focus on data loss prevention, for example. "I don't care if someone tries to hack into the memory and scrapes the data on a POS," he added. "I do care if someone tries to exfiltrate this data."
Meanwhile, the industry is still trying to sort out just how big the threat is. After the storm of Target news, there's been relative quiet on the POS front this year, even though the U.S. Federal Bureau of Investigation sent select retailers a confidential, three-page warning in January that alerted them to potential Target-style POS attacks in the coming months.
For more on warding off memory scraping attacks, check threat expert Nick Lewis's update on RAM-scraping malware.