Why cybercriminals love our PoS systems (and what we can do to stop the love)

PoS (Point of Sale) fraud and malware used to be little more than keylogging and screen scraping: retrieving credit or debit card details by recording the information that the customer enters on the keyboard and/or that appears on the screen. Nowadays the cybercriminals targeting PoS systems have a more elaborate and more advanced set of weapons available.

Modern weapons

The first big difference with the ‘days of yore’ is the emergence of PoS RAM scraping: malware inside the IT system that the PoS terminals are connected to copies all data held in the RAM of the PoS before those data are sent to the central system and cleared for the next working day. The copied data reside somewhere in the system until they are ‘exfiltrated’ (remotely downloaded) by the cybercriminals, who have gained access to that location. As soon as the credit card details are in their hands, the cybercriminals can start checking their validity and monetizing the validated card details.

This advanced form of PoS hacking and fraud – a combination of infecting the system, scraping the card details and carefully maneuvering them towards a downloadable location – may seem exotic, but this threat has recently become a lot more realistic and imminent. Last year alone, the number of new and/or derived PoS malware families has been as high as in all previous years combined. And we can be quite certain that it will continue rising exponentially in the next couple of years.

PoS cybercrime is becoming big business and will go down the same road that we have seen for other forms of malware: selling the valuable data on a black market, laundering the money using money mules, etc. And the variety of techniques and exfiltration routes will increase as well. We can therefore expect many more data breaches such as those at Target or Home Depot in the recent past. So what should we do to fight and mitigate these new forms of cybercrime?

Industry response

The good news is that the credit card and electronic payment sector itself is trying to mitigate the risk by introducing new technologies. The bad news is that not all remedies are equally effective. The RFID technology, for instance, that has been introduced on EMV (Europay, MasterCard, Visa) cards for contactless transfer of card details may seem like a good idea, but it won’t help at all against PoS RAM scrapers: this type of malware exploits the data after they have been transferred from the card to the PoS, so the mode of transfer is irrelevant. But those cards are harder to counterfeit, so this new generation is not without merit.

More encouraging, though, is the innovation highlighted with the most recent generation of Apple’s iPhone: the payment tokenization technology that Apple Pay uses to complete a payment transaction. This payment method uses a token to encrypt and send the financial details from your phone to the payment processing organization, your bank or another financial institution. That way, intercepted data are worthless because only the final recipient can decrypt the information.
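To make the "intercepted data are worthless" point concrete, here is an added toy example (not Apple's or any payment network's code) of payment tokenization: a token service provider, assumed here to be a single in-process class, swaps the real card number (PAN) for a random, format-preserving surrogate, and only the vault holder can map it back. Whatever a RAM scraper lifts from a PoS that only ever sees tokens is useless to the attacker.

```python
# Added illustration of payment tokenization; the TokenVault class and the
# "Luhn-invalid token" design choice are assumptions of this example.
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum that every real card number satisfies."""
    total = 0
    for i, d in enumerate(reversed(number)):
        n = int(d)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping from token back to PAN (issuer/processor side)."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token with the same length, BIN (first 6) and last 4 digits as
        the PAN, a random middle, and a deliberately failing Luhn check so it can
        never be mistaken for, or used as, a real card number."""
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # A Luhn-valid candidate (including the PAN itself) is rejected.
            if not luhn_valid(token) and token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can recover the PAN; the merchant never can."""
        return self._vault[token]


def merchant_record(pan: str, vault: TokenVault) -> dict:
    """What the PoS/merchant side stores, i.e. all a RAM scraper could find."""
    token = vault.tokenize(pan)
    return {"stored": token, "last4": token[-4:], "pan_present": pan in token}
```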

What can you do?

But aside from these technological innovations, there are measures that you can take yourself to reduce the risk of PoS cybercrime. At the hardware level, you can invest in a number of technologies, such as multi-tier hardware firewalls (to create a segmented network), two-factor authentication for remote access, and point-to-point encryption. At the software level, you can add file integrity monitoring tools and DLP (data loss prevention) software, but you must also make sure that your operating system and anti-malware software are continuously updated.

When configuring your system, there are also some considerations to make. Make sure, for instance, that you change the default settings, e.g. passwords and keys. Eliminate every component (account, service, protocol, …) that you don’t use or need. Disable remote access if it is not required. Use whitelisting so that only approved applications can run. And implement a mechanism that notifies you when system components have been altered.
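The file integrity monitoring and "notify me when components change" measures above boil down to one mechanism: a hashed baseline of the PoS installation, re-checked on a schedule. The following is an added example (not from the post or any product) of that mechanism; the directory layout and file names it uses are constructed for the demonstration.

```python
# Added example: minimal file integrity monitor for a PoS installation.
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map every regular file under root (by relative path) to its digest."""
    root_path = Path(root)
    return {
        str(p.relative_to(root_path)): sha256_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }

def compare(baseline: dict, current: dict) -> dict:
    """Return the changes that should raise a notification to the operator."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in set(baseline) & set(current) if baseline[f] != current[f]
        ),
    }

def demo() -> dict:
    """Constructed scenario: a PoS install is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin")
        bin_dir.mkdir()
        (bin_dir / "pos.exe").write_bytes(b"legit pos binary")
        (Path(d) / "config.ini").write_text("port=8443\n")
        baseline = build_baseline(d)
        # Simulated tampering: binary swapped, config edited, unknown file dropped.
        (bin_dir / "pos.exe").write_bytes(b"trojanised pos binary")
        (Path(d) / "config.ini").write_text("port=8443\ndebug=1\n")
        (Path(d) / "dump.tmp").write_bytes(b"scraped data")
        return compare(baseline, build_baseline(d))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline must be stored off the PoS (or signed) so that malware that can alter the binaries cannot also alter the reference hashes.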

But the most important measures pertain to company policy. Without an elaborate and well-considered policy, most of the measures above will be largely useless. This policy should govern physical access to PoS systems, but it should also cover factors such as PoS system repairs and upgrades, routine deletion of stored cardholder data, restriction of internet access on PoS systems, implementation of logs and audit trails, and automatic re-imaging every 24 hours.


PoS systems will remain a popular target for cybercriminals for years to come, and they will keep inventing new methodologies to gain access to the data stored on these machines. But if we keep collaborating, sharing information, and protecting our systems with the necessary tools and policies, we will most likely not discourage them from trying, but we may convince them to go and look for easier victims.

Author: Frédéric Dohen
