The US Federal Bureau of Investigation (FBI) has warned retailers to harden their defences against cyber-heists, particularly those that skim payment card details from shoppers, as happened to Target.
The BBC reports that Reuters got its hands on the warning, which went out as a confidential report to large retailers.
The FBI reportedly said that over the past year it has seen about 20 cases in which data was stolen using the same type of malware as was inserted onto Target's credit and debit card swiping machines, cash registers and other point-of-sale (PoS) equipment.
The agency expects PoS malware crime to continue to grow in the near term, despite whatever mitigations law enforcement and security firms throw at it.
The profits are huge, and PoS malware code is both too cheap and too widely available on underground markets for thieves to resist, the FBI said.
According to the FBI's report, one copy of this type of PoS malware was found on sale for only $6,000 (£3,600).
That’s actually a bit pricey. I don’t know where they’re shopping, but they’re paying top dollar.
Cybersecurity consultants Group-IB back in September 2013 actually found booby-trapped bank card readers for half that price.
The ones they came across were bundled with a suite of money-stealing support services that made card fraud a snap: $2,000 (£1,200) on a hire-purchase basis, or $3,000 (£1,800) for crooks who just wanted to buy the tampered terminals outright.
The FBI wasn't naming names when it came to whose PoS systems have been compromised, mind you, but Target is the name ringing a lot of bells in that industry these days.
A couple weeks ago, Target CEO Gregg Steinhafel told CNBC in an interview that there was malware installed on the retailer’s PoS registers.
We don’t know yet whether those rigged registers were behind the breach of Target’s (at least) 70 million data records.
But it wouldn’t be terribly surprising if those hacked PoS systems were the means by which the thief got to the vast universe of Target customers and guests.
As SophosLabs researcher Numaan Huq describes in this Naked Security article, this type of card fraud means our card data can be plucked from our hands if we so much as pull out the plastic to pay for one measly candy bar.
In fact, "Buy candy, lose your credit card" is the title of a session at RSA Conference 2014 in February, in which Numaan and Chester Wisniewski will present a paper on the industrialisation of this type of card fraud.
The paper and the presentation cover one specific type of PoS malware, the RAM scraper. It is very interesting stuff: it gets into the nuances of how card data is most definitely not encrypted end-to-end inside PoS systems, even ones compliant with the Payment Card Industry Data Security Standard (PCI DSS), and how RAM scraping takes advantage of that. The card data is decrypted, or never encrypted at all, while the PoS application processes a swipe, so it sits in the process's memory in cleartext for at least a moment, and a scraper that can read that memory simply searches it for the magnetic-stripe track format.