Point-of-Sale Malware: Continued Threat to Businesses and Consumers

NJCCIC Threat Analysis Report

Original Release Date: 7/27/2015

TLP: WHITE 

Summary

Point-of-Sale (PoS) malware breaches attracted wide media coverage throughout 2014 when at least thirteen major U.S. retailers suffered payment card data breaches, the largest affecting approximately 110 million customers. Although PoS incidents have largely remained out of the headlines thus far in 2015, payment card breaches have continued month to month and many new variations of PoS malware have been identified by law enforcement and security researchers. The NJCCIC assesses data breaches resulting from PoS malware will continue to occur at a steady pace throughout 2015 and pose a persistent threat to public and private sector organizations, particularly small to mid-size businesses that lack the cybersecurity resources to prevent, detect, and mitigate these threats. The industries most targeted by PoS malware include retail, food services, healthcare, education, and tourism. While the ongoing implementation of the more-secure Europay, MasterCard, & Visa (EMV) cards, also known as chip-and-PIN, is expected to mitigate PoS vulnerabilities and reduce fraud in the U.S., many retailers and cardholders will remain vulnerable until all EMV cards are issued and PoS terminals throughout the country are updated to accept EMV transactions.

Threat Overview

PoS malware is malicious software designed to steal credit and debit card data from retail payment processing systems. Since 2013, there has been a dramatic rise in the number of PoS malware variants, and the tools and knowledge to conduct these attacks are becoming more widely available through online criminal forums. Ready-to-use PoS malware kits and the widely reported success of previous attacks have made PoS systems an attractive target and lucrative undertaking for criminals across the globe. Additionally, the ‘swipe-and-sign’ process used to complete transactions has been in place since the 1970s and is inherently insecure.

  • Market research firms estimate that only 70 percent of U.S. credit cardholders will receive the new EMV cards by the end of 2015. Moreover, only 50 to 60 percent of PoS terminals throughout the U.S. are expected to be capable of accepting EMV transactions.
     
  • The new cards contain a microchip which authenticates transactions by generating a new digital signature each time the card is used. If criminals attempt to clone EMV cards, any transactions involving the use of the counterfeit cards would be denied due to the lack of a digital signature. However, until all PoS terminals are upgraded, even those with the new EMV cards will continue to complete transactions with the traditional, and vulnerable, magnetic stripe. A number of Western countries, including Canada, France, and the United Kingdom, have seen reductions in fraud since adopting the new EMV standard.
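The following added example, which is not part of the NJCCIC report, models why a per-transaction signature defeats copied card data: an issuer approves a genuine chip transaction and declines a clone carrying only static data, a replayed transaction, and an altered one. It is a simplification that assumes HMAC-SHA256 in place of EMV's actual cryptogram scheme; the class names, fields, and card number are hypothetical.

```python
import hashlib
import hmac
import secrets


def _message(pan, amount, nonce, atc):
    return f"{pan}|{amount}|{nonce}|{atc}".encode()


class ChipCard:
    """Simplified chip: holds a secret key that is never exposed to the terminal."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # counter advances on every use, so each signature is new
        tag = hmac.new(self._key, _message(self.pan, amount, nonce, self.atc),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "atc": self.atc, "tag": tag}


class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, txn):
        key, tag = self._keys.get(txn.get("pan")), txn.get("tag")
        if key is None or tag is None:
            return "DECLINE: no signature"  # static (magnetic stripe style) data only
        msg = _message(txn["pan"], txn.get("amount"), txn.get("nonce"), txn.get("atc"))
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tag):
            return "DECLINE: bad signature"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE: replayed counter"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed card number
    genuine = card.sign(2500, "nonce-1")
    clone = {"pan": card.pan, "amount": 2500, "nonce": "nonce-2"}  # copied static data
    altered = dict(genuine, amount=99900)  # captured signature, changed amount
    return [issuer.authorize(genuine), issuer.authorize(clone),
            issuer.authorize(genuine), issuer.authorize(altered)]
```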

Traffic Light Protocol: WHITE information may be distributed without restriction.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
