Credit Card Malware During the Holiday Shopping Season
December 21, 2015
A new point-of-sale malware has been discovered just in time for the 2015 holiday shopping season. The latest form of malware can steal credit and debit card information when a customer pays for their purchase. The malware, which is called ModPOS, has infected point-of-sale systems at national retailers, although the specific retailers have not been named publicly. Security researchers say that this malware is the most sophisticated point-of-sale malware to date because it’s a framework rather than one piece of software. The different frameworks combined can collect confidential financial information about customers, and information about retail sales systems. The malware can also figure out the personal log-in credentials of retail employees, including executives. The ModPOS malware has been around for two years, but it was hard to detect because it used encryption and file compression to hide itself from anti-virus scans. Reports also say that health care providers, hospitality companies, and payment card processors might also be affected by this malware.
Security experts have also warned retailers and consumers about another point-of-sale malware called Cherry Picker, which has been around since 2011. Cherry Picker infects a point-of-sale system and then scrapes cardholder information from the memory. Most point-of-sale systems encrypt cardholder data when it’s transmitted to the payment processor for approval. Cherry Picker exploits the fact that many point-of-sale systems don’t encrypt cardholder data that’s stored in the memory before transmission. This malware also uses encryption, command line arguments, and configuration files to avoid detection. Criminals can keep the personal information they have collected about customers for themselves, or they can sell the confidential data online to identity thieves.
Since December 2013, when the data breach at Target affected millions of holiday shoppers, consumers and retailers alike have been concerned about keeping their information safe. Retailers have created an intelligence-sharing program called the Retail Cyber Intelligence Sharing Center in an attempt to stay on top of cyber threats. Despite the creation of this program, consumers are still worried about their information being stolen and used for identity fraud. Some consumers are opting to only use cash at retailers in an attempt to avoid identity theft. A survey conducted by BankRate and Princeton Survey Research Associates International found that 39% of holiday shoppers are planning to use cash to pay for their purchases. Only 22% of shoppers plan to use their credit cards when making a purchase this holiday shopping season. This is problematic for retailers who want customers to sign up for their store credit cards. Consumers are hesitant to sign up for store credit cards because they don’t know if that data will be encrypted and protected. Retailers can show their customers that they are keeping their data safe by requiring identity verification before customers are allowed to sign up for a credit card. Retailers can give their employees a card scanner that can authenticate IDs from all 50 states. With a quick authentication tool, retailers can get customers to sign up for store credit cards while also showing them that they value identity protection.