A new FBI report warns the payment industry that more computer attacks designed to steal credit and debit card data at the point of sale are likely to occur for at least the next three to five years.
The report was directed to retailers, but by extension, has meaning for card issuers, including credit unions and card processors. The FBI said it did not report solely on its own investigations, but used the report to reference the work of the wide variety of federal security agencies at work on different aspects of the challenge.
“As the [Department of Homeland Security] report suggests, the growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors,” the report from the FBI's cyber division read. “We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.”
The FBI said that it had discovered roughly 20 incidents over the past year where software designed to steal card numbers had been introduced onto the POS terminals of U.S. retailers. It also indicated in the Jan. 17 report that programs designed to perpetrate these thefts have been seen on sale in underground criminal forums for $6,000.
The report identified six different malware packages that had been used in the 20 breaches or breach attempts and discussed four in detail.
BlackPOS is a malware package that infects computers running Windows that are part of POS systems and have card readers attached to them. According to the FBI report, once installed on a POS system, the malware identifies the running process associated with the credit card reader and steals payment card track one and track two data from its memory. One of BlackPOS’ weaknesses is not having an offline data extraction method but instead, having to upload captured information to a remote server via a file transfer protocol.
A malware package called Dexter appears to have been a test package that was run last October and November. This is a Windows based malware package that may have been the precursor to one called Vskimmer that is also aimed at Windows based systems, according to the report. Vskimmer also has a unique way of handling the task of getting the captured data back to the thieves. Researchers have determined that if a Vskimmer-infected machine is not connected to the internet, the program will wait until a USB drive with the volume name KARTOXA007 is inserted into the computer, and download stolen information to the USB drive, according to the FBI.
In the document's only bright spot, the FBI said the POS theft software had not infected POS terminals on its own, but had always been delivered subsequent to other breaches which were often made using well known and routine strategies. This suggested that tightening up on standard data security measures could play a key role in keeping the software off of POS systems.
“The POS malware is typically introduced into a system after the system has already been compromised. In other words, the POS malware serves as the payload as a result of the initial intrusion,” the report said. “The attack can take various forms, such as phishing e-mails, compromised websites and other common infection vectors.”
On the other hand, the data being captured in these breaches is of sufficient value to thieves that it will likely prompt persistent efforts to steal it and an increasing amount of resources devoted to that effort, the FBI said.
“The high dollar value gained from some of these compromises can encourage intruders to develop high sophistication methodologies, as well as incorporate mechanisms for the actors to remain undetected,” the report said.
The report's primary impact may be to spur the move to cards with embedded chips in them and which use the EMV standard, according to Randy Vanderhoof, executive director of the Smart Card Alliance, an association created to develop and promote smart card usage in the U.S.
“The report told retailers primarily but the whole payments system as well that the problems with magnetic stripe payment cards are here to stay and the whole payments system needs to finish the migration to EMV,” said Vanderhoof.
EMV is an open-standard set of specifications for smart card payments and acceptance devices. Cards with chips that conform to EMV contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.
The smart card alliance points out that EMV cards store payment data in the card's chip where it cannot be easily compromised and is impervious to access by unauthorized parties. The microprocessor chip is used instead of the magnetic stripe during each EMV payment transaction and helps to prevent card skimming and card cloning, the most common ways magnetic stripe cards are compromised and used for fraudulent activity.
In addition, the chip provides the means to authenticate the card as genuine and generates a code, which can be authenticated offline or online, that ensures the transaction is genuine.
Further, each transaction uses a unique code that cannot be duplicated. This means that data cannot be stolen from a card transaction and used to create other, fraudulent, transactions, according to the Smart Card Alliance.
Vanderhoof said he was uncertain if a scenario where breaches are ongoing would be enough to break the logjam between issuers and retailers about going forward with the cards.
“We are in the situation now where thieves are targeting our payment system because we are the only developed world system that doesn't use EMV cards,” Vanderhoof pointed out. “They are going to continue doing so until we begin using them.”
Vanderhoof said what might push the overall payments system into using the EMV cards is the liability shift deadline of Oct. 1, 2015, adding it's “right around the corner.”
The alliance considers the October liability shift a key date because, as of then, liability for fraudulent transactions will move to the weakest link in the transaction. If a consumer uses a magnetic stripe in an EMV-capable POS terminal and the transaction turns out to be fraudulent, liability for that fraud loss will rest with the issuer of the original magnetic stripe card. However, if a user uses a magnetic stripe card for a fraudulent transaction on a terminal which cannot process EMV, the liability for the fraud will rest with the merchant.
“The liability shift is coming quickly,” Vanderhoof said. “I haven't heard of any of the card brands postponing it.”