A new FBI report warns the payment industry that more computer attacks designed to steal credit and debit card data at the point of sale are likely to occur for at least the next three to five years.

The report was directed to retailers, but by extension, has meaning for card issuers, including credit unions and card processors. The FBI said it did not report solely on its own investigations, but used the report to reference the work of the wide variety of federal security agencies at work on different aspects of the challenge.

“As the [Department of Homeland Security] report suggests, the growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors,” the report from the FBI's cyber division read. “We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.”

The FBI said that it had discovered roughly 20 incidents over the past year where software designed to steal card numbers had been introduced onto the POS terminals of U.S. retailers. It also indicated in the Jan. 17 report that programs designed to perpetrate these thefts have been seen on sale in underground criminal forums for $6,000.

The report identified six different malware packages that had been used in the 20 breaches or breach attempts and discussed four in detail.

BlackPOS is a malware package that infects computers running Windows that are part of POS systems and have card readers attached to them. According to the FBI report, once installed on a POS system, the malware identifies the running process associated with the credit card reader and steals payment card track one and track two data from its memory. One of BlackPOS’ weaknesses is not having an offline data extraction method but instead having to upload captured information to a remote server via a file transfer protocol.

A malware package called Dexter appears to have been a test package that was run last October and November. This is a Windows-based malware package that may have been the precursor to one called Vskimmer that is also aimed at Windows-based systems, according to the report. Vskimmer also has a unique way of handling the task of getting the captured data back to the thieves. Researchers have determined that if a Vskimmer-infected machine is not connected to the internet, the program will wait until a USB drive with the volume name KARTOXA007 is inserted into the computer, and download stolen information to the USB drive, according to the FBI.

In the document's only bright spot, the FBI said the POS theft software had not infected POS terminals on its own, but had always been delivered subsequent to other breaches which were often made using well-known and routine strategies. This suggested that tightening up on standard data security measures could play a key role in keeping the software off of POS systems.

“The POS malware is typically introduced into a system after the system has already been compromised. In other words, the POS malware serves as the payload as a result of the initial intrusion,” the report said. “The attack can take various forms, such as phishing e-mails, compromised websites and other common infection vectors.”

On the other hand, the data being captured in these breaches is of sufficient value to thieves that it will likely prompt persistent efforts to steal it and an increasing amount of resources devoted to that effort, the FBI said.

“The high dollar value gained from some of these compromises can encourage intruders to develop high sophistication methodologies, as well as incorporate mechanisms for the actors to remain undetected,” the report said.

The report's primary impact may be to spur the move to cards with embedded chips in them and which use the EMV standard, according to Randy Vanderhoof, executive director of the Smart Card Alliance, an association created to develop and promote smart card usage in the U.S.

“The report told retailers primarily but the whole payments system as well that the problems with magnetic stripe payment cards are here to stay and the whole payments system needs to finish the migration to EMV,” said Vanderhoof.

EMV is an open-standard set of specifications for smart card payments and acceptance devices. Cards with chips that conform to EMV contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.

The Smart Card Alliance points out that EMV cards store payment data in the card's chip where it cannot be easily compromised and is impervious to access by unauthorized parties. The microprocessor chip is used instead of the magnetic stripe during each EMV payment transaction and helps to prevent card skimming and card cloning, the most common ways magnetic stripe cards are compromised and used for fraudulent activity.

In addition, the chip provides the means to authenticate the card as genuine and generates a code, which can be authenticated offline or online, that ensures the transaction is genuine.

Further, each transaction uses a unique code that cannot be duplicated. This means that data cannot be stolen from a card transaction and used to create other, fraudulent, transactions, according to the Smart Card Alliance.
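
The per-transaction code described above can be illustrated with a short added example, which is not from the FBI report or the Smart Card Alliance. It is a simplified model: HMAC-SHA256 stands in for the chip's cryptogram algorithm, and the names ChipCard and Issuer, the card number and the key are constructed for illustration.

```python
import hashlib
import hmac

def _mac(key, pan, atc, amount, nonce):
    # Assumption: HMAC-SHA256 stands in for the chip's real cryptogram algorithm.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Toy chip card: the key and the transaction counter stay inside the object."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount, nonce):
        self._atc += 1  # the counter advances on every transaction
        code = _mac(self._key, self.pan, self._atc, amount, nonce)
        return {"pan": self.pan, "atc": self._atc, "amount": amount,
                "nonce": nonce, "code": code}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE unknown card"
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "DECLINE bad code"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE replayed counter"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

    def authorize_stripe(self, track_data):
        # Static stripe data: the same bytes are accepted for every purchase.
        known = track_data.split("=")[0] in self._keys
        return "APPROVE" if known else "DECLINE unknown card"

def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    issuer, card = Issuer(), ChipCard(pan, b"constructed-demo-key")
    issuer.enroll(pan, b"constructed-demo-key")
    seen = card.pay(2500, "n-001")                  # message as seen at the terminal
    results = [issuer.authorize_chip(seen),          # genuine purchase
               issuer.authorize_chip(seen),          # same message submitted again
               issuer.authorize_chip({**seen, "atc": 2, "amount": 99900})]  # altered copy
    stripe = pan + "=constructed"                    # constructed static stripe data
    return results + [issuer.authorize_stripe(stripe), issuer.authorize_stripe(stripe)]
```

The chip message is approved once and then declined when replayed or altered, while the static stripe data is approved both times it is presented.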

Vanderhoof said he was uncertain if a scenario where breaches are ongoing would be enough to break the logjam between issuers and retailers about going forward with the cards.

“We are in the situation now where thieves are targeting our payment system because we are the only developed world system that doesn't use EMV cards,” Vanderhoof pointed out. “They are going to continue doing so until we begin using them.”

Vanderhoof said what might push the overall payments system into using the EMV cards is the liability shift deadline of Oct. 1, 2015, adding it's “right around the corner.”

The alliance considers the October liability shift a key date because, as of then, liability for fraudulent transactions will move to the weakest link in the transaction. If a consumer uses a magnetic stripe in an EMV-capable POS terminal and the transaction turns out to be fraudulent, liability for that fraud loss will rest with the issuer of the original magnetic stripe card. However, if a user uses a magnetic stripe card for a fraudulent transaction on a terminal which cannot process EMV, the liability for the fraud will rest with the merchant.

“The liability shift is coming quickly,” Vanderhoof said. “I haven't heard of any of the card brands postponing it.”
