There is a progressive, rarely seen type of malware threatening the data security of small business point-of-sale (POS) systems across the US. Security analysts at Flashpoint note that this new breed of malware, dubbed “DMSniff,” can dynamically create lists of internet domain names to which credit card data stolen from the targeted in-scope POS system can be uploaded. This enables fraudsters to continue stealing card data even if one or more of their domains are shut down by law enforcement or hosting providers.
According to Flashpoint researchers, “point-of-sale malware continues to plague industries such as food services and hospitality where older and unsupported systems remain prevalent.” Criminals intentionally target these in-scope, more vulnerable legacy systems, found primarily in card-present environments. Data from the 2018 Verizon Data Breach Investigations Report suggests that POS terminals are second only to database servers among the assets most commonly compromised in data breaches.
As fraudsters continue to innovate and find more sophisticated ways to commit their crimes, it is imperative that business owners assess and continue to reassess their overall security posture. While “DMSniff” and likely other types of malware have developed new ways to stay connected, their means of attack on the point-of-sale systems remain largely the same. Primarily, this type of malware “scrapes” or “sniffs” the volatile memory of a POS workstation, looking for any data that resembles a credit card number, specifically the contents of a card’s magnetic stripe.
While the implementation of EMV and chip cards was an important security measure, it is not enough to stop the problem. EMV is critical in the reduction of card-present counterfeit fraud, but by itself, EMV does not prevent malware from obtaining important card data (such as the card number) even if the card was not swiped.
The best way to thwart criminals looking for credit card data is to remove any data. This can be achieved through the use of two complementary payment security technologies: encryption and tokenization. Encryption transforms sensitive data into gibberish, while tokenization replaces that data with a non-sensitive representation. Encryption protects data in motion as it traverses from a secure PIN pad or card reader, through a POS system, and out to the public Internet. Tokenization is ideal for protecting data at rest in the system, such as cards on file for repeat customers or subscription payments.
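To make the tokenization half of this concrete, here is an added sketch (not code from Beyond or any payment processor) of a card-on-file record before and after tokenization, with an audit helper that flags any stored string still holding a Luhn-valid card number. `TokenVault`, the `tok_` token format, and the record layout are hypothetical, and the card number is a constructed public test value.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that genuine card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def contains_pan(text: str) -> bool:
    """Audit helper: True if text holds a 13-19 digit run that passes Luhn."""
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return any(luhn_ok(run) for run in runs)

class TokenVault:
    """Hypothetical stand-in for a processor-side vault; only it maps tokens to cards."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:      # repeat customer: same token
            return self._token_by_pan[pan]
        # Random letters carry no information about the card; the last four
        # digits are kept only so staff can recognise the card on file.
        body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = f"tok_{body}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def demo():
    test_pan = "4111111111111111"          # constructed sample: public test number
    vault = TokenVault()
    unsafe_record = {"customer": "C-1001", "card": test_pan}
    safe_record = {"customer": "C-1001", "card": vault.tokenize(test_pan)}
    return contains_pan(str(unsafe_record)), contains_pan(str(safe_record))

if __name__ == "__main__":
    print(demo())
```

The same `contains_pan` check can be run over exported POS database rows or application logs to confirm that no cleartext card numbers remain at rest.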
Developers of such POS systems, “Independent Software Vendors” or ISVs, are increasingly expected to offer support for EMV chip cards, in addition to providing secure card acceptance solutions like encryption and tokenization. Unfortunately, developing support for EMV directly within a POS application can be very costly and time-consuming.
To address these issues for our clients and partners, Beyond offers “out-of-scope” solutions which combine EMV, encryption, and tokenization in a single, simple, and affordable integration. Security is in our DNA at Beyond—so much so that we promise to make every effort to protect and secure your business, thanks to our Beyond Promises. If you want to make sure no one is sniffing your data, get Beyond today.