Compromised POS systems have been the gateway to some of the largest and most damaging data breaches of recent. This month alone we’ve seen yet another data breach by POS malware as well as two new POS malware alerts: a warning from the FBI following Trustwave’s discovery of the RAM scraping Punkey malware as well as Trend Micro’s alert of their discovery of MalumPOS, another piece of RAM scraping malware that specifically targets Oracle MICROS POS systems.

Eataly Compromised by POS Malware, Customer Credit Card Data Stolen

The latest company to fall victim to a major POS-based data breach is Eataly, an upscale Italian food market chain based out of Italy with locations in cities across the globe. Eataly’s New York City store experienced a data breach stemming from a POS system that had been infected with malware. The compromise enabled cyber criminals to pilfer customer credit card data from the company’s 5th avenue location between January 16 and April 2 of this year, according to Eataly’s disclosure of the incident.

Data stolen could include customer names as well as credit card account numbers, expiration dates, and CVV security codes. Eataly reports that the malware has been contained and that customers can safely use payment cards at their NYC store again. The chain is offering a year of free fraud resolution and identity theft protection to any customers that used payment cards at the NYC store between January 16 and April 2. If you think you may have been affected, refer to Eataly’s breach FAQ document for guidance.

With the amount of data breaches happening today and the similarities the Eataly breach has with many others before it, this may seem like “just another breach” to many. However, one aspect of the incident has caught the attention of security experts as an indication that Eataly’s case may be more unique: the company doesn’t collect or store credit card data, so the malware used was able to intercept data in transit. This approach is far less common than POS malware that steals data at rest, such as on an endpoint or server, and has investigators probing deeper into the incident to learn more about the malware used.

New POS Malware Discovered: Punkey and MalumPOS

In addition to the Eataly data breach, POS malware has made headlines with the discovery of two new strains: Punkey and MalumPOS. Trustwave announced is discovery of the Punkey malware in mid-April following their involvement in a U.S. Secret Service investigation. According to Trustwave, Punkey appears to be a derivative of the NewPOSthings family of malware discovered by Arbor Networks in September 2014. Punkey is RAM scraping malware for Windows-based POS systems and is particularly daunting in its ability to encrypt data as it is stolen. The malware made headlines this past week when the FBI alerted businesses that Punkey had been used in a cyber attack on an unnamed restaurant chain. That investigation is still in progress, so it is still uncertain as to which company was targeted and any damage caused by the attack.

Trend Micro announced its discovery of MalumPOS last Friday, June 5. While the company did not disclose how exactly they found the malware or implicate MalumPOS in any cyber attacks, Trend Micro said the malware is currently operating in the wild. MalumPOS was created to compromise Oracle MICROS systems, point-of-sale systems popular in retail stores, hotels, and restaurants. Like Punkey, MalumPOS is RAM scraping malware. What sets MalumPOS apart from similar strains is its design – the malware was built to be reconfigurable, meaning that it can be easily customized to compromise other targets. This feature poses the threat of the MalumPOS being modified to target other popular POS systems such as Radiant or NCR Counterpoint, according to Trend Micro’s announcement.

Securing Point of Sale Systems from Malware Attacks

With POS malware attacks showing no sign of slowing, companies in industries such as retail, food service, hospitality, and others that rely heavily on POS systems must take steps to bolster the security of their systems in anticipation of malware attacks. The following are some tips companies should consider implementing to secure POS systems.

• Use end-to-end encryption for all POS data. Any data collected or processed by a POS system should be encrypted upon receipt and decrypted only when it has reached the payment processor.
• Implement application whitelisting for POS systems. Application whitelisting locks down which applications can run on a POS system, ensuring that applications that can introduce additional risk (such as email or web browsers) are blocked and preventing malware from running the applications needed in order to execute malicious processes.
• Keep POS software up to date. Patch management is a critical practice for keeping any system secure, as many software updates include critical patches for exploitable security vulnerabilities.
• Perform (or require) vulnerability testing for POS software. All software used by a company should be tested for exploitable vulnerabilities, and POS software is no exception. Perform preliminary vulnerability tests of POS software prior to deployment or require software providers to share the results of vulnerable tests conducted on their software.
• Monitor POS systems and all data activity. Detection is critical for responding to and containing a security incident. All POS and data activity should be monitored for indicators of compromise such as anomalous log-in patterns, data flows, network activity, and attempted access to sensitive data stores.
• Segment networks used by POS systems. Eataly’s network segmentation prevented a POS compromise at one store from compromising systems at the chain’s 26 other locations across the globe. While segmentation alone will not stop a breach or compromise, it can still be an effective measure for containment.
• Use secure passwords and two factor authentication. Access control is a critical component of POS security. Use unique and complex passwords for every device and consider implementing two factor authentication for additional protection against unauthorized access.
• Run antivirus/antimalware software. While AV won’t catch every piece of malware, it is still a valuable tool for detecting and removing common/known malware types. Antivirus/antimalware software should be used in conjunction with firewalls and intrusion detection systems to help block or detect as many malware attacks as possible.
• Don’t forget about physical security. Breaches in physical security can produce cyber security incidents. Train employees and security staff to be on the lookout for attempts at tampering with POS systems such as attempts to install card skimmers or access a POS device.