
Beware the Malware

Dan Calabrese // July 1, 2015

The retailer Sally Beauty recently faced a major challenge—both for its IT department and for its public relations staff—when a malware attack infected its point-of-sale (POS) system. Because Sally Beauty does not collect or save its customers’ PINs, the retailer expressed confidence that none were compromised. But it nevertheless felt compelled to offer credit monitoring services to anyone who performed transactions during the two-month period in which the malware affected its POS system.

This is an increasingly serious problem for retailers. Cyber criminals are eager to get their hands on other people’s bank information and credit card data any way they can, and a retailer’s POS system is a potential goldmine. They’re pretty shameless about it, too, in some cases openly selling stolen information via online forums.

How They Get You

So how do the perpetrators of malware attacks get access to a retailer’s POS system, and what can be done about it? One method is for the attacker to physically install hardware on the POS terminal, which then collects customer financial data. The obvious challenge there, of course, is that it requires physical access to the terminal. That innocent-looking guy standing in line with a bag of dog food in one hand and something unidentified in the other? You just might want to pay close attention to exactly what’s in his other hand and never look away from your POS terminal.

But the more dangerous approach to launching a malware attack is via the Internet. It’s more feasible than you may think because a lot of POS systems are Windows-based and they’re connected to the company’s larger IT infrastructure. Orla Cox, writing for Symantec’s corporate blog, explains what happens next:

“Once in the network, they will use various hacking tools to gain access to the network segment hosting the POS systems,” Cox says. “After the POS malware is installed, attackers will take steps to make sure their activity goes unnoticed. These steps could include scrubbing log files or tampering with security software, which ensures that the attack can persist and gather as much data as possible.

“Unfortunately, card data theft of this nature is likely to continue in the near term. Fortunately, stolen card data has a limited shelf life. Credit card companies are quick to spot anomalous spending patterns, as are observant card owners. This means that criminals need a steady supply of ‘fresh’ card numbers.”

Defending Your System

So what can a pet retailer do to protect its POS system from malware attacks and, by extension, protect its customers’ financial data from theft?

New payment technology may help. Emerging “chip and PIN” cards incorporate a computer chip into traditional credit and debit cards, seriously complicating hackers’ ability to mess with customer accounts. As smartphone apps grow as a widespread payment method, they will provide another check against existing hacker strategies.

Of course, you still don’t want that malware in your system, even if some or most of the customers are protected. Companies can help themselves by requiring multiple levels of authentication when information attempts to enter their systems.

For example, a popular method hackers use to infect a system with malware is to send a company’s accounts payable department an email with an attachment that claims to be an invoice. The attachment may be very cleverly presented to look like a real invoice—the sender might even impersonate a real vendor—and a diligent accounting clerk wants to make sure the company stays on top of payables. So the clerk clicks the attachment and, before he or she even realizes what’s happening, a malware attack is underway. Once the malware is in the POS system, it doesn’t take long for that system to be compromised.

A vigorous anti-malware program with multiple levels of authentication can help to protect against an attack like this, simply by making the employee pause and check the legitimacy of the file and the sender before being able to quickly click and open the attachment.

That’s just one example of how such attacks are waged.

A small to mid-sized pet retailer might not have a full-time IT department. Even if you can’t afford to contract with one on an ongoing basis, it’s still a good investment to do a one-time (or occasional) engagement with an IT firm that can review potential vulnerabilities in your system.

Information technology represents a huge step forward in convenience and efficiency but it also represents a threat because of the opportunity it offers to those who know how to use it for nefarious purposes. That’s no reason to go back to paper ledgers and old-fashioned cash registers, though. It just means you have to be as savvy as the wolves. Don’t invest in the POS technology that makes it easier to run your business and then fail to go all the way by failing to invest in protection for it.