The payments space is one of the most vibrant areas of financial services at the moment, with consumers craving faster, simpler ways to make payments – especially for those regular, low-value transactions that punctuate our daily comings-and-goings.
Banks, FinTechs, payments firms, credit card issuers and others are jostling for positioning in this crowded landscape. From contactless NFC, to interesting innovations with QR codes, wearables, digital wallets, cryptocurrencies and social media payments, it will certainly be interesting to see how the payments landscape evolves.
But within all the excitement, and the confusion, emerges opportunities for cyber-criminals to target new weaknesses at the point-of-sale (POS).
Arbor Networks has been tracking the emerging threat known as Floki Bot since late last year. Floki Bot is a derivative of the infamous Zeus trojan that rose to notoriety in 2016 by compromising 75,000 websites owned by the likes of ABC, Bank of America and Oracle.
Floki Bot targets POS systems with aggressive spear phishing campaigns accompanied by a RIG exploit kit, aiming to scrape credit and debit card details flowing through these end-points. It once again exposes the fragility of POS systems, as a single breach can unlock access to thousands of card details.
“Retailers need a comprehensive strategy to ensure security at the point-of-sale,” notes Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research.
“This includes data loss prevention and encryption to prevent the exfiltration of critical card data, allowing only authorised applications to run within your POS ecosystem, and ensuring that your POS infrastructure is upgraded to the latest chip-and-PIN standards,” adds Hamman.
He explains that POS malware is generally only effective when applied to systems that lack the point-to-point encryption of data, from the point at which the card is swiped; to the point the acquiring bank decrypts it.
Well-orchestrated attacks on retailers can be devastating. US-based retailer, Target was forced to shell out $10 million to customers, after many of its POS systems were injected with malware (and the resultant reputation damage and loss of trust may well have cost far more than this direct cost).
“As we move towards contactless cards, NFC-enabled wallets on cell phones or wristbands, and other payment innovations, the threat surface becomes fractured into multiple pieces,” advises Hamman. “New techniques, such as packet sniffing over local-range networks, are adding new layers to the traditional problem of POS RAM-attacks”.
By integrating solutions such as Arbor Networks Spectrum into the POS ecosystem, retailers are unburdened of the pressure to stay on top of emerging payments threats. They’re able to better insulate their customers from any security compromises on their side, such as malware on a smartphone that is using an Apple Pay contactless wallet.
Spectrum continually scans the emerging threat landscape, moving with the times, and detecting and eliminating advanced threats in real-time.
“As sensitive data passes between the two parties, the payment touch-point between consumers and retailers will always be a hot area for cyber-criminals,” he adds. “Floki Bot will certainly not be the last major threat we see in this space.”
“The task for retailers is to create increased levels of convenience – including things like self-checkout, multiple payment options, integration into loyalty schemes, automatic coupon discounts – while preserving the sanctity of the transactions.”