In the McAfee Labs Threats Report: Fourth Quarter 2013, one of our primary topics was “the cybercrime industry and point-of-sale (POS) attacks.” During our monthly #SecChat, held last Tuesday, we decided to take this hot-button issue and run with it — discussing the role that off-the-shelf POS malware, online black markets, virtual currencies, and other components of the cybercriminal ecosystem have played in fueling such attacks. We also discussed whether chip and PIN smart cards will reduce the problem, and the best practices used to protect against POS attacks.
Members of the security community who joined our March #SecChat showed both passion and expertise, making for quite a lively discussion. Below are some of the highlights from our chat.
How have POS attacks evolved?
When asked how POS attacks have evolved over the past decade, the answers varied. @Munin said that the use of general-purpose computers for POS creates a wider attack surface. @Msarrel agreed — stating that allowing employees to browse the web on POS machines is a huge risk for both companies and their customer data. In response to @Msarrel, @tcrawford discussed the added danger of employees plugging external devices (such as mobile phones) into POS machines:
@RSimonsm introduced another aspect of the evolution of POS attacks — stating that the cybercrime industry provides off-the-shelf tools to make these attacks easier than ever before.
Speaking of off-the-shelf…
We asked participants to discuss the ways in which organizations could protect against off-the-shelf threats responsible for some of the more notable recent POS attacks. Jim Walter, manager of the McAfee Threat Intelligence Service (MTIS) in the Office of the CTO, noted that proper segmentation, adherence to usage policies, and controls are needed to protect against these threats. Additionally, app whitelisting and situational awareness can go quite a long way. Finally, Jim had the following to say:
Will EMV (AKA “chip and PIN”) smart cards help eliminate fraud?
In perhaps the most lively exchange of #SecChat, attendees debated the merits of EMV cards, used in Canada as well as countries in Europe, Latin America, and Asia. Would these smart cards reduce the rate of POS attacks and fraud? @Christiaan008 and @GetZeroFOX agreed that the adoption of EMV cards would help, but it’s not the only measure that needs to be taken.
So, if EMV smart cards aren’t the answer, what is?
When asked what businesses should do now to help protect consumers against POS attacks, we were overwhelmed with suggestions from #SecChat participants. @Rsimonsm said that tight POS network segmentation, POS compliance, and enough security professionals to monitor and respond to alarms would help. @Gmillard said that implementing proper preventative controls, taking note of defective controls, and measuring security effectiveness was part of the answer. A handful of our other favorite responses are below:
Thanks to all who joined in this productive and lively discussion. To see the full #SecChat conversation, check it out on Twitter. We’re looking forward to the April chat!