This document discusses point-of-sale (POS) malware and credit card transaction security. It begins by explaining how POS terminals and the credit card transaction ecosystem work. It then introduces POS malware, noting how early breaches captured card data during transmission but modern malware extracts it from RAM. The document outlines the evolution of POS malware from 2011-2015 and common infection methods. It provides a case study on the BlackPOS malware and discusses new technologies like EMV chips, NFC payments, and their impacts on security.

1. POS Malware: Is your
Credit/Debit Card
Transaction Secure?
Amit Malik
Member @ Cysinfo
Researcher @ Netskope

2. Agenda
• POS Terminal
• Understanding Credit Card transaction ecosystem
• POS malware - Introduction
• POS Malware Evolution
• POS Infection Vectors
• Case study
• BlackPOS
• New Technologies (EMV/NFC/RFAID)

3. POS Terminal
• Wikipedia: https://en.wikipedia.org/wiki/
Point_of_sale
• POS terminals are combination of software and
hardware that allows the retail locations to
accept credit card.

4. Credit Card Transaction
Ecosystem
http://www.pathwaypayments.com/processing-diagram.html

5. Inside Credit Card
• Magnetic Strip of the card has three data tracks
-1,2 and 3. Only Track -1, 2 are used by cards.
• Track 1 was created by IATA (International Airport
Transport Association) and contains 79
alphanumeric characters.
• Track 2 was created by American Bankers
Association and contains 40 numeric characters.
• https://en.wikipedia.org/wiki/Magnetic_stripe_card

6. Inside Credit Card Cont.
• Checksum is calculated using Luhn algorithm (https://en.wikipedia.org/wiki/Luhn_algorithm).
• https://en.wikipedia.org/wiki/Payment_card_number

7. POS Malware: Introduction
• Early data breaches used network sniffing to
capture the card data while in transit. But this
became obsolete because of end to end
encryption on the wire.
• POS terminals read the card data. The card data
can be found in clear text for a very small amount
of time in the POS RAM.
• POS malware scrap the RAM to collect the card
data.

8. POS Malware Data Breaches
2012
2013
2014
2015
2016
subway
Target
&
The Home Depot
Schnucks
NEXTEP
&
Hilton
MICROS

9. POS Malware Data Breaches
In Numbers
0
150
300
450
600
2013 2014 2015
*Data from Verizon Reports

10. POS Malware Incidents per
Industry
0255075
100
Accom
odation
Entertainm
ent
H
ealthcare
Retail
O
therServices
2013 2014 2015
*Data from Verizon Reports
%

11. POS malware Evolution
2011
2012
2013
2014
2015
Rdasrv VmSkimmer,
Chewbacca
BlackPOS,
Alina,
Dexter
Decebal,
JackPOS,
Soraya,
Backoff,
BrutPOS,
BlackPOS v2
POSeidon,
LogPOS,
pwnPOS,
FighterPOS

12. POS Infection Methods
• Stolen Credentials
• Social engineering
• Phishing Campaign
• Insiders
• Software vulnerability

13. Case Study - BlackPOS
• Demo (Conceptual) - Memory scrapping using
Pymal
• Sample Analysis - BlackPOS.

14. New Technologies
• EMV - ‘Chip and PIN’, The chip on the card now
stores the encrypted card data. It makes the
counterfeit difficult but not immune to POS
malware.
• New methods like Apple pay or contactless
payment methods are not vulnerable to this
threat but they open the new possibilities and
change in threat landscape.

15. Thank You!