Incident Of The Week: Russell Stover's Chocolates Latest To Disclose Retail Point-Of-Sale Machine Breach
Payment Card Machine Malware Remains Effective At Collecting Large Volumes Of Customer Data
Another week and another data breach from retail point-of-sale (POS) transaction machines. This time, retail store customers of Russell Stover’s Chocolates who used a payment card between February 9 and August 7 of this year could have had their payment card information captured by machines that were infected by malware. The company disclosed the breach this week after notifying authorities and launching its own investigation into the threat.
- Organization: Russell Stover Chocolates
- Timeframe of Breach: February 9 – August 7, 2019
- Type of Attack: Retail POS Machine Malware
- Number of Records Affected: Not disclosed
- Information Involved: Payment card data including some consumers’ first and last names, payment card numbers and expiration dates
- Breach Disclosure Date: August 30, 2019
Upon learning of the incident, Russell Stover initiated an investigation, engaged independent cybersecurity experts, and took measures to eradicate and contain the malware. The company says that it has no evidence that any of the payment card information has been inappropriately used.
The company also took steps to contain and remediate the incident, including removing the malware from its systems. Further steps are also being taken to strengthen its security measures, including through enhanced employee training and improved technical measures.
Despite Modern Commercial Solutions, POS Malware Incidents Growing
Payment card transaction terminals remain a popular target for attackers. The convenience of swiping a payment at point-of-sale helps facilitate an increased volume of transactions, which in turn makes POS machines an easy way to collect data on a large number of people.
Financial institutions have transitioned to the EMV Chip + PIN process for payment cards in the past few years, which is a form of Two-Factor Authentication (2FA). However, adoption by consumers, retailers and transaction processing companies is not mandatory and many have stayed with legacy swipe-and-sign solutions.
The percentage of card-present transactions that were EMV in the United States over full-year 2018 was only 53.5%, according to data collected from payment card companies by EMVco. Every other part of the world (except Asia) exceeded 90% EMV use during the same period. Needless to say, the rate of POS data attacks should not be a surprise given the transaction behavior in the United States.
Security researchers Forcepoint X-Labs studied 2,000 examples of POS malware written in assembly code and very small in size (2-7kB). Dubbed “TinyPOS”, the samples were grouped into four buckets: “loaders”, “mappers”, “scrapers” and “cleaners”. The researchers concluded that the most probable initial attack vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (deemed unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.
Any system storing and transmitting personal data should undergo an audit in relation to how that data is managed and stored. Enough technology and process exists that POS malware attacks can be a thing of the past.