As the holiday shopping season kicks off, cyber threat intelligence experts have announced they have discovered the most sophisticated point-of-sale malware to date. It has already impacted multiple national retailers and millions of credit cards. Cyber threat intelligence company iSight Partners Inc. has been tracking the malware, called ModPOS, short for “modular point-of-sale system,” since it discovered early signs of its framework in 2012, said Stephen Ward, a senior director at iSight Partners.
Often, shoppers associate risk with shopping online, said Herbert Lin, a cyber policy expert at Stanford University; ModPOS is significant because it impacts those paying in stores at the register. And although other forms of malware have impacted “point-of-sale,” or retail, locations before, ModPOS is the most advanced.
“You could almost call this an evolution in the way cyber crime is being done at the point of sale,” said Jake Williams, an information security consultant.
The system is comparable to a Swiss Army knife because it is able to tap into shoppers’ information in many different ways, from determining what type of software a cashier is using to figuring out consumers’ usernames and passwords to tracking the keystrokes cashiers make during check-out, Ward says. Later, those using the malware can use that credit-card information in transactions for which a physical credit card isn’t required.
To boot, the malware is particularly difficult to detect, said Maria Noboa, a senior technical analyst at iSight Partners. “It gives anyone full control of your system, and you have no idea they’re on there,” Noboa said.
There are several measures shoppers should take to protect themselves. For this particular threat, mobile-payment methods that use “tokenization,” including Apple Pay, offer more protection because credit and debit card numbers are not shared as part of an in-store transaction. Shoppers should also be careful when making purchases on public Wi-Fi networks because many are not protected with encryption, said Pam Codispoti, the president of Chase Consumer Branded Cards.
EMV, or “chip” cards, were designed to prevent credit-card cloning, and therefore also add extra protection against many types of theft. However, they will not protect against ModPOS if at any point in the transaction the credit-card information becomes “unencrypted,” Lin said. And consumers won’t necessarily know in advance if this will happen; it can happen when retailers incorrectly set up their credit-card systems, or even when manufacturers make the equipment for doing so.
Avoiding using a credit card when possible is also a good idea, Ward said, even if it’s not always convenient or practical. “From a security perspective, cash is king.”
“If you can’t, use a good old check,” said Avivah Litan, a security analyst at Gartner Inc., a Stamford, Conn.-based market research and advisory firm.
However, there are obvious risks involved with carrying too much cash, including the risk that if lost or stolen, cash obviously won’t be replaced by a credit-card company. To get around this, shoppers can ask their banks for a one-time-use credit card number or a pre-paid credit card, said Joseph Steinberg, an Internet security expert. Many consumers were already planning to do most of their holiday shopping in cash; a recent survey from personal finance site Bankrate showed that 39% of Americans plan to make most of their holiday purchases in cash, followed by debit cards (31%), credit cards (22%) and checks (3%).
Despite the threat, it’s unlikely many shoppers will take note and change their shopping habits, iSight’s Ward said. “The American public has been somewhat fatigued by breach disclosure over the course of the last few years,” he said. “We see the latest headline, but we don’t look at things in totality.” One theory as to why: Ultimately, the responsibility for protecting consumers falls on retailers, which could push up their costs and prices, Litan said. But even when consumers get their money back, they’ll have to deal with the “hassle factor” of replacing their cards.
For retailers, this process doesn’t come cheap. Target disclosed in a recent financial filing that it has incurred $252 million of data breach-related expenses. The direct cost of a data breach per compromised record increased from $201 in 2014 to $217 in 2015, according to a May 2015 study from the Traverse City, Mich.-based research center Ponemon Institute, sponsored by IBM. Direct costs refer to what companies spend to minimize the consequences of a data breach and to assist victims of such breaches; they include engaging forensic experts to help investigate the data breach, hiring a law firm and offering victims identity protection services.