Should non-EMV transactions be phased out completely? An analysis of TinyPOS
For the last year Forcepoint X-Labs has been collecting samples of Point-of-Sale (POS) malware that stood out for their hand-crafted nature, were written in assembly code and were very small in size (2-7kB).
In this blog we shall examine the attributes of TinyPOS and explore why retail organisations are still faced with POS malware and thus what can be done to protect organisations, consumers and their personal data.
A full report of our analysis is available to download at the foot of this blog.
What makes POS terminals such an attractive target?
Put simply, POS malware is still effective at collecting large amounts of personal information. For example, in March 2019 Earl Enterprises issued a public-facing notification of a data breach affecting multiple restaurants in their portfolio including the Planet Hollywood and Buca di Beppo brands. They had discovered that POS malware had been siphoning personal information from their systems for approximately 10 months.
On 9 April 2019 Microsoft ended support for Windows Embedded POSReady2009 (a Windows XP-derived POS OS). As systems continue to use legacy software, and hardware, it becomes increasingly difficult to protect from opportunistic and determined adversaries.
We then have to factor in human fallibility. Consumers may still prefer to sign for their transaction, or even swipe their credit card, rather than convert to EMV Chip-and-PIN. Further, many regions have not yet benefited from the improved security afforded by wide-scale adoption of EMV to authenticate card transactions. While Swipe-and-Sign still exists merchants may not be adopting the more secure standards demanded of EMV. Data from EMVCo shows the United States still lags behind other regions in that only 53% of card-present transactions are EMV, compared with up to 97% in Europe.
As such we believe that POS malware looking for Track 1 and Track 2 credit card data will still continue for as long as wide-scale adoption of EMV remains a challenge.
TinyPOS – Point-of-Sale malware to collect swipe-and-sign data
During our study we collected 2000 unique samples within the Tiny ecosystem. We grouped these into “loaders”, “mappers”, “scrapers” and “cleaners”.
Loaders – an obfuscated executable with simplistic downloader functionality. The core functionality of a loader is to establish communication with a hard-coded set of Command-and-Control servers. This communication results in longer code snippets being downloaded into memory, concatenated and executed. A system process list is then generated confirming the presence of a POS system. Additional downloads then occur. Remember that the loaders are incredibly small in size (2-7kB).
Mappers – this component gathers information about the machine and environment upon which it was executed. Through this network reconnaissance activity we believe mappers helped the operators to gather extensive knowledge of different POS system layouts and deploy campaigns targeting only specific retailers.
Scrapers – these components work like any other POS memory scraper with the goal of collecting Track 1 and Track 2 credit card data.
Cleaners – a component that cleans up running processes, registry keys, tasks and files once the operation is finished.
The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.
Protection Statement and Indicators of Compromise
Forcepoint customers are protected against TinyPOS at the following stages of attack:
Stage 5 (Payload) - protection from the deployed POS malware components.
Stage 6 (Command and Control) – protection from the communication to and from the hardcoded C&C servers.
Please read our full report for details relating to protection mechanisms and an extensive list of IOCs.
Read our full analysis report
The initial phase of this research was first presented at the Hacktivity conference in October 2018. A recording is available here:
While Swipe-and-Sign exists as an authentication option for card-present transactions, POS malware like TinyPOS will continue to be effective. We strongly recommend that retailers and banks aggressively pursue a move to EMV (at least Chip-and-Signature, preferably Chip-and-PIN).
It is recommended that an audit be performed on any system storing and transmitting personal data in relation to how that data is managed and stored. The goal should be to make it harder for credit card data to be extracted from the retailer’s systems. This includes while in transit.