POS Malware Exploits Weakness in Gas Station Networks

December 20, 2019 Nimrod Stoler

Point-of-Sale Malware

Who would have thought that the riskiest part of your day would be gassing up your car?  Risky for your wallet, anyway. VISA recently reported that gas stations across North America are facing a spree of cyber attacks wherein attackers deploy point-of-sale (POS) malware on gas station networks with the goal of harvesting credit card information. Over the course of November and December, VISA investigated at least five such incidents.

So, why are gas stations in attackers' sights right now? They have found a weak spot in pay-at-the-pump transactions. The US is one of the last places in the world where magnetic stripe credit cards are still widely accepted, and the stripe is far less secure than an EMV chip-and-PIN card.

A chip-and-PIN card ties the card to the cardholder with a PIN, much as a debit card does: without the PIN, a stolen card number alone is of little use. More importantly, the chip is far harder to copy than a magnetic stripe because it computes a fresh cryptogram for every transaction with a key that never leaves the chip, so data captured from one transaction cannot be replayed or used to clone the card. A magnetic stripe, by contrast, is a static record that is read out in full on every swipe.

As of 2018, some 50% of general-purpose credit card transactions in the US still used the magnetic stripe, leaving around 20 billion transactions a year on the less secure path. Many gas stations have installed chip-and-PIN readers inside the store but have not replaced the readers on the pumps themselves, so every pump transaction falls back to the magnetic stripe. A chip-and-PIN card swiped at the pump therefore gets exactly the same protection as a stripe-only card: none of the chip's cryptography is used.

However, while the weakness is at the pump, this goes beyond the skimming scams we are familiar with. The attackers are not tampering with the pumps; they are deploying malware on a computer in the gas station's back office to gather card data. Here is how it works.

A magnetic stripe transaction starts when the cardholder swipes at the pump. The pump forwards the track data it read to a back-office computer that aggregates transactions from every pump on the forecourt, decodes (or decrypts) them into plaintext, holds them in memory and forwards them to the acquiring bank for authorization. Malware on that computer never needs to touch a pump: it sweeps the memory of the payment process for anything shaped like track data, a technique known as RAM scraping, and collects card numbers and expiry dates in the clear.

Transactions at the pump fall under the Payment Card Industry Data Security Standard (PCI DSS). The standard forbids storing full track data after authorization, even in encrypted form; requires the card number (PAN) to be rendered unreadable wherever it is stored, whether by truncation, hashing, tokenization or strong encryption; and requires strong cryptography whenever cardholder data crosses open, public networks. What it does not cover is the data sitting in a process's memory while the transaction is being authorized, and that window is exactly what a memory-scraping implant targets.

Unfortunately, practice often falls short of the standard: data on the back-office computer is frequently left unencrypted or only loosely encoded, and even a compliant host holds the plaintext in memory for a moment. If that data came from a magnetic stripe, which carries a static copy of the card number and expiry date with no per-transaction cryptography to protect it, then whatever the attacker captures is enough to make fraudulent purchases or write a cloned card.
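The following added example is not code from the original post or from CyberArk. It shows, for the back-office scenario described above, what a memory-scraping implant actually looks for (ISO/IEC 7813 track data, filtered with the Luhn check), and what a PCI-compliant record keeps once authorization is done: a truncated PAN and a keyed hash, with no track data at all. The memory snapshot, the HMAC key and the card number are constructed for the example; 4111 1111 1111 1111 is a published test number.

```python
"""Added example (not part of the original post): what a memory-scraping POS
implant looks for, and why a compliant back-office record gives it nothing.

A magnetic-stripe read lands in memory as ISO/IEC 7813 track data. Track 2
looks like  ;PAN=YYMMSSSdddd?  and Track 1 like  %BPAN^NAME^YYMMSSSdddd?
(PAN = card number, YYMM = expiry, SSS = service code, d = discretionary data).
RAM scrapers do little more than sweep process memory with these patterns and
keep the hits whose PAN passes the Luhn check.
"""
from __future__ import annotations

import hashlib
import hmac
import re

TRACK2 = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,100})\?")
TRACK1 = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,100})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that scrapers (and fraud filters) use to drop false hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_track_data(buf: bytes) -> list[dict]:
    """Sweep a memory buffer the way a RAM scraper does; return plaintext hits."""
    hits = []
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_ok(pan):
                hits.append({"track": track, "pan": pan,
                             "expiry": m.group("exp").decode()})
    return hits


def protect_pan(pan: str, key: bytes) -> dict:
    """What a PCI DSS-compliant record keeps after authorization: a truncated
    PAN (first six / last four) for display and a keyed hash for lookups.
    Full track data, CVV and PIN are never written anywhere."""
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_token": hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(),
    }


def build_sample_memory() -> bytes:
    """Constructed snapshot of a back-office payment process: the swipe has
    been decoded into plaintext track data sitting between ordinary strings."""
    track1 = b"%B4111111111111111^DOE/JANE^2512101000000000000?"
    track2 = b";4111111111111111=2512101123456789?"
    return (b"PUMP07 AUTH_REQ " + track1 + b"\x00" * 16
            + b"log: forwarding to acquirer\r\n" + track2 + b"\x00" * 8)


def demo() -> tuple[list[dict], list[dict]]:
    """Scrape the constructed snapshot, then scan the protected record."""
    scraped = scan_for_track_data(build_sample_memory())
    key = b"constructed-demo-key"  # in production this lives in an HSM
    record = protect_pan(scraped[0]["pan"], key)
    stored = ("pan=%s token=%s" % (record["pan_masked"],
                                   record["pan_token"])).encode()
    return scraped, scan_for_track_data(stored)


if __name__ == "__main__":
    before, after = demo()
    print("scraped from memory:", before)
    print("scraped from protected record:", after)
```

Run it and the first scan returns both tracks with the full PAN and expiry, which is all a fraudster needs for card-not-present purchases or a cloned stripe; the scan over the masked-plus-HMAC record returns nothing, because there is no track-shaped data left to find. The same regexes, pointed at a process dump or a disk image, are a cheap forensic check for whether a host was holding plaintext card data.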

There are two ways to close this loophole: install chip-and-PIN readers on the pumps, or harden the back-office computer. The first means taking pumps out of service to overhaul the payment system. The second is a software and configuration change on hardware that is already in place, so it is the obvious first step, especially since from October 2020 liability for counterfeit-card fraud at the pump shifts from the card issuer to the gas station under the EMV liability shift for automated fuel dispensers.

It is easy to overlook the security of a computer in a gas station, but these machines handle sensitive data and need controls that go beyond encryption. Application control stops an unapproved binary from running at all, so a dropped scraper never executes. Least privilege matters because a scraper has to read another process's memory: on Windows that means opening the payment process with PROCESS_VM_READ, which a standard user cannot do to a service running under a different account, so denying local administrator rights on the back-office host removes the attacker's easiest path. Encrypting the track data inside the pump's card reader (point-to-point encryption), so that the back-office computer only ever forwards ciphertext, removes the plaintext window altogether.

CyberArk Endpoint Privilege Manager is currently capable of blocking part of the memory scan and will be able to secure against the entire memory scan in a future release.

In the end, whether the gas stations decide to install better cybersecurity or overhaul their pump payment system, it likely won’t happen immediately. In the meantime, it may be safer to pay for your gas inside the store.
