Since I saw in a video how two security researchers loaded a minigame into a POS (point of sale) terminal when inserting a card, every time I see one of these gadgets I wonder if my card is not being cloned as it can happen in the ATMs.
The Cisco security team recently released some details of a new malware that seeks to steal information from payment terminals. They called him POSeidon:
Although the copy that was found was new, this type of attack against payment terminals began to be detected in 2008, as can be seen in this VISA security notice, and since then they have been increasing significantly.
Most work in the same way, they are RAM scrapers, a class of Trojans that scan the RAM of the infected computer to obtain the information of the cards while the payments are processed. The data is then sent to attackers that can be found anywhere in the world. They are very specific and advanced Trojans but within the reach of any cyber criminal who can buy them for a few hundred dollars.
Most payment terminals like the ones we see in supermarkets run on Windows and often on outdated versions or that no longer receive security patches such as XP, making them vulnerable to various types of attacks. Criminals generally do not have physical access to these machines, but they can reach them by compromising the network in which they are located or some central server that controls them as happened last year or with the Target chain of stores that ended up with all their terminals compromised with a variant of BlackPOS.
Other well known POS malwares are Soraya, Alina and JackPOS. The latter can be seen in action in the following video recorded by the XyliBox blog researcher, what it does is put the malware to work on a local computer and when the card is passed through a reader it shows how JackPOS captures the data:
As end users there is not much to do to avoid these attacks, just be aware of account statements to control movements and if possible use debit or prepaid cards to have a limit of money that can be stolen if it is a victim.
It is also advisable to avoid classic PINs such as 1234 and if possible, configure email alerts for each purchase made.
This article from us-cert.gov, where several security tips for POS systems are discussed, may be useful for administrators or computer scientists.