Over the past year, researchers at iSight Partners, a cybersecurity firm in Dallas, have been studying and tracking a new form of malware called ModPOS that attacks point-of-sale (POS) machines at the kernel level. The kernel is the part of the computer system that handles input and output requests for data. The malware is very hard to detect and encrypts the consumer information it steals and transmits, according to Stephen Ward, a senior director at iSight.
The malware is so sophisticated it can hide itself deep within a computer network and go undetected by antivirus software. Ward says that it took his team a month to reverse engineer the program once they discovered it—a long time when you compare it to the 30 minutes it took the same team to reverse engineer another recent POS threat, Cherry Picker.
The company has been privately advising and prepping retailers about the threat over the past few months and only went public with a report about the malware this past October.
This malware may have already been used in breaches against big-brand retailers in 2013 and 2014, says Ward, but he didn't specify which ones. You'll remember that during that time frame retailers like Home Depot, Staples, and Target reported break-ins.
The report comes at an especially stressful time. We're heading into the biggest shopping days of the year (estimates say retailers will cash in on about $360 billion in sales), and merchants are still in the process of switching to terminals that accept EMV cards.
And the news worsens. Because of the nature of the malware, chip-and-PIN cards do nothing to stop it, according to Julie Conroy, a security expert and senior researcher at Aite Group.
It seems like this security threat may be unavoidable, so what should we do?
- Choose paper over plastic. The easiest and most secure thing you can do to protect yourself during this holiday shopping season is to use cash during transactions. We know that it's inconvenient to head out to the bank and pull cash before a long day of shopping, but paying in cash will ensure that none of your information is swiped via the register. Even if there were no serious concerns over this new malware, a retailer you visit this holiday season could experience a data breach that would compromise your information. Cash is best in this instance.
- Keep your receipt. Almost all transactions end with the question, "Would you like a copy of your receipt?" Say yes! This will not only let you keep better track of the money you spent, but will also help you identify any purchases on your credit card that you didn't actually make should you experience credit fraud.
- Check out your bank statements. Stay vigilant during the shopping season and for a few months afterwards. By looking through your bank statements every month you will be able to detect whether anyone is making purchases with your compromised card and quickly take action to have the bank or the retailer refund you for any fraudulent charges.
- Monitor your credit. The ModPOS malware can reportedly also probe retailer networks for information other than credit card numbers, such as customer credentials that may include logins and passwords, loyalty program information, and any other customer information the program deems useful for fraud. So you'll really want a credit monitoring service on your side that can help you monitor your credit files and personal information to guard against fraud and identity theft.