Point Of Sale Malware Targets Credit And Debit Cards


With all the investment going into payment technology, the way in which your debit card is used is not only changing form but is supposedly becoming more secure. Chip, PIN, or contactless payments are all very well, but a new point of sale malware program has taken to attacking the payment terminals themselves to steal all your card details.

The malware program isn’t the first to try to target point of sale systems; however, this new version is believed to be able to attack any terminal. Dubbed PoSeidon after the point of sale (PoS) terminals it attacks, it was uncovered by researchers at the high-profile Cisco’s Security Solutions (CSS), which is part of a collective that has been calling for improvements to PoS systems for a number of months.

The malicious program uses a technique called memory scraping, which scans the RAM of any infected machine for data resembling credit card numbers. Whilst the transaction is being processed, the data is kept in RAM in plain text before being encrypted and stored, which means that intercepting the information without anyone knowing is actually very easy for those in the know.

“The malware only looks for number sequences that start with: 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard) and 3 with a length of 15 digits (AMEX),” – Cisco’s Security Solutions (CSS).

Unfortunately, many PoS systems do not implement end-to-end encryption to protect the card details as soon as they are presented. Similar attacks have been intercepted between the card reader and terminal with simple hardware, highlighting the need for encryption; however, adoption has been slow and costly.


Past findings have shown that installation of malware is usually done through brute force attacks against the PoS terminal. Such systems are usually set up for remote diagnostics and technical support through software such as LogMeIn. CSS has uncovered a keylogger along with the loader and memory scraper of PoSeidon. They believe this is designed to steal remote access details for any infected terminals, details which can often be used for any terminal at the retailer.

The creators of PoSeidon have created an intelligent and creative system to steal massive amounts of data. It has built-in defences against reverse engineering along with the ability to verify the card number authenticity and then upload the information to several different servers along with any information captured by the keylogger – removing any need for the attacker to log back into the terminal or physically download the information.
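The prefix and length rules quoted above are the same ones a defender can use to audit logs or dumps from a PoS host for card numbers left in clear text. The following is an added example, not code from the article or from Cisco; the Luhn check digit test, the `SAMPLE_LOG` data and all function names are assumptions of this example.

```python
import re

# Prefix/length rules quoted in the article: 16 digits starting 4, 5 or 6
# (Visa, Mastercard, Discover) and 15 digits starting 3 (AMEX).
# Lookarounds stop a match from being a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn check digit test (assumed validity check, not named on the page)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group()):
                findings.append((lineno, mask(m.group())))
    return findings


# Constructed sample log using public test card numbers, not real cards.
SAMPLE_LOG = """\
2015-03-20 10:01:02 txn=1001 track2=4111111111111111=2512 status=OK
2015-03-20 10:01:09 txn=1002 order_id=4111111111111112 status=OK
2015-03-20 10:02:15 txn=1003 pan=378282246310005 status=OK
2015-03-20 10:03:30 txn=1004 session=99994111111111111111 status=OK
"""

if __name__ == "__main__":
    for lineno, masked in find_cleartext_pans(SAMPLE_LOG):
        print(f"line {lineno}: cleartext PAN {masked}")
```

Lines 2 and 4 of the sample are not reported: the first fails the check digit test and the second is part of a longer digit run, which is how the checksum keeps false positives down in an audit.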

The way the PoSeidon system operates and has been set up means the attackers or the servers used in the attacks may never be uncovered. It is impossible to say how many machines are already transmitting data, and it’s almost impossible to stop. The CSS team added that “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families”.

Expenditure and security will need to switch to fraudulent transaction protection rather than protection of the physical card details. Think about that next time you keep your card safe during a transaction and cover your PIN – it may not make any difference.

  Source: Cisco Blog