Potential threat: Flokibot, malware for PoS devices
In addition to the hundreds of thousands of computers across the globe affected by the WannaCry ransomware in the past few weeks, an area of concern for the financial services sector is a potential threat from malicious software (malware) called Flokibot, which could affect the integrity of the large network of point-of-sale (PoS) terminals. The Indian Computer Emergency Response Team (CERT-In) had issued an alert about the malware back in February, saying that the trojan was capable of stealing customers' banking credentials from PoS machines.
Following the government’s push towards digital payments, and a reduction in both the transaction cost and the acquisition price of PoS terminals, banks added more than 10 lakh PoS machines in the five-month period between November 2016 and March 2017. The number of PoS machines stood at 13.82 lakh at the end of March 2016 and rose to 15.12 lakh at the end of October 2016.
RBI data shows that in the following five months (the period during and after demonetisation), banks added 10.16 lakh PoS machines, taking the aggregate number to 25.28 lakh.
Reportedly, the Flokibot malware has already affected the PoS infrastructure in Brazil, with some incidents also being spotted in the US, Paraguay, Australia, and Argentina. “The malware is believed to be the modified version of Zeus malware with enhanced capabilities of infecting Point of Sale (PoS) devices/terminals targeting banking/financial information,” CERT-In noted in its alert.
“The malware mainly targets the Windows operating systems. The malware uses several propagation mechanisms which include spear phishing emails containing malicious attachments pretending to be PoS/software updates, scanning and exploitation of vulnerabilities of remote administrative applications, exploitation of weak or default credentials, physical access to PoS machines for installing malware, compromising the machines providing remote support for PoS installations etc,” the central cyber-security agency said.
Apart from stealing customers' credentials, the alert says the malware could also steal other card information, such as CVV data, from PoS systems. “The malware has the capability of exfiltrating payment cards data from the memory regions of several Windows processes,” CERT-In said.
CERT-In has also prescribed countermeasures to prevent a potential attack on the PoS infrastructure: all PoS computers and PoS application software must be kept thoroughly updated, and systems used for PoS activities should be restricted to that purpose alone. It also suggested that organisations and merchants providing PoS services review all system logs for any strange or unexplained activity, and that anti-malware engines be installed and kept up to date to shield the systems from such attacks.
It is noteworthy that in 2016 a malware attack on Hitachi's ATMs over the three months of May, June and July resulted in around 3.2 lakh debit cards being compromised in the country. The affected ATMs were deployed by various white-label ATM companies and Yes Bank. On Monday, the RBI asked all banks to update the software deployed on their ATMs to prevent a malware attack. Experts have also recommended that, to prevent cyber-attacks, key financial and infrastructure systems must be updated regularly.