Over the past decade, Point-of-Sale (PoS) devices have massively grown in popularity. As many more people choose to use their cards to pay for things, often choosing the small pieces of plastic over wallets full of notes and loose change, businesses have adapted, installing point of sale terminals, card readers and the like, to accommodate them. Plus, with the rise of NFC (Near Field Communication) technology in both cards and in smartphones (such as Apple Pay and Android Pay), people have even more reasons to choose payment tech over tradition.

However, although point of sale terminals and devices certainly offer a great deal of benefits to the many businesses that use them (for example, they can lead to much quicker sales, which is helpful for particularly busy retailers), they also carry a considerable amount of risk.

With the use of PoS devices on the rise, attempts to manipulate these machines for malicious and exploitative ends have also risen, with over 300 PoS malware detections coming to light in the first half of 2015 alone. And no business, big or small, is immune from these threats.


Target is one of the best known American brands, famous for selling miscellaneous goods that range from clothing to CDs to groceries. But in 2013 the retailer hit the headlines for an entirely different reason when it emerged that the company had been affected by a hack that left over 40 million Target customers at risk of credit card fraud, while 70 million others had personal information (such as email addresses) stolen during the breach.

Target revealed that the criminals got their hands on this data by installing malware onto its point of sale network, a network which included all devices at its United States stores. Not only was the company faced with lower sales following the hack, but it had to lay people off as a result. Target also spent $100 million on updating its technology and reached a deal with VISA to pay $67 million in costs to VISA card issuers.

Home Depot

In 2014, Home Depot, the home improvement retailer, was also in the news for a similar breach. In fact, analysts suggested that the attack on Home Depot's payment systems was conducted using the same 'BlackPoS' malware that was used in the Target attack in 2013. Furthermore, the data (believed to come from as many as 60 million cards, with over 50 million email addresses also affected) was even being sold on the same site used to move the data from the Target hack.

An SEC filing from Home Depot not long after the attack became public showed that the retailer had to spend $43 million on forensic teams, call centre operators (to handle customer complaints), and, of course, its legal team. Customer confidence took a knock too, but putting a price on that isn't so easy.


In June of this year, Trend Micro was the first to discover the MalumPoS malware. The publication explained that MalumPoS is "a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target" and that it was specifically being used on point of sale systems that run the Oracle MICROS platform.

The majority of Oracle MICROS users are in the United States, in industries such as retail, food and drink, and hospitality. Oracle has stated its program is used in 330,000 customer sites around the world, so MalumPoS, which is designed to steal stored card data (such as the cardholder's name and account number) from the magnetic stripe each time a card is swiped, is a serious threat.

Plus, as MalumPoS presents itself as the "NVIDIA Display Driv3r" once it's installed, the PoS device's owner may see the brand name and be fooled into thinking that it is legitimate software that does not need to be worried about.
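One way a defender could catch this kind of name masquerading when auditing a terminal's installed services, as an added example that is not from the original article or from Trend Micro. The allowlist of trusted names and the sample inventory are constructed assumptions; only "NVIDIA Display Driv3r" comes from the text above.

```python
"""Flag installed service names that imitate a trusted name through
character substitution (e.g. "Driv3r" for "Driver")."""
import unicodedata

# Common digit/symbol-for-letter swaps; "l" and "1" both fold to "i"
# so that visually confusable characters share one comparison form.
CONFUSABLE = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "3": "e",
                            "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

def skeleton(name: str) -> str:
    """Reduce a display name to a comparison key: fold Unicode compatibility
    forms and case, undo substitutions, drop everything non-alphanumeric."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(c for c in folded.translate(CONFUSABLE) if c.isalnum())

def find_lookalikes(installed, trusted):
    """Return (installed_name, imitated_trusted_name) pairs for names that are
    not an exact allowlist entry but collapse to the same skeleton as one."""
    trusted_exact = set(trusted)
    by_skeleton = {skeleton(t): t for t in trusted}
    hits = []
    for name in installed:
        if name in trusted_exact:
            continue  # exact allowlist match: nothing to flag
        match = by_skeleton.get(skeleton(name))
        if match is not None:
            hits.append((name, match))
    return hits

# Assumption: service display names expected on the terminal's golden image.
TRUSTED = ["NVIDIA Display Driver", "Print Spooler", "Windows Update"]

# Constructed inventory; only the second name appears in the article.
INSTALLED = ["Print Spooler", "NVIDIA Display Driv3r",
             "Windows Update", "W1ndows Update", "POS Terminal Agent"]

if __name__ == "__main__":
    for name, imitated in find_lookalikes(INSTALLED, TRUSTED):
        print(f"SUSPICIOUS: {name!r} imitates {imitated!r}")
```

A name-based check like this only catches imitation of names on the allowlist; it complements, rather than replaces, verifying the signer and file path of each service binary.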

One-Man Hacking Team in Brazil

While the Home Depot, Target and MalumPoS instances all had big impacts (or potentially, in MalumPoS's case), one smaller-scale incident also presented itself south of the border. In Brazil, a one-man hacking team created something called FighterPoS, which is believed to have infiltrated just 100 establishments but has affected at least 22,000 people.

In addition to general (and expected) features such as a RAM scraping feature and the ability to get the CVV code of a card, it also includes a keylogger which would log all keystrokes on the infected terminal, which is an incredibly useful ability for hackers.

While it's troubling enough that one person is able to infiltrate so many machines, it's even more troubling that FighterPoS was being sold for just over $5000, making it relatively easy and relatively cheap for malicious users to launch attacks on PoS devices.

Malware Is Not the Only Danger to PoS Security

Learn more about how you can keep your devices, together with your customers' data, protected by applying the instructions from PCI DSS requirement 9.9, and keep your organization PCI compliant at all times.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics with the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.