'The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a Tor network'
Until ICANN sells it to the highest bidder.
Point-of-sale malware dubbed ChewBacca has hit dozens of small retailers in 11 countries as far apart as the US, Russia, Canada and Australia. Researchers at RSA Security have put the ChewBacca Trojan under the microscope, revealing much more information about a strain of malware targeted at retailers that, whilst not new for …
A good question to ask the owners of the PoS machines is
"Why the fuck are your PoS machines allowed to communicate with the outside world - and TOR! FFS get a clue."
or words to that effect.
I can appreciate that it can be hard to stop this shit getting onto your machines running XP SP1, but you can at least stop the buggers phoning home with all the goodies.
Sir, how the fuck do you expect a PoS machine to work if it can't talk to the outside world?
Go OLD SCHOOL, and use only the ones that dial a telephone number to complete a transaction.
The majority of those types DO NOT respond to an incoming call on the connected line; thus, the ONLY TIME they are exposed to the outside world is during a transaction, and at the end of the day when the day's totals are sent.
The biggest problem with most "modern" POS systems is that they often use a POS operating system (aka WindblowZE), which we all know is easily FUCKED.
Why can it connect to any IP it wants to, where is the firewall that says it can only connect to one single IP address?
Surely this is the first thing that should be done with these machines. It has no reason to need any IP other than the one of the bank it talks to.
Kind of how any coupling should be set up!
Why can it connect to any IP? Because in small retailers (as this particular attack appears to target) the POS is usually connected to a commodity PC running Windows with a software stack for the actual card reader. The PC itself may have other software installed such as links with inventory management software.
In short, it's a basic, commodity PC without any specific security.
I'm not saying it's a good situation, but in contracting work for a friend's company, I saw retail staff browsing the Internet on POS PCs. This malware appears to be targeted at these types of machines.
I'm not blaming the shops here - this is something that is not their area of expertise.
The vendors for the POS (how appropriate that the acronym works both ways...) software should ensure that their systems have at least basic security. Actually, they should ensure they are bloody secure!
Using the excuse that it is a bog standard PC is no excuse.
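The two replies above make the same point from opposite ends: the PoS host has exactly one legitimate outbound destination, so the check is to default-deny egress from the PoS segment and flag anything else. As an added example (not code from the article, RSA, or any commenter), here is that check run over a few constructed firewall log lines, plus the equivalent edge ruleset. The segment, the processor address, the log format and the iptables wording are all assumptions for the illustration; the only fact taken from the page is that ChewBacca's server is a .onion address, which a Tor client reaches through its own circuits rather than through the bank's IP.

```python
"""Egress-allowlist check for a PoS segment (added example, not from the page).

A PoS terminal talks to one payment processor. Any other destination, including
the directory/guard hops a Tor client needs to reach a .onion server, is a
policy violation. A .onion name appearing in DNS logs is a second, independent
indicator (RFC 7686 says resolvers should not resolve such names at all).
"""
import ipaddress
import re
from collections import defaultdict

# Assumed for the example: the PoS segment and the single allowed endpoint
# (203.0.113.10 is a documentation address, standing in for the processor).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {("203.0.113.10", 443)}

# A v2 (16 chars) or v3 (56 chars) .onion label, base32 alphabet.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)

# Constructed key=value firewall log; not a real capture.
SAMPLE_LOG = """\
ts=2014-01-30T10:01:02Z src=10.20.0.15 dst=203.0.113.10 dport=443 proto=tcp action=allow
ts=2014-01-30T10:01:09Z src=10.20.0.15 dst=198.51.100.77 dport=9001 proto=tcp action=allow
ts=2014-01-30T10:01:10Z src=10.20.0.15 dst=198.51.100.5 dport=53 proto=udp action=allow qname=abcdefghijklmnop.onion
ts=2014-01-30T10:02:00Z src=10.20.0.22 dst=203.0.113.10 dport=443 proto=tcp action=allow
ts=2014-01-30T10:02:30Z src=10.20.0.22 dst=192.0.2.44 dport=80 proto=tcp action=allow
ts=2014-01-30T10:03:00Z src=10.30.0.5 dst=192.0.2.44 dport=80 proto=tcp action=allow
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept as-is."""
    return dict(LINE_RE.findall(line))


def is_pos_host(ip):
    return ipaddress.ip_address(ip) in POS_SEGMENT


def check_egress(log_text):
    """Return {src_ip: [reasons]} for PoS hosts that broke the allowlist."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        src = rec.get("src")
        if not src or not is_pos_host(src):
            continue  # hosts outside the PoS segment are not under this policy
        dst, dport = rec.get("dst"), int(rec.get("dport", 0))
        if (dst, dport) not in ALLOWED_EGRESS:
            findings[src].append(f"egress to {dst}:{dport} not on allowlist")
        qname = rec.get("qname", "")
        if ONION_RE.search(qname):
            findings[src].append(f".onion lookup leaked to DNS: {qname}")
    return dict(findings)


def iptables_rules():
    """Edge ruleset enforcing the same policy: allow the processor, log and
    drop everything else from the PoS segment. Assumed iptables syntax;
    translate to whatever the real edge device speaks. If the processor is
    reached by name rather than IP, the resolver must be added to the
    allowlist and its query log kept for the .onion check above."""
    rules = []
    for dst, port in sorted(ALLOWED_EGRESS):
        rules.append(f"iptables -A FORWARD -s {POS_SEGMENT} -d {dst} "
                     f"-p tcp --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {POS_SEGMENT} -j LOG "
                 f"--log-prefix 'POS-EGRESS-DENY '")
    rules.append(f"iptables -A FORWARD -s {POS_SEGMENT} -j DROP")
    return rules


if __name__ == "__main__":
    for host, reasons in check_egress(SAMPLE_LOG).items():
        for r in reasons:
            print(f"{host}: {r}")
    print("\n".join(iptables_rules()))
```

On the sample, 10.20.0.15 is flagged three times (the 9001/tcp connection, the DNS query itself, and the .onion name inside it) and 10.20.0.22 once for a plain web connection; the host in 10.30.0.0/24 is ignored because the policy is scoped to the PoS segment. The DROP rule is what stops a compromised terminal from phoning home even when the malware itself cannot be kept off an old XP box.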
Dial-up won't necessarily solve anything. At least here in the US, many home and business users have moved from PSTN to IP telephony. And even those who haven't still aren't fully protected from "the outside world." Many of the larger carriers have at least some of their traffic routed via cloudy bits so, even if you shun IPT, you may still be at least minimally exposed to it.
Yes, most large (i.e. well staffed/trained) organizations have a measure of control over this, but your average small shop owner doesn't have that kind of expertise or access.
The PIN isn't protected and it may be irrelevant.
1) The reader can be swapped.
2) It only asks the card if the PIN is OK, so a fake card says "OK" to ANY PIN, or a PIN of your choice.
3) I've only ever been asked for a PIN in retail (see point (2)), never online.
Ok, we've been here before, but:
When you say "the reader", do you mean the PED? If you do, it may be directly swapped, maybe with other hardware in a replica box, but it's not going to be able to talk to the POS driver layer.
You correctly state that the PIN is stored on the card, and that the card usually just says "yes" or "no", however this is done by means of an encrypted communication which has to be signed with the correct keys. How do you propose a fake card would be able to do this?
You wouldn't have been asked for a PIN online; that's not the job of chip and PIN. You will, however, not be able to make a chip and PIN card from the information obtained online because, even if you could create the encryption layer in the chip, the account number used by the chip and PIN part of the card is different to that which is stamped across it.