Why banks should give point-of-sale technicians a second look


A Brazilian fraud group that targets U.S. financial institutions but went inactive last year has returned with new malware infecting point of sale terminals. The malware circumvents both PIN-based protections and the modern fraud protections of chip-based cards.

In a blog, the security firm Kaspersky said members of the group, which is called Prilex, typically deliver their malware through social engineering, such as by pretending to be a technician who insists the company needs to update its point-of-sale software. The fake technician may visit the target in person or, for less traceability, ask the victim to install remote desktop software they can use to install the malware.

Whereas earlier Prilex attacks exploited poor implementations of the EMV protocol that protects transactions made using chip-based cards, the newer attacks use lower-level code, fraudulent point-of-sale devices, and other methods that circumvent the strengths of the protocol.

According to cybersecurity journalist Brian Krebs, a small financial institution in New England suffered $40,000 in losses from a 2014 Prilex attack on EMV transactions after it saw $120,000 in fraudulent charges. All of the fraudulent transactions were debit charges with chip cards, made without a PIN. The group stole €1.5 million (about $1.65 million) from a German bank in 2019 using a similar exploit.

The newer malware enables Prilex and its affiliates to generate fraudulent transactions even when a customer uses a PIN and a chip card.

The EMV protocol relies on having chip-based cards generate digital keys for certain transactions, which the issuer then uses to approve transactions. These keys are unique per transaction and can change depending on the details of the transaction.

When a patron inserts their EMV card into a point of sale device that has been infected with Prilex malware, the code intercepts the person's PIN if they key it in, has the card generate a digital key for the legitimate transaction, then has the card generate keys for at least one fraudulent transaction.

The infected point of sale processes the legitimate transaction, then dispatches the keys for the fraudulent transaction to the Prilex network. The threat actor then uses fraudulent point of sale devices registered in the name of shell companies to complete the processing of the fraudulent transactions.

Kaspersky said Prilex provides its malware as a service, selling fraudulent point of sale kits for $3,500 each. The company also said the group has shown a high level of knowledge about credit and debit card transactions that enables them to continually update their tools to circumvent the EMV authorization protocol in new ways.

This means credit card acquirers and issuers must not rely on "security by obscurity," as Kaspersky called it. In other words, the company advised banks to implement all EMV validations but not to underestimate the ability of fraudsters to learn and adapt.
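As an added illustration, not taken from the article or from Kaspersky's report, of the transaction flow described above and of the "implement all EMV validations" advice: a simplified Python model in which the card's per-transaction cryptogram is a MAC over the amount, merchant and the card's application transaction counter (EMV's ATC). The weak issuer stands in for the poor implementations the older attacks exploited; the strict issuer verifies the cryptogram and counter, and the burst heuristic for consecutive card-generated cryptograms arriving from a different merchant is an assumption of this example, not an EMV rule. All keys, merchant IDs and timestamps are constructed sample values.

```python
import hmac, hashlib

# Stand-in for the EMV application cryptogram: a MAC over the transaction
# details and the card's transaction counter (ATC), keyed with a per-card
# secret shared with the issuer. Real EMV uses 3DES/AES session keys and more
# fields; the binding to amount, terminal and counter is what the checks use.
def cryptogram(card_key, amount_cents, merchant_id, atc):
    msg = f"{amount_cents}|{merchant_id}|{atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Simplified issuer host; burst_window is an assumed heuristic."""
    def __init__(self, card_key, burst_window=600):
        self.card_key, self.last_atc = card_key, 0
        self.last_seen = None            # (merchant_id, unix_time) of last approval
        self.burst_window = burst_window

    def authorize_weak(self, amount, merchant_id, atc, crypto, ts):
        # Poor implementation: the cryptogram is never checked, so tampered
        # details or a replayed cryptogram are approved.
        return True, "approved"

    def authorize_strict(self, amount, merchant_id, atc, crypto, ts):
        expected = cryptogram(self.card_key, amount, merchant_id, atc)
        if not hmac.compare_digest(crypto, expected):
            return False, "cryptogram mismatch"      # tampered details
        if atc <= self.last_atc:
            return False, "atc not increasing"       # replayed cryptogram
        # Genuine cryptogram with the very next ATC but from a different merchant
        # soon after the last one: consistent with a cryptogram produced on an
        # infected terminal and submitted elsewhere. Approve but flag for review.
        verdict = "approved"
        if self.last_seen and atc == self.last_atc + 1:
            prev_merchant, prev_ts = self.last_seen
            if prev_merchant != merchant_id and ts - prev_ts < self.burst_window:
                verdict = "approved-flag-review"
        self.last_atc, self.last_seen = atc, (merchant_id, ts)
        return True, verdict

KEY = b"constructed-per-card-key"        # constructed sample, one per card

def scenario():
    """Constructed sequence: a legitimate sale, then a cryptogram the same card
    was made to produce for a second sale, submitted from another merchant."""
    strict, weak = Issuer(KEY), Issuer(KEY)
    legit = (450, "CAFE-0001", 41, cryptogram(KEY, 450, "CAFE-0001", 41), 1000)
    fraud = (90000, "SHELL-7", 42, cryptogram(KEY, 90000, "SHELL-7", 42), 1120)
    tampered = (90000, "SHELL-7", 43, cryptogram(KEY, 10, "SHELL-7", 43), 1200)
    return {"legit": strict.authorize_strict(*legit)[1],
            "fraud": strict.authorize_strict(*fraud)[1],
            "tampered": strict.authorize_strict(*tampered)[1],
            "replay": strict.authorize_strict(*legit)[1],
            "weak_tampered": weak.authorize_weak(*tampered)[1]}
```

The strict checks stop the tampered and replayed cases outright, while the card-generated second cryptogram passes every cryptographic validation and can only be surfaced by the behavioural flag, which is the gap the newer malware exploits.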
