VISA warns of POS malware incidents at gas pumps across North America
Payments processor VISA says North American merchants who operate gas stations and gas pumps are facing a rash of attacks from cybercrime groups wanting to deploy point-of-sale (POS) malware on their networks.
In two security alerts published in November and December, respectively, VISA said its security team investigated at least five incidents of the sort.
The payments processor said cybercrime groups carried out attacks with the main purpose of gaining access to fuel dispenser merchants’ networks, where they installed POS malware.
POS malware works by continuously scrapping a computer’s RAM for what looks like unencrypted payment card data, which it collects, and then uploads to a remote server.
The VISA Payment Fraud Disruption (PFD) team says cybercrime groups appear to have found a weak spot in how gas stations and gas pump operators work.
While the in-store POS terminals of some merchants might support chip-and-PIN transactions, most of the card readers installed on gas pumps do not.
These gas pump card readers still operate on older technology that can only read payment data from the card’s magnetic stripe.
Data from these outdated card readers is sent unencrypted to the gas station’s main network, where crooks have realized they can intercept it.
VISA documented breaches at two fuel dispenser merchants in a November 2019 security alert, and another three breaches in a December 2019 alert. The two alerts highlight a new target and modus operandi for cybercrime groups.
The attacks on fuel dispenser merchants began over the summer, VISA said. Two of the five attacks were linked to a known cybercrime operation known as FIN8.
VISA said the easiest ways for fuel dispenser merchants to safeguard customers is to either encrypt card data while it’s being transferred across a network or stored in memory or shift to a chip-and-PIN card acceptance policy.
“Fuel dispenser merchants should take note of this activity and deploy devices that support chip[-and-PIN] wherever possible, as this will significantly lower the likelihood of these attacks,” VISA said.
Fuel dispenser merchants have until October 2020 to deploy chip-and-PIN compatible card readers on their gas pumps. Starting October 2020, VISA said liability for any card fraud would shift from itself to the merchants, which will likely motivate many operators to update their gas pump card readers. Until then, many are still vulnerable to attacks.