Visa warns of new info-stealing POS malware; think before swiping your card at a gas station

Visa has warned of cybersecurity groups trying to obtain customers' credit card information by releasing point-of-sale malware at gas stations across North America

Payments processor Visa has warned North American merchants operating gas stations against a new threat from cybercrime groups: a (point-of-sale) POS malware designed to steal their customers' credit card data.

Modus Operandi

The financial services major issued multiple warnings over the last couple of months and reported at least five such incidents. Visa revealed that the attacks are being carried out with the sole intention of gaining access to payment systems (debit or credit card readers) on fuel-dispensing units where the POS malware is installed.

fuel-dispensing unit
Wikimedia Commons

Hackers can gain entry into the payment systems through the gas station's computer using a phishing email or other methods. Once the malicious malware gains access to the system, it gets to work, continuously combing through the machine's RAM for customers' unencrypted credit or debit card information, which it collects before uploading it to a remote server.

While the in-store POS terminals at gas stations might support chip-and-PIN transactions, the card readers on fuel-dispensing units do not. They still run on traditional technology that receives payment information from the card's magnetic stripe.

Who is behind these attacks?

Visa's Payment Fraud Disruption (PFD) team said that the attacks are being carried out by sophisticated cybercrime groups that are exploiting vulnerabilities in how gas stations work and operate.

The company reported two security breaches in an alert issued in November and three incidents in a December alert, pointing out that two out of the five attacks were linked to a cybercrime operation known as FIN8.

How to prevent these attacks?

According to Visa, the easiest way for gas stations to safeguard their customers' card information is to either encrypt the card data while it's being transferred across a network or stored in memory or shift to a chip-and-PIN card acceptance policy.

"Fuel dispenser merchants should take note of this activity and deploy devices that support chip[-and-PIN] wherever possible, as this will significantly lower the likelihood of these attacks," Visa said.

Gas station owners have until October 2020 to employ chip-and-pin card readers on their fuel-dispensing units. After the deadline, Visa says it will not be responsible for any card fraud that takes place at the outlet, in a bid to motivate operators to install new card-reading equipment at their gas stations.

Related topics : Cybersecurity