Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of keylogger and screen capture attacks.  I went back through my archives to see if I had written about this danger before, but the examples I found are the ones I typically talk about anyway.  Don't worry, I'll put a new one here for you!


This particular alert from Visa targets software keystroke loggers and screen capture tools.  At the bottom of page two, Visa lists MD5 sums for various malware samples, probably obtained while investigating merchant breaches.  They also provide eight mitigation strategies: preventative measures for the areas most likely to be targeted for malware installation.

My real world example comes from a merchant that had the best intentions, but just didn’t think they would be a target for malware.

Everyone is a target, and complacency in security is the pathway to a breach.

This particular merchant ran a delivery business with a relatively small storefront.  He had two registers, and had only recently begun accepting credit cards.  Since most orders were taken over the phone, no additional hardware was needed to swipe cards: everything was entered into the POS software as a card-not-present transaction.

Because this was a delivery business, couriers sometimes needed to look up map information online.  The only usable computers with displays were the point of sale systems; the storefront's space limitations and budget prevented the deployment of additional computing resources.  That meant the Internet had to be accessed from the same machines that processed credit card transactions, because there were no other options.

Theoretically, a company with a significant IT staff could find a way to let POS machines reach a chosen map service through a proxy on the corporate network.  In this case, however, the Windows XP POS devices connected directly to the Internet through the DSL lines terminating at the business.  Anyone at the device could connect to anything on the Internet, including "good" sites like Hotmail as well as sites that most corporations deem inappropriate.

Getting malware onto these machines would now be pretty easy, and depending on the data collected for the CNP transaction, the results could be pretty significant, especially considering this post demonstrating ways to run executables from PDFs.

Do everything you can to eliminate Internet access from machines that store, process, or transmit cardholder data, and you will go a long way toward preventing this type of breach.
