The Virtual 9/11

Point-of-Sale systems may be the ultimate IT Security vulnerability


Most cyber criminals of today have one main objective: to make money. But what if you took the monetary gain out of the equation? What could an organization — with the skills to both gain access to a large number of networks and systems, and to harvest its data — be able to accomplish?

To some, the first critical infrastructure that comes to mind is services such as traffic management, water treatment facilities and power grids. Cyber attacks against these types of environments, creating an outage of services, would certainly cause fear and confusion. While not impossible, performing these acts on a national or global scale would take a great deal of effort and resources. Further, shutting down the traffic management system in Chicago is likely not going to cause traffic problems in San Francisco, unless the fear itself prompts a shutdown in order to “patch” for the attack vector used.

Consider this instead: Accessing millions of systems worldwide could be easier than gaining access to a closed network such as one that controls traffic lights in a metropolitan area. Many point-of-sale (POS) systems in the world have direct access to the Internet with little protection from external attacks.

With this knowledge in hand, a terrorist group develops a piece of malware designed to seek out and infect credit card processing systems through multiple vectors: network, client-side and even social networking. The malware is truly custom and unique, so no anti-virus product on the market today has a signature that would match it.

Once installed on a business’s system, the malware performs two main operations: 1) it harvests credit card data in real-time and sends it to one of many different drop sites maintained by the terrorist group; 2) it connects to one of several public IRC networks and waits for commands to be sent to it by its command-and-control (C&C). Over time, the number of infected systems would grow into the millions and essentially create a payment network botnet.

In this scenario, the terrorist group is not yet interested in monetary gain; it would instead use this network of bots to harvest as much credit card data as possible, with the aim of later using that data to inject fear and confusion into the global payment network. They would not use a single card number for fraudulent purposes. Instead, they would store and catalog each card by type and by the geographic location from which it was obtained. This activity could take place over a year or more, as “phase one” of their operation.

Once the terrorist group amasses a few hundred million unique credit card numbers, they then pick a date to launch phase two of their attack.

The Virtual 9/11 Stage Two: Crippling the Payment Network

In phase two, they begin to communicate with their bots via the C&C network. Using a sophisticated backend system, they systematically inject fraudulent transactions into the payment network via the millions of PC-based POS systems they control; however, they don’t just use random cards from their database at random locations controlled by their botnet.

Instead, they make the transaction seem real based on the geographic location of the target systems compared to the location where the cards were harvested. For example, if they obtain a card from a pizza restaurant in Chicago they would NOT use it at a pub in London; rather, it will be used at a sandwich shop a few blocks away to avoid triggering any fraud detection systems used by the credit card companies.

Over the course of a few hours, hundreds of millions of accounts and a million compromised payment systems could be used to inject more than ten billion dollars in fraud into the payment network. Once the fraud is discovered, the only likely remedy is to suspend all transactions until the situation can be investigated; otherwise there is a risk that the fraud will continue to grow rapidly. If it were neither noticed nor stopped, the fraud could easily reach a hundred billion dollars or more in less than 24 hours. Essentially, the payment network as a whole would be unable to distinguish millions of legitimate transactions from millions of fraudulent ones.