POS FRAUD TRENDS AND COUNTER-ACTIONS TO MASS FRAUD DUNHAM

POS FRAUD TRENDS AND global changes in payment methods, reveals a diverse change
in how people are performing transactions in 2015 and going
COUNTER-ACTIONS TO MASS forth. Pre-paid cards are increasingly being used in retail,
health care, food services, education and the travel industry.
FRAUD
Ken Dunham DOES SIZE MATTER IN POS RISK
iSIGHT Partners, USA
MANAGEMENT?
Email kdunham@isightpartners.com The size of an organization does impact how POS risk
management is performed, as businesses of different sizes
commonly have different needs and risks. Small and large
organizations each have their advantages and disadvantages
ABSTRACT when it comes to POS risk management. Anecdotally, smaller
Point-of-Sale (POS) e-crime fraud was of little discussion organizations typically have simpler solutions and capabilities
until the fall of 2013. Since then, a large number of retail and fewer resources, while larger organizations tend to have
stores in the US have announced major breaches. The number the opposite.
of infected organizations is in the thousands, with credit card Merchants are eager to enable non-cash/card-type payments as
breaches reaching new heights. Some fraudsters are able to a matter of convenience for customers who are increasingly
capture the PIN values associated with debit cards. In some demanding such methods over traditional forms of payment.
incidents, POS fraud had taken place on networks for months Merchant adoption of POS solutions is now much more
before the companies realized they had a security breach. In diverse than it was just a decade ago. Many merchants are
multiple cases it took weeks to properly identify and remove opting to rely upon third-party solutions such as value-added
sophisticated POS malware from compromised networks. resellers or contractors. This has resulted in both dependence
POS fraud didnt start in 2013 but many years earlier. Just as and deferred responsibility for much of the risk management
was seen in former emergent crimeware markets, including associated with POS terminal services, especially amongst
botnets and rootkits, POS fraud is now reaching an apex of small businesses. This can lead to complacence by any
emergence for maximum profits. A new industry group has organization, large or small.
been formed to help battle POS fraud, but will it help? Major Smaller organizations are often understaffed with few
credit card companies in the US have stated that they will be resources to dedicate to properly securing POS payment
moving to Chip-and-PIN technology, but will it stop fraud? systems. In most cases, the reality is that It Works! is all that
How have fraudsters already adjusted to the counter-e-crime is required for daily business operations, alongside meeting
efforts seen globally, and how does that paint a picture of what basic regulatory compliance directly or by farming out POS
will happen in the next five years for POS fraud? risk management out to a third party. Generally speaking,
many small organizations struggle to address POS risk
E-CRIME FOLLOWS AVAILABILITY OF management properly, making it a juggling act to cost
ASSETS effectively manage operational needs alongside any security
needs that go beyond basic regularly compliance.
In the 20th century, global transactions took place in a very
different way from how they take place in 2015. Today, Larger organizations which commonly have significantly
consumers are increasingly reliant upon the use of credit, debit more resources, larger budgets and better capabilities to manage
and pre-paid cards, creating a massive global opportunity for POS risk are more likely to struggle with disparate groups,
e-crime actors. Today, e-crime actors are able to compromise communication and more complex interdependent systems with
and rapidly monetize non-cash transactions. massive amounts of information. It is common for an IT group
and a security group to exist within the same organization but
Capgemini-RBS [1] has revealed in its World Payments Report not necessarily have a tight bridge of operational
that, in 2014, more than 334 billion non-cash transactions took communication between them. While process and procedure
place. Of such transactions, more than 60 per cent were by exist, most large organizations typically suffer from information
card. The Nilson Report [2] for market shares in 2014 reveals overload with so much data flowing in that gaps emerge from
about a 50 per cent increase in use of both credit and debit the busy work of risk management. For example, some
cards and a 200 per cent increase in pre-paid cards from 2009 organizations may simply filter logs and events based on anti-
to 2014. Globally, Visa managed more than 112 billion virus signatures, ensure that patches are rolled and move on,
purchase transactions in 2014, with MasterCard coming in at when in fact more serious threats may exist below the surface if
51 billion and UnionPay at close to 20 billion. UnionPay properly handled during research and response.
(China) grew more than 52 per cent in 2014, with the next
nearest growth rate being that of JCB (Japan) at almost 22 per
cent, followed by MasterCard at 13.6 per cent and Visa at VECTOR OF ATTACK
10.1 per cent, according to the Nilson Report. This anecdotal POS fraud operations start with a vector of attack. This may
look at global transactions reveals growth in non-cash be opportunistic, such as a computer that gets compromised
transactions, with very rapid growth in the Asian market in through a mass spamming, or more targeted such as an insider
particular in the past year. looking to cash in at the expense of their company. Vectors
Consumers are rapidly adopting debit payment systems and commonly involve the following:
pre-paid cards in favour of credit payments, according to Insiders: Embittered, financially struggling and untrusted
NerdWallet [3]. Internationally, debit cards grew nearly 30 per insiders know where to strike the network and have the
cent from 2007 to 2011. This, along with the aforementioned greatest access compared with other actors.

162 VIRUS BULLETIN CONFERENCE SEPTEMBER 2015

Contractors: Infected laptops or VPN connections or Attacks by e-crime actors today are not necessarily highly
compromised credentials used to access client networks sophisticated in terms of technology, but they are increasingly
are a notable vector of intrusion. POS contractors sophisticated regarding how they go about penetrating and
normally have administrative rights to access all exploiting a network once pwnage has taken place. This is
POS-related software and solutions, enabling e-crime an important change in how attacks are taking place in
actors to rapidly leverage such credentials for cashing in general, representing in part more mature adversary skills and
on a compromised POS network. capabilities sets for maximum profit.
Phishing and exploitation: Emails sent to users within
an organization can lead to the compromise of a host SUBVERTED SYSTEMS
and/or network. Social engineering is often used in this Counterintelligence plays a part in e-crime operations in
vector of attack. Exploits may also be used via email 2015. Criminals often know more about our networks than we
attachments, links to a remote hostile website, etc. do. In some cases, they painstakingly identify anti-virus and
Weak security: Weak security, such as universal and security solutions on all levels the host, gateway, etc.
easily guessed passwords, continues to be practised on a Attacks are then customized based on identified risk for
multitude of systems globally. Traditionally, this falls e-crime operations, such as ensuring codes are not detected
into the category of weak, stolen or misused credentials by the anti-virus solution running on a compromised network.
an attackers choice 80 per cent of the time according In the case of netflow operations, e-crime actors develop their
to the 2013 Verizon DBIR [4]. Brute-force attacks own strategies for transferring data in such a way as to fly
against remote desktop applications are associated with under the radar of IDS/IPS-type controls. If POS terminals
the very large-scale Backoff POS campaign reported in are segregated from the Internet they must perform payment
2014. Several tools and tactics exist to brute force such processing in real time through a Local Area Network (LAN).
logins. With an increase in reconnaissance and targeted E-crime actors simply traverse the network from an
attacks, e-crime actors can identify systems of interest Internet-facing computer within the compromised network
and spend day and night attempting to subvert such and then tunnel into the LAN of interest or leverage insider
systems. Hardening against such attacks can be very access as needed to gain access to POS terminals. E-crime
difficult. For example, the default logging system may actors are also smart enough to understand POS systems in
only log bad logins after five failed attempts this can be great detail in some cases exploiting specific processes
exploited by criminals who only perform four attempted running in memory to capture credit card details before they
logins in a session before terminating and attempting are encrypted within a payment processing system. Tools
another login. Such tactics can be automated and/or used for memory scanning and credit card capture do not
deployed through multiple IPs via proxies for maximum have to be very complex; gaining access to a non-Internet
effectiveness. based system, tunnelling through a compromised network,
and then stealing data and performing exfiltration to scale is
Lateral movement: Once inside a network, e-crime increasingly sophisticated and impressive when it comes to
actors are increasingly able to identify host and network larger retail chains suffering POS fraud.
security controls and topology and then move laterally
through the network. This enables them to pivot off
critical systems within network(s) to perform POS TERMINALS MOSTLY WINDOWS
reconnaissance, maintain persistence, as well as perform The majority of POS systems now run some version of
exploitation and exfiltration of stolen data even on POS Microsoft Windows, the most commonly attacked operating
terminals that are not directly Internet-facing. Once a system to date. This also means that e-crime actors have great
remote actor is inside a network they can essentially act opportunity as experienced programmers have existed for this
like a malicious insider, performing keylogging, operating system for many years in the traditional e-crime
grabbing hashes and attempting to brute force access marketplace.
remotely, and gaining access to admin and domain
controller accounts for full access and control within a Most POS malware attacks occur on the POS terminal itself,
network. where sensitive credit data is read before being encrypted.
This makes it easier for sensitive data to be stolen before it is
At the turn of the century, penetration testing and auditing encrypted, which can greatly increase the speed of
was scant at best on most networks. Today, it is part of monetization for e-crime fraud operations. POS malware may
common business operations to audit for possible operational be used anywhere along the chain of the payment process
and security issues that may exist on a network while one behind the scenes of a retail store, including but not limited to
hardens against attack. A wealth of tools and tactics are well backend databases and payment processing, inventory and
developed in the open-source market today, which can be customer relationship management (CRM) solutions.
both used and abused as desired. Maturation of such tools and
technologies, in conjunction with the rapid adoption of global
non-cash transactions, has resulted in e-crime actors
EXPLOSION OF POS FRAUD INCIDENTS
aggressively implementing such strategies into attacks and Significant POS malware and e-crime operations emerged in
exploitation. Specifically, once an e-crime actor has access to 2013 with an explosion of discovery and disclosure in 2014.
a network they are now looking for POS terminal Notable victims include but are not limited to: Target, Home
possibilities, quietly and carefully constructing a more Depot, Neiman Marcus, Kmart, UPS, Staples, Subway,
extensive e-crime attack over a period of days, weeks or even Supervalu, Goodwill, C&K Systems, White Lodging and
months dependent upon the compromised network and Blanchards Liquors. In the Backoff case, the FBI publicly
organization. stated that more than 1,000 businesses were infected with the

VIRUS BULLETIN CONFERENCE SEPTEMBER 2015 163

code. Such operations are very large scale, revealing the code was packaged and sold on the underground market.
automation and scale akin to the explosion of botnets in 2003 In September 2012, news broke of two Romanians having
and 2004 following former one-off attacks with trojans in the admitted to POS retail fraud targeting Subway, in which more
latter part of the 20th century. In 2015, additional breaches than US$10M was stolen. According to public reports, the
have been revealed, such as that of Sally Beauty, as proof of attackers brute-forced passwords to gain access to system(s),
this troubling trend. which they followed up with lateral movement strategies
involving keystroke loggers (including POS/card data) and
A mature marketplace for e-crime POS fraud operations also
network sniffers. By the end of 2012, Dexter had emerged in
exists. Recently, a copy of the LusyPOS RAM-scraping
the wild.
malware was offered for sale on the underground for an
estimated US$2,000. There is a movement in the underground In 2013, POSRAM emerged as part of the KAPTOXA
towards malware as a service, mobile management and campaign. In the same year, VSkimmer, ChewBacca and the
solutions similar to those seen in the white hat world. infamous Alina POS malware families also emerged in the
wild. A convergence of marketplace readiness, following
The explosion of discovery and disclosure in 2013 and 2014 transaction assets and maturation of criminal skills and
is similar to that seen in rootkits early this century. As capabilities led to rapid exploitation of mmon and similar
e-crime attacks follow assets, notable changes in the source codes to subvert POS payment systems.
marketplace take place which result in new tools and tactics,
such as the introduction of stealth and rootkits over a decade By 2014, identification and disclosure of POS malware had
ago. In this case, organizations may have heard about such erupted in the public eye. JackPOS, Decebal, Soray, BrutPOS
risks in the news but they didnt have the necessary tools, and new variants of BlackPOS have all been reported by
tactics and procedures for identifying and removing them various public sources. While no international naming
from their own networks. As a result, the industry was caught convention exists for malware, it is clear from public reports
in a reactive posture, with a flurry of activity taking place that a massive development in diversity and successful
once everyone realized what rootkits looked like and how exploitation took place between late 2013 and 2014.
they were being spread. This naturally led to the discovery of Early codes, such as mmon, were sometimes used with crude
rootkits that had happily been maintaining persistence within scripts such as a batch file to run in a loop, scanning all
a large number of networks for months. processes all the time for possible credit card data. Later
POS systems had never before suffered such attacks and variants became more refined or were deployed in a more
breaches as has been seen in 2013, 2014 and beyond. This has precise manner, scanning only specific processes for possible
resulted in a flurry of activity in the payment processing and credit card data. Some intrusions even involved actors
associated merchant markets to identify and mitigate these performing reconnaissance, following initial intrusion, to then
threats. It has also resulted in law enforcement becoming identify a payment system process in memory, followed by a
educated in this area and identifying victims in investigations custom memory-scraping code designed for that particular
in order to inform them of possible breaches and losses of process and data structure.
which they may not previously have been aware. When the Maturation of POS malware has also taken place in terms of
first breaches appeared in the news it was really big news; the architecture of an attack. Instead of single codes, like
today, another large breach is just noise in the background of backdoor trojans of the late 1990s, POS malware is part of an
all-too-common breach notifications to the public. attack set that may involve backdoor trojans, compression
Meanwhile, a massive tidal wave of POS malware and and transfer utilities, memory scrapers and so on. Naturally,
e-crime attacks continues to slam down on merchant these have matured over time, as can be seen in public reports
networks globally. regarding the KAPTOXA campaign in 2013 and 2014. Bad
actors sometimes make mistakes in programs or need to learn
DIVERSITY AND DEPTH OF POS MALWARE what works for moving laterally through a network and/or
performing exfiltration of stolen data. Updates to such codes
POS malware, such as BlackPOS, Dexter and Alina, serves as naturally take place over time, with improvements seen as
an indicator of an e-crime operations maturity. One of the attacks maintain persistence and/or campaigns mature with
earliest POS malware families to publicly be reported (in new victims. Naturally, this also involves improvements in
2011) was Rdasrv, named after the executable in the attack obfuscation and/or encryption, especially regarding secure
[5], which targeted hospitality and educational institutions. communications for both intrusion and exfiltration of data
More importantly, mmon (presumably for the name memory from a POS payment system network.
monitor) was an early underground source code that was
PoSeidon is a newer POS malware family that has a unique
later used in BlackPOS and other families of code. It still
capability amongst POS malware to date: the ability to
appears in recent threat reports, such as one by Visa [6]. It
self-update and execute new code. In the trojan and bot
contains a command line option to scan a specific process ID
world, this is a common concept used to avoid detection,
or can be used to scan all processes in memory for possible
where new private builds are often uploaded after a more
credit card data. Mmon.pdb is a debugger string and file
public build has been uploaded during the initial infection.
reference that can be seen in codes leveraging this early POS
This helps avoid detection and removal of the malware even
malware derivative.
if the more public build is identified and removed, thus
BlackPOS is fairly well known and is associated with other increasing persistence for the malware in most cases. The
POS malware families such as BrutPOS. BlackPOS was sold ability to run updates and new code, from every component
on the underground in the spring of 2012 with exploitation of a PoSeidon-related code, enables PoSeidon to install other
seen in the wild by that summer. A number of minor variants codes as needed or desired, such as for lateral movement,
exist within the BlackPOS malware family because of how counterintelligence actions, exfiltration or even to install

164 VIRUS BULLETIN CONFERENCE SEPTEMBER 2015

complete new malware families not associated with such strings are collected as part of such operations. Track 1 and
campaigns to date. In short, its much more powerful based Track 2 data are common targets of credit card fraud, but
upon whatever nodes an actor may have access to within a PINs open up the options for monetization, making them an
compromised network. Bad actors are clearly working obvious target for more advanced POS fraud operations going
actively to maintain a moving target that cannot easily be forth.
identified or removed from POS payment systems. In the case
Installation and updates of POS malware will also become
of PoSeidon they are even beginning to clean up stolen data,
increasingly refined and specific. For example, Punkey [8]
for example by using the Luhn formula to verify card validity
installs either a 32-bit or 64-bit version of itself on POS
upon capture.
terminals and can download and update other files as needed
More recent developments include multiple new families of for fraud operations. Another example of innovation and
POS malware and a movement towards automation development is seen in the LogPOS [9] malware, which does
(specifically, combining bot-type malware such as not write stolen data to disk but instead uses a mailslot for
Andromeda with NitlovePOS, as reported in 2015). Another rapid exfiltration of data.
such example is that of the Neutrino Exploit kit used to All forms of netflow, including data transfer of files, programs
spread Neverquest, which has been upgraded to include and stolen data, are moving towards obfuscation and
POS-scraping capabilities [7]. Automation of such operations encryption. This helps all such operations stay under the radar
introduces massive new challenges for the world of POS risk and hinders investigative efforts. This can, in some cases, buy
management, just as was seen with the evolution of backdoor more time for fraudsters seeking to rapidly monetize stolen
trojans to bots close to the turn of the century. This is now credit card data prior to law enforcement or security operations
coupled with rapid monetization, including infrastructure and identifying such stolen or exfiltrated data. Respondents use of
operational capabilities to subvert two-factor authentication whack-a-mole counter actions are clearly utilized by e-crime
(2FA) via mobile devices, capturing one-time-pin (OTP) actors who now use sophisticated schemes for C&C
values from victims, and so on. communications that are constantly changing and on the move.
This is combined with innocuous-looking HTTP traffic and
STEALTH MATTERS IN POS FRAUD data that is not easy to spot amongst a massive amount of
Internet flow on a daily basis in and out of a network.
Stealth in POS e-crime operations is more about network
intrusion and survivability than it is about the POS malware POS fraud operations will continue to escalate globally due to
or keylogging components used in such an attack. In a financial incentives indicative of various geopolitical regions.
common e-crime case, malware is installed on a host as an For example, in Brazil a single individual was able to steal
endpoint. It is relatively easy to identify and mitigate more than 22,000 unique credit cards in over a month using
modularly. In POS e-crime cases, a suite of utilitarian vnLoader and FighterPOS [10]. These types of financial
programs may be used, including legitimate programs incentives are massive, encouraging fraud operations in
commonly used by security professionals. Each component countries where jobs are hard to come by and pay is low, and
may not indicate a POS malware attack but instead look like a where law enforcement against global fraudsters is unlikely.
common downloader trojan or legitimate security tool on a In this anecdotal example, FighterPOS is a tool that can be
computer with unknown means or motive. This helps the purchased [11] for 18 bitcoins, or about US$5,250 an
intrusion to remain undetected in stark contrast with that of, amount that can easily be recouped within the first hour of a
say, a host-based ransomware code that infects a node and/or successful POS network compromise.
encrypts files across the network in a very observable fashion. To make matters worse, a convergence of e-crime and
POS fraud operations are also made stealthy by leveraging espionage means and motives is currently taking place
pen-testing tactics to stay below the radar. In many cases globally. No longer do we have one-off e-crime attacks, but
attackers know the network well and know exactly how to more sophisticated, systematic, long-term campaigns that
move around in and through a network including for involve everything from opportunistic to highly targeted
exfiltration of data. In some cases, intentional systematic attacks for maximum profits. A highly skilled marketplace of
development of such tactics exists within a campaign over fraudsters now exists for performing very sophisticated
time. Even if mistakes are made on some networks, attackers intrusions into networks. Criminals are more than happy to
learn from those mistakes, make improvements to the code spend weeks or months subverting a system when the payout
and reap profits in each attack regardless. POS terminals may can be huge, like that of multiple POS breaches identified in
be configured within some networks as a separate segment the past 18 months.
with no Internet capabilities (LAN only). This may impact
how and when audits and management of such systems take WILL CHIP AND PIN (EMV) AND NEW
place and/or the security postures adopted compared with INDUSTRY COLLABORATION EFFORTS
those of higher risk machines within a network such as an
MAKE A DIFFERENCE?
executives laptop or common users desktops.
Chip and PIN, or EMV, is a different technology solution to
make it harder for fraudsters to monetize stolen credit card
WHAT IS THE FUTURE OF POS MALWARE? data. It was originally developed by three companies after
Original POS malware fraud was simple in most cases, which the EMV standard was named: Europay,
starting with opportunistic scanning of all processes looking MasterCard and Visa. Because much of Europe and related
for possible credit card data. However, memory monitoring time zones already use such technology in their credit cards,
and scraping is becoming more refined and efficient, even the Americas are the low-hanging fruit, as they are the
targeted in some cases, so that only specific processes and/or easiest to monetize overall.

VIRUS BULLETIN CONFERENCE SEPTEMBER 2015 165

Introduction of Chip-and-PIN technology in the US will drive [3] Chen, T. Credit Card and Debit Card Transaction
up merchant and POS risk management operations but will Volume Statistics. NerdWallet.
not stop POS fraud. Rather, it will simply change the game, https://www.nerdwallet.com/blog/credit-card-data/
bringing the Americas up to the global playing field of credit-card-transaction-volume-statistics/.
counter-actions for credit card fraud. In short, it will change [4] 2015 Data Breach Investigations Report (DBIR).
the global risk posture and assumed liabilities related to Verizon. http://www.verizonenterprise.com/DBIR/.
ongoing e-crime credit card fraud.
[5] Wisniewski, C. Targeted attacks steal credit cards
As adoption of EMV in the Americas takes place, changes in from hospitality and educational institutions. Naked
how stolen credit card data is monetized will follow [12]. Security. https://nakedsecurity.sophos.com/2011/11/
Take note that EMV adoption in the Americas will likely start 30/targeted-attacks-steal-credit-cards-from-
with signature authentication only instead of PIN, due to hospitality-and-educational-institutions/.
merchant expense in retooling for the newer cards; this will
delay the hardening of such solutions, maintaining a low- [6] Visa data security alert. Retail Merchants Targeted
hanging fruit status globally until full adoption is completed. by Memory-Parsing Malware UPDATE.
Additionally, it will take a very long time for adoption to be http://usa.visa.com/download/merchants/Bulletin-
complete, as was seen in Canada which started in 2003, only Memory-Parser-Update-012014.pdf.
reaching 85 per cent adoption ten years later [13]. Further, [7] Fisher, D. Neverquest Trojan Adds New Targets,
EMV standards in Europe and the surrounding area have not Capabilities. Threatpost. https://threatpost.com/
stopped credit card fraud. neverquest-Trojan-adds-new-targets-
Consumers in the Americas will be wondering if EMV will capabilities/108076.
make things more secure, but we are highly likely to see [8] Constantin, L. New malware program Punkey
ongoing fraud and identity theft cases emerge despite targets point-of-sale system. PCWorld.
adoption of EMV. Nevertheless, due to how liability for such http://www.pcworld.com/article/2910912/new-
e-crime fraud is assumed in the Americas (little to none for malware-program-punkey-targets-pointofsale-
the consumer), this is not likely to erode confidence in or use systems.html.
of EMV solutions compared with other forms of payment
such as cash. [9] LogPOS New Point of Sale Malware Using
Mailslots. Morphick. http://morphick.com/
Changes in security products will also take place to counter blog/2015/2/27/mailslot-pos.
known and expected e-crime fraud operations. Specifically,
the battle against memory management, encryption and [10] One-Man PoS Malware Operation Captures 22,000
scraping is well under way. Expect obfuscation and Credit Card Details in Brazil. TrendLabs Security
encryption strategies to move into memory management of Intelligence Blog. http://blog.trendmicro.com/
sensitive data as part of payment processing risk trendlabs-security-intelligence/fighterpos-fighting-a-
management. new-pos-malware-family/.

The increased sophistication of e-crime attacks greatly hinders [11] Walker, D. FighterPOS malware strikes over 100
threat identification and mitigation. Multiple compromised terminals in Brazil, captures info for 22K cards. SC
POS environments when informed of a possible breach by Magazine. http://www.scmagazine.com/recent-pos-
federal authorities were unable to identify fraud within their malware-attacks-in-brazil-may-be-work-of-sole-
own networks for weeks if not months. Meanwhile, perpetrator/article/408795/.
exploitation and exfiltration of sensitive POS systems continues [12] Mecia, T. Online fraud may surge after EMV chip
concurrent to the lengthy incident response cycle seen in such card rollout. CreditCards.com.
incidents. E-crime fraudsters are able to create innovative new http://www.creditcards.com/credit-card-news/online-
codes and use encryption and similar solutions to their fraud-surge-emv-1273.php.
maximum advantage to make it next to impossible for [13] Guy Birken, E. Will New Chip-and-PIN Credit
organizations to identify what is being stolen, how it is being Cards Stop Identity Theft? Wise Bread.
done and what might have been breached or compromised. In http://www.wisebread.com/will-new-chip-and-pin-
multi-layered defence plans, e-crime actors are able to subvert credit-cards-stop-identity-theft.
on every level, greatly increasing the need for highly skilled
security technicians alongside mature policies and plans for
dealing with such events, which largely dont exist today in
most merchant networks. The industry needs to move from
panic and awareness mode into operational risk management to
manage ongoing POS e-crime fraud operations.

REFERENCES
[1] 10 Years of Trends and Predictions. Capgemini.
https://www.worldpaymentsreport.com/10-Years-of-
Trends-and-Predictions.
[2] Nilson Repot. http://www.nilsonreport.com/
publication_chart_and_graphs_archive.php?1=1&
year=2015.

166 VIRUS BULLETIN CONFERENCE SEPTEMBER 2015