Have you ever thought that your credit card data is at risk in a retail shop? Probably not. However, it is, because cyber criminals frequently evolve their hacking techniques. At shopping malls or large stores, you may have seen a POS (point-of-sale) system, a computerized checkout process in which a single computer is connected to several checkout terminals. Modern POS systems come with pre-installed sales software and a card reader, and can handle multiple functions such as sales history, bar code scanners, invoice printers, returns, gift cards, multiple payment types, and promotions.
How Does an Attack Happen on a POS System?
Attackers can install a device onto the card reader that reads the customer's credit card data stored on the magnetic strip. This process requires special hardware and physical contact with the card reader, so this "skimming" technique cannot be used for theft on a large scale. Despite the improvements brought by the Payment Card Industry Data Security Standard (PCI DSS), there is still a security gap in POS systems. For example, when a customer hands over a credit card for payment authorization, the data travels through various systems and networks. There the data is encrypted, but inside the internal network and systems it is not, i.e. when the retailer swipes the card to take payment. Albert Gonzalez (an American computer hacker) found this gap in 2005 and stole data for 170 million cards.
Most POS systems run on Windows or Unix operating systems, which are a comfort zone for attackers looking to compromise the system. Malware that targets them is also called memory-scraping malware, because it reads Track 2 data from the POS terminal. As soon as the retailer swipes the card, the malware saves the data in a file stored on the POS. Afterward, attackers retrieve this file.
The next step is to install malware on the POS system. The POS system is connected to the corporate network, so attackers can look for a weakness that lets them penetrate the web server, such as SQL injection, or send a spear phishing email. After that, attackers use hacking tools to gain access to the various network segments of the POS system. Once the malware is installed, attackers clean log files or tamper with security software. All these activities go unnoticed and ensure that attackers can collect a huge amount of data from the POS system.
Selling Card Data on web forums:
Many online forums sell credit and debit card information over the web. CVV2 is the most common format, in which the seller provides the credit card number along with the CVV2 security code printed on the back of the card. Many sellers also offer "Track 2" data, a short name for the data saved on the card's magnetic strip. With it, attackers can use the card at ATMs or in stores.
CVV2 data prices range from $0.1 to $5 per card, while Track 2 data sells for up to $100 per card.
What Does Verizon Say About POS?
Verizon announced in its 2014 Data Breach report that 99% of breaches targeting POS systems came from external sources. POS attacks remained among the top three attacks in 2013. Accommodation, with a 75% ratio, and food services, with a 31% ratio, were the most targeted industries. All POS attacks resulted in data exfiltration.
POS Systems & Security Issues:
As we saw, an attacker can easily install malware on a POS system because of vulnerabilities in the POS operating system. Such attacks can lead to severe data breaches and require quick action. Here are some serious issues in POS systems that invite attackers to steal data.
The Payment Card Industry Data Security Standard (PCI DSS) does not require POS systems to implement network segmentation, even though segmentation reduces the scope of the CDE (card data environment) and of the PCI DSS assessment. A POS system must also allow software updates and maintenance, which allow data to be exported to external payment processors.
Point-to-Point Encryption (P2PE):
Credit card data remains unencrypted within the internal networks and systems of the POS. When the data is transmitted from one system to another, it sits in plain text in the memory of the POS system, which could allow an attacker to steal it with RAM-scraping malware. Point-to-point encryption removes this fear of malware, because the credit card data remains encrypted from the moment of the swipe.
Many point-of-sale systems still use Windows XP, which must be replaced with a current OS version, as older operating systems are more likely to be exploited. The deadline for Windows XP was April 8, 2014, but Microsoft will continue to provide updates to its anti-malware signatures and engines for Windows XP until July 14, 2015. Attackers can easily execute malware on such an outdated OS.
Less usage of EMV:
The use of conventional magnetic stripe cards is the main cause of data theft. You should consider more advanced cards such as Europay, MasterCard, and VISA (EMV), which include chip and PIN as an additional security layer. These cards use embedded microprocessors to offer strong security and are difficult to clone.
POS Protection against Attacks:
From the discussion above, you already understand the severity of malware targeting POS systems. It is now up to the POS administrator to protect the system. The following precautions will keep malware out and ensure a secure experience for customers.
Install a Firewall:
A firewall protects the system from malicious outside traffic by filtering it. A network-based firewall is an ideal solution for layered security. If possible, the traffic should also be monitored by an intrusion detection system. A firewall can filter traffic coming from viruses, worms, or other types of malware specifically designed to exploit a POS system.
Use Updated Antivirus:
Antivirus is an easy option for users and organizations and can mitigate the potential for attack to some degree. Antivirus uses its own definitions to recognize malicious software or code, and so blocks such malware from entering the POS system. Merchants should keep their systems up to date by updating antivirus software regularly. Merchants should implement a full endpoint protection suite that provides antivirus, HIPS (Host Intrusion Prevention Software), firewall, traffic monitoring, and application whitelisting.
Update POS system software:
Make sure that the POS software and its applications are updated in a timely manner. POS system updates should be part of patch management. The main obstacle to updating a POS is its high cost, so many companies avoid new versions of the system until a technical issue arises. Companies can use host intrusion prevention software (HIPS) and firewalls to mitigate the high cost of new POS versions. However, a new software version comes with security patches and bug fixes that provide a secure environment for cardholders.
Restrict General Internet Access:
The POS system is connected to the internet to carry out online transactions. General use of the internet on the POS system should be avoided. A firewall should allow only authorized traffic, and application proxies should be in place to monitor inbound and outbound traffic.
Turn Off Remote Access:
Attackers can easily take advantage of remote access to log in; therefore, prohibit remote access to the POS network. Through the firewall configuration, only authorized management workstations should be allowed remote access. If the company wants to allow remote access over a public network, two-factor authentication should be required.
During the setup of a POS system, installers use the default password because it is easy to remember. However, cyber criminals can easily guess the default password and gain access to the system. Change the password periodically and keep the login and password long and complex.
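One way to verify the two firewall rules above (POS terminals reach only authorized destinations, and remote access comes only from authorized management workstations) is to audit flow logs against the policy. This is an added example, not part of the original article; the addresses, ports, and log format are constructed placeholders.

```python
import ipaddress

# Constructed policy; every address is a placeholder.
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_OUTBOUND = {("203.0.113.10", 443)}  # hypothetical payment processor
MGMT_WORKSTATIONS = {"10.20.1.5"}           # hypothetical admin workstation
REMOTE_ACCESS_PORTS = {22, 3389, 5900}      # SSH, RDP, VNC

# Constructed flow log, one flow per line: src_ip src_port dst_ip dst_port
FLOWS = """\
10.20.30.11 50122 203.0.113.10 443
10.20.30.11 50123 198.51.100.77 80
10.20.1.5 61000 10.20.30.11 3389
10.20.9.44 61001 10.20.30.12 3389
10.20.30.12 50200 198.51.100.77 21
"""


def audit(flows: str):
    """Return (reason, src, dst, dst_port) for each flow that breaks policy."""
    violations = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport = line.split()
        dport = int(dport)
        src_pos = ipaddress.ip_address(src) in POS_SEGMENT
        dst_pos = ipaddress.ip_address(dst) in POS_SEGMENT
        if src_pos and not dst_pos:
            # A terminal may only talk to explicitly authorized endpoints.
            if (dst, dport) not in ALLOWED_OUTBOUND:
                violations.append(("unauthorized-outbound", src, dst, dport))
        elif dst_pos and not src_pos and dport in REMOTE_ACCESS_PORTS:
            # Remote access must originate from a management workstation.
            if src not in MGMT_WORKSTATIONS:
                violations.append(
                    ("unauthorized-remote-access", src, dst, dport))
    return violations


if __name__ == "__main__":
    for v in audit(FLOWS):
        print(*v)
```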
Protect data with Encryption:
Using encrypting card reader hardware, or cards that already have a built-in cryptographic processor, can prevent malware from accessing the POS device. This approach assumes that no customer personally identifiable information is visible to the terminal or to internal networks. Such dedicated hardware devices ensure that the encryption key is never revealed to the terminal.
POS systems are now a prime target for attackers, as they are the first to collect customer information and are the least secured. However, POS systems are not difficult to secure if merchants take the precautions above. Unfortunately, data breaches on POS systems sometimes occur because of merchants' negligence.