Why point-of-sale breaches remain a lucrative endeavour for cybercriminals

(c) philipus - 123RF.com

How could something like this be possible? Obscurely, the fast-food chain actually had a security solution installed on its POS, but this hadn't been updated on time – something that ended up putting customer data and the entire business's reputation on the line.

Attacks on POS systems have been growing over the past few years, with new breaches such as Code Red, SQL, and Slammer moving in, affecting both small retail shops and large hotel and restaurant chains. According to the Verizon Data Breach Investigation Report 2016, 525 POS breaches disclosed data in 2015 alone, not to mention the Target breaches of 2014 – which took over 100,000 victims.

So, why do POS breaches remain a lucrative endeavour for cybercriminals?

The primary motivator for cybercriminals is often profit. The physical point of sale contains the all-important information found on the magnetic strip of a credit card, meaning it can be cloned and used for fraudulent purchases. Payment card data can also be sold on the dark web markets and so-called ‘dump shops’, such as McDumpals, where criminals can even geographically filter cards, making their crimes all the more convenient.

(c) tuthelens - 123RF.com

With a considerable number of POS terminals still relying on the magnetic stripe developed 30 years ago, they remain a very soft target. The fruitful combination of POS systems, with Internet access and default passwords, makes it easy for attackers to compromise this technology. If they are not protected with specialist software, POS systems have four basic weaknesses in their architecture:

• Data is stored in the memory
  
• Non-encrypted data in transit
  
• Non-patched operating systems
  
• Configuration (default passwords)

How to safeguard a business from a POS attack

Taking these precautions, provided by cybersecurity company, Kaspersky Lab, will help safeguard your business from a POS attack.

1. Employee training. According to the Verizon Breach Report 2015, social engineering is becoming increasingly popular as a tactic employed by cybercriminals attempting to breach POS systems. Simple calls to trick employees into providing the password data needed, can allow a criminal to gain remote access to a POS. Make sure your employees think twice about their behaviour around your POS systems and ensure that they understand that casually clicking on social media links and email attachments in the workplace, especially on any POS-equipped machines, is unacceptable.

2. Password maintenance. Once a POS system is installed, make sure you change from the default system password. Also, ensure that each employee has their own login to the machine, that individual passwords are not shared, and that these passwords are changed regularly. If an employee ceases to work for the business, make sure their password is removed from the system.

3. Lock-down connections. Ensure any Wi-Fi systems in your business are password-protected, and each Internet connection has a firewall.

4. Limit physical access. Since cybercriminals only need a short window of time to tamper with a POS system, make sure the POS machine is staffed at all times. Install a physical barrier around the POS machine to limit a customer’s ability to interact with any credit card readers or USB ports on the POS machine.

5. Ensure the core operating system of each machine is updated. When educating employees, make sure they know that prompts to download Windows system updates and application updates shouldn’t be ignored.

6. Install the best specialised POS security software you can find. Attacks on retailers are driven largely by sophisticated malware, so POS-dedicated protection is vital. To safeguard businesses from the tricks of POS fraudsters, Kaspersky Lab has introduced Kaspersky Embedded Systems Security – a solution designed to protect payment card systems. It’s also important that any security software is kept up to date, so ensure that all patches or database updates are downloaded promptly.

7. Manage web access. It’s a good idea to completely block employees from browsing the Internet on the POS machine. When internet is needed, access to certain websites can be limited. For example, with Kaspersky Small Office Security, business owners can prevent employees from visiting certain types of website (e.g. social media) and from downloading programmes.

8. Encrypt and back up. In many countries, any business that saves customer data is required by law to encrypt it. Even if not required, encrypting sensitive payment data is always recommended. In addition, make sure that all business-critical records are backed up to an external hard drive or cloud repository. Encrypting these backup files can also prevent accidental deletion.

With more countries, including the USA, moving to EMV cards, the world is becoming more secure. This gives hackers reasons to target ill-prepared POS systems. To avoid being on the list, retail and restaurant organisations should ensure they have done everything possible to make their customers’ card data safe and sound.