In recent years, point-of-sale (PoS) systems have become a point of emphasis for attackers looking to steal credit and debit card information.
From the Kmart breach to the recent attack on Dairy Queen, cybercriminals have sought to compromise PoS systems with malware. These breaches are not just headline grabbers, however; they also serve as reminders for organizations about securing their network.
“While the malware used in these attacks is sophisticated, they are by no means groundbreaking,” said Mark Nunnikhoven, principal engineer of cloud and emerging technologies at Trend Micro. “Attacks such as these highlight the weakness in the security approach taken for these computers.”
Most businesses, he explained, think of a PoS system as a device and not a full-fledged computer. PoS systems tend to be replaced every 10 years or more, as opposed to every three to five years for a desktop computer, he said.
“These systems run older operating systems like older versions of Windows Embedded, Windows XP, or even DOS,” he said. “To make matters worse, the network they are deployed to is usually treated as isolated so there are minimal security controls deployed.”
“These factors make it relatively simple for a criminal to exploit any number of vulnerabilities if they can get malware onto one or more PoS systems,” he said, adding that criminals gain access to the systems from either social engineering or attacking PoS systems from somewhere else in the network once they have gained a beachhead.
Part of locking that beachhead down requires controlling remote access.
“If your PoS systems use remote access software for tech support purposes, two-factor authentication should be implemented as part of the login process,” said Karl Sigler, threat intelligence manager at Trustwave. “Two-factor authentication adds an extra layer of security in case the contractor chooses an easily-guessable password.”
Paul Ducklin, senior security advisor at Sophos, said high standards need to be set for remote access.
“Whether you outsource your PoS or run it in-house, insist that remote access be managed securely,” he explained. “We hear of breaches where all the PoS terminals were on the company’s one-size-fits-all network, making it easier for crooks to find weak spots and traverse all the PoS systems. We hear of breaches where one remote access password served hundreds of separate branches, even separate customers, and where no two-factor authentication was used. It’s sloppy to share passwords between Gmail and iCloud at home. To share remote access passwords for networks you expect your own customers to accept as secure by faith is worse than sloppy. It’s unacceptable.”
Businesses that hire third-party contractors to install and maintain their PoS systems should make sure the contractor provides specific information about the security measures taken to protect data processed by the system, Sigler added.
As for the devices themselves, they should be up-to-date and patched, but also monitored for signs of malicious activity, security researchers said.
“Any unusual connectivity to or from any component of a point-of-sale infrastructure should be investigated,” said Curt Wilson, ASERT senior research analyst at Arbor Networks. “Legitimate traffic should be profiled ahead of time and be well understood. Deviations from legitimate traffic should become a high-priority investigative item.”
“For example,” he said, “if point-of-sale machines are centrally managed, and the central management server initiates outbound file transfer via FTP in a manner that deviates from normal operations, this should be flagged immediately. Since attackers leverage lateral network movement in more advanced compromise schemes, defenders must be aware of, and actively monitor any network connectivity that would allow for the exfiltration of sensitive card data.”
Along similar lines, businesses should make sure any data being processed, stored or transmitted across their PoS systems is segmented from the rest of their networks, applications and databases.
“The most useful short term network hardening that can be done is to lock down outbound network access as tight as possible,” said Rush Taggart, chief security officer at CardConnect. “For areas that contain sensitive data, this means an entire lock down. If hackers have already gotten in, this will foil their attack by preventing them from getting any data out. These failed attempts then provide network administrators with indicators that can be used to track down compromised machines and remediate. For legitimate business needs for outbound access from sensitive areas, outbound access must be proxied.”
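The profiling and egress rules Wilson and Taggart describe above can be turned into a simple detection pass over connection logs. The following is an added illustration, not code from the article or from any of the companies quoted; the network layout (a 10.0.5.0/24 PoS segment whose only sanctioned internet path is a proxy at 10.0.5.10:3128), the log format and the sample flows are all constructed for the example.

```python
import ipaddress

# Constructed layout (assumption, not from the article); 10.0.5.10:3128 is the only sanctioned egress.
POS_SEGMENT = ipaddress.ip_network("10.0.5.0/24")   # terminals plus the management server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # anything else is "outside"
FTP_PORTS = {20, 21}

def parse_flow(line):
    # Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
    _, src, _, dst, _ = line.split()
    d_ip, d_port = dst.rsplit(":", 1)
    return (src.rsplit(":", 1)[0], d_ip, int(d_port))   # (src, dst, dport)

def build_baseline(lines):
    """Profile of legitimate traffic, learned ahead of time from a known-good window."""
    return set(map(parse_flow, lines))

def assess(flow, baseline):
    """Return (severity, reason) for a deviation, or None if the flow is expected."""
    if flow in baseline:
        return None
    src, dst, dport = flow
    if ipaddress.ip_address(src) in POS_SEGMENT:
        if ipaddress.ip_address(dst) not in INTERNAL:
            # Sensitive segment talking straight to the internet: the proxy was bypassed.
            tag = " (FTP)" if dport in FTP_PORTS else ""
            return ("high", "direct egress from PoS segment bypassing the proxy" + tag)
        if dport in FTP_PORTS:
            return ("high", "FTP from PoS segment not seen in baseline")
    return ("medium", "connection not in the baseline profile")

def triage(lines, baseline):
    """Run every new flow against the profile; return the deviations in log order."""
    findings = []
    for flow in map(parse_flow, lines):
        verdict = assess(flow, baseline)
        if verdict:
            findings.append((verdict[0],) + flow + (verdict[1],))
    return findings

# Constructed sample flows: a known-good day, then a night with two deviations.
BASELINE_LOG = [
    "2014-10-01T09:00:01 10.0.5.21:50123 -> 10.0.5.10:3128 tcp",
    "2014-10-01T09:00:05 10.0.5.20:51000 -> 10.0.5.21:445 tcp",
    "2014-10-01T09:01:00 10.0.5.22:50200 -> 10.0.5.10:3128 tcp",
]
NEW_LOG = [
    "2014-10-02T02:13:40 10.0.5.21:50300 -> 10.0.5.10:3128 tcp",
    "2014-10-02T02:14:02 10.0.5.20:49152 -> 203.0.113.7:21 tcp",
    "2014-10-02T02:15:10 10.0.5.23:50400 -> 10.0.5.10:3128 tcp",
    "2014-10-02T02:16:30 10.0.5.22:50500 -> 198.51.100.9:443 tcp",
]
```

Running `triage(NEW_LOG, build_baseline(BASELINE_LOG))` flags the management server's outbound FTP and a terminal's direct HTTPS egress as high priority, and an unseen terminal using the sanctioned proxy as a medium-priority item to confirm against inventory.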
Perhaps the most important piece of advice is to pay attention to the warning signs.
“For example, in Target’s breach, calls from the company’s own security advisors in India were apparently ignored,” Ducklin said. “This could have shortened the malware outbreak enormously. At Neiman Marcus, systems were apparently reimaged regularly, but the crooks kept breaking back in. Properly comparing the system before and after reimaging would probably have highlighted the differences and uncovered the malware, instead of papering over the cracks as it did. You probably collect gigabytes of logs. Use them.”
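Ducklin's point about comparing a system before and after reimaging comes down to keeping a hash manifest of the gold image and diffing the live host against it. The following is an added example, not code from the article or from Sophos; the directory layout, file contents and the "pos/logs/" ignore prefix are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def diff_manifests(gold, live, ignore=()):
    """Files added, removed or changed relative to the gold image; paths under
    any prefix in `ignore` (logs, caches) are expected to churn and are skipped."""
    keep = lambda p: not p.startswith(tuple(ignore))
    gold_paths = {p for p in gold if keep(p)}
    live_paths = {p for p in live if keep(p)}
    return {
        "added": sorted(live_paths - gold_paths),
        "removed": sorted(gold_paths - live_paths),
        "changed": sorted(p for p in gold_paths & live_paths if gold[p] != live[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: a gold image and a terminal reimaged from it that has
    since drifted (one modified system file, one dropped binary, one rotated log)."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as live:
        base = {"Windows/System32/svchost.exe": b"svchost", "pos/app.exe": b"pos app v1",
                "pos/logs/app.log": b"day 1"}
        for rel, data in base.items():
            _write(gold, rel, data)
            _write(live, rel, data)
        _write(live, "Windows/System32/svchost.exe", b"svchost + injected stub")
        _write(live, "Windows/Temp/upd.exe", b"unknown binary")
        _write(live, "pos/logs/app.log", b"day 2")
        return diff_manifests(build_manifest(gold), build_manifest(live), ignore=("pos/logs/",))
```

The gold manifest has to be generated from the image itself, not from a host that is already in service, and anything reported under "added" or "changed" outside the known-volatile prefixes is the list to examine before the box goes back on the network.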