Protecting Point-of-Sale Devices in the Face of Attacks

In recent years, point-of-sale (PoS) systems have become a point of emphasis for attackers looking to steal credit and debit card information.

From the Kmart breach to the recent attack on Dairy Queen, cybercriminals have sought to compromise PoS systems with malware. These breaches are not just headline grabbers, however; they also serve as reminders for organizations to secure their networks.

“While the malware used in these attacks is sophisticated, they are by no means groundbreaking,” said Mark Nunnikhoven, principal engineer of cloud and emerging technologies at Trend Micro. “Attacks such as these highlight the weakness in the security approach taken for these computers.”

Most businesses, he explained, think of a PoS system as a device rather than a full-fledged computer. Unlike desktop computers, which are typically replaced every three to five years, PoS systems tend to stay in service for 10 years or more, he said.


“These systems run older operating systems like older versions of Windows Embedded, Windows XP, or even DOS,” he said. “To make matters worse, the network they are deployed to is usually treated as isolated so there are minimal security controls deployed.”

“These factors make it relatively simple for a criminal to exploit any number of vulnerabilities if they can get malware onto one or more PoS systems,” he said, adding that criminals gain access to the systems from either social engineering or attacking PoS systems from somewhere else in the network once they have gained a beachhead.

Part of locking that beachhead down requires controlling remote access.

“If your PoS systems use remote access software for tech support purposes, two-factor authentication should be implemented as part of the login process,” said Karl Sigler, threat intelligence manager at Trustwave. “Two-factor authentication adds an extra layer of security in case the contractor chooses an easily-guessable password.”

Paul Ducklin, senior security advisor at Sophos, said high standards need to be set for remote access.

“Whether you outsource your PoS or run it in-house, insist that remote access be managed securely,” he explained. “We hear of breaches where all the PoS terminals were on the company’s one-size-fits-all network, making it easier for crooks to find weak spots and traverse all the PoS systems. We hear of breaches where one remote access password served hundreds of separate branches, even separate customers, and where no two-factor authentication was used. It’s sloppy to share passwords between Gmail and iCloud at home. To share remote access passwords for networks you expect your own customers to accept as secure by faith is worse than sloppy. It’s unacceptable.”

Businesses that hire third-party contractors to install and maintain their PoS systems should make sure the contractor provides specific information about the security measures taken to protect data processed by the system, Sigler added.

As for the devices themselves, they should be up-to-date and patched, but also monitored for signs of malicious activity, security researchers said.

“Any unusual connectivity to or from any component of a point-of-sale infrastructure should be investigated,” said Curt Wilson, ASERT senior research analyst at Arbor Networks. “Legitimate traffic should be profiled ahead of time and be well understood. Deviations from legitimate traffic should become a high-priority investigative item.”

“For example,” he said, “if point-of-sale machines are centrally managed, and the central management server initiates outbound file transfer via FTP in a manner that deviates from normal operations, this should be flagged immediately. Since attackers leverage lateral network movement in more advanced compromise schemes, defenders must be aware of, and actively monitor any network connectivity that would allow for the exfiltration of sensitive card data.”

Along similar lines, businesses should make sure any data being processed, stored or transmitted across their PoS systems is segmented from the rest of their networks, applications and databases. 

“The most useful short term network hardening that can be done is to lock down outbound network access as tight as possible,” said Rush Taggart, chief security officer at CardConnect. “For areas that contain sensitive data, this means an entire lock down. If hackers have already gotten in, this will foil their attack by preventing them from getting any data out. These failed attempts then provide network administrators with indicators that can be used to track down compromised machines and remediate. For legitimate business needs for outbound access from sensitive areas, outbound access must be proxied.”
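The profile-then-flag-deviations approach Wilson describes, together with Taggart's point that a locked-down card-data segment turns blocked outbound attempts into indicators, as an added example that is not code from the article or from any of the vendors quoted: a small Python checker that compares constructed flow records against a baseline profiled per host role, marks anything leaving the card-data segment other than via the sanctioned proxy as high priority (the management-server-opens-FTP case), and lists the source hosts to investigate first. The hosts, roles, addresses, segment and proxy are all constructed assumptions.

```python
import ipaddress
# Constructed sample data (not from the article): host roles, a baseline of
# legitimate flows profiled ahead of time, and observed flows "src dst port".
ROLES = {
    "10.10.1.10": "pos-terminal",
    "10.10.1.11": "pos-terminal",
    "10.10.1.50": "pos-mgmt-server",
}
BASELINE = {                                  # (role, dst_ip, dst_port)
    ("pos-terminal", "10.10.1.50", 443),      # terminal -> management server
    ("pos-mgmt-server", "10.10.1.10", 445),   # management -> terminal push
    ("pos-mgmt-server", "10.10.1.11", 445),
    ("pos-mgmt-server", "10.10.9.5", 3128),   # management -> sanctioned proxy
}
CARD_DATA_SEGMENT = ipaddress.ip_network("10.10.1.0/24")  # assumed segment
PROXY = "10.10.9.5"                                        # assumed proxy
OBSERVED = """\
10.10.1.10 10.10.1.50 443
10.10.1.50 10.10.1.11 445
10.10.1.50 203.0.113.7 21
10.10.1.11 198.51.100.20 443
10.10.1.10 10.10.1.11 445
10.10.1.50 10.10.9.5 3128
"""

def classify(src, dst, port):
    # None for profiled legitimate traffic, otherwise a priority for the deviation
    if (ROLES.get(src, "unknown"), dst, port) in BASELINE:
        return None
    inside = ipaddress.ip_address(src) in CARD_DATA_SEGMENT
    outbound = ipaddress.ip_address(dst) not in CARD_DATA_SEGMENT
    # Anything leaving the card-data segment other than via the proxy is a
    # possible exfiltration path (e.g. the management server opening FTP).
    if inside and outbound and dst != PROXY:
        return "high"
    return "medium"  # unexpected flow inside the segment: lateral movement?

def find_deviations(log_text):
    findings = []
    for line in log_text.splitlines():
        src, dst, port = line.split()
        priority = classify(src, dst, int(port))
        if priority:
            findings.append((priority, src, dst, int(port)))
    return findings

def suspect_hosts(findings):
    # Sources of high-priority deviations: where to start tracking down compromise
    return sorted({src for prio, src, _, _ in findings if prio == "high"})
```

Running `find_deviations(OBSERVED)` flags the management server's FTP connection and a terminal's direct external HTTPS connection as high priority and the terminal-to-terminal SMB flow as medium, while the three baseline flows are silent.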

Perhaps the most important piece of advice is to pay attention to the warning signs.

“For example, in Target’s breach, calls from the company’s own security advisors in India were apparently ignored,” Ducklin said. “This could have shortened the malware outbreak enormously. At Neiman Marcus, systems were apparently reimaged regularly, but the crooks kept breaking back in. Properly comparing the system before and after reimaging would probably have highlighted the differences and uncovered the malware, instead of papering over the cracks as it did. You probably collect gigabytes of logs. Use them.”
