If nothing else, the breach at Target brought this point home – point-of-sale [POS] systems are firmly on the radar of attackers.
So much so that US-CERT just recently warned retailers to do a better job of protecting their systems.
“In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming,” the organization noted. “In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.”
“As POS systems are connected to computers or devices, they are also often enabled to access the internet and email services,” the advisory continued. “Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.”
In the case of Target, malware was discovered on the company’s POS systems Dec. 15. At that point, Target disabled the malicious code and began the process of notifying card processors and payment card networks. As many as 40 million debit and credit card accounts may have been impacted. But that was just the most recent example of an attack. For example, in 2012, hackers hit the point-of-sale systems at Barnes & Noble and compromised credit card readers at 63 stores.
“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems,” said Mark Bower of Voltage Security.
These systems are in constant use around heavy shopping periods like Black Friday, when they are often less frequently patched and updated, he added. To take the profit out of the attacks, savvy retailers are utilizing point-to-point encryption to protect data before it even gets to the POS system, he said.
Related News: Target Confirms Point-of-Sale Malware Was Used in Attack
“If the POS is breached, the data will be useless to the attacker,” he said. “Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enabling the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw.”
Organizations need to take stock of what devices they have running and what gaps they need to close, said Chris Strand, compliance consultant at Bit9.
“Taking a better approach to automating the vulnerability analysis to get better visibility of the threat landscape and find a solution that allows organizations to see where high priority and critical areas are on those systems,” Strand said.
US-CERT also recommends organizations restrict POS access to the Internet, disable remote access and update POS software applications.
Then there is the prospect of more secure EMV cards, which security experts say may have made the attack on Target a non-starter for those behind it.
“EMV is a big part of the answer and would likely have prevented the Target breach,” noted Chester Wisniewski, senior security advisor at Sophos. “Merchants have been resistant as it requires newer payment terminals, but Target is one of the few who were already EMV-ready. It is currently scheduled to roll out (for most transactions) in the US in the autumn of 2015. It took us about 18 months to fully embrace it here in Canada; let’s hope the US can one-up us.”
Related News: Target Confirms Point-of-Sale Malware Was Used in Attack
Related Insights: PCI DSS 3.0 – The Impact on Your Security Operations
