Point-of-sale data breaches aren't necessarily simple, which is why they're so pervasive in the retail and hospitality industries. Verizon reports that in 2015, 32% of all security breaches involved point-of-sale (POS) attacks, resulting in millions of stolen customer credit card numbers.
All signs point to 2016 being an even more challenging year for organizations that rely on POS technology. DarkReading recently stated that Oracle's MICROS, a POS system used by over 330,000 retailers, has been breached by a Russian criminal organization known as the Carbanak Gang. Here's how IT pros can effectively prepare for the worst by understanding the state of POS attacks and their early warning signs.
What's Behind Most Point-of-Sale Attacks?
IDG News recently indicated that 94% of point-of-sale breaches originate from inadequate remote access software or policies, or from weak passwords. The third and fourth most common causes of a POS breach are weak input validation, which opens the door to SQL injection, and unpatched vulnerabilities.
For organizations reducing vulnerabilities and maintaining PCI compliance, understanding the early warning signs of an attack can prevent embarrassing, highly public security incidents. Join us as we review six key signs that your POS security is being threatened.
1. User Permission Changes
In many POS breaches that originate from weak or stolen user credentials, hackers must "elevate" permissions in order to navigate the POS network and push malware out to terminals. Any sudden change in user access, particularly to administrative or super admin-level permissions, is a sign of unwelcome attention.
2. Failed Login Attempts
POS systems are commonly networked to Windows PCs to allow remote management via Microsoft's Remote Desktop Protocol (RDP). A high number of failed login attempts can reveal that someone is actively trying to brute-force their way into your POS system. Any spike in failed login attempts, particularly during unusual times of day or with strange location metadata, should be taken as evidence of an attack in progress.
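As an added illustration (not part of the original post or any product), the following script applies the rule above to constructed log records shaped like Windows Security events: it counts failed RDP logons (Event ID 4625, logon type 10) per source address inside a sliding window, and flags whether the spike fell outside an assumed business-hours range. The threshold, window, and hours are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security Event ID 4625
# (failed logon) / 4624 (successful logon) entries for RDP (logon type 10).
SAMPLE_LOG = """\
2016-09-20T02:13:05 4625 LogonType=10 Account=pos-admin Source=203.0.113.45
2016-09-20T02:13:07 4625 LogonType=10 Account=pos-admin Source=203.0.113.45
2016-09-20T02:13:09 4625 LogonType=10 Account=administrator Source=203.0.113.45
2016-09-20T02:13:11 4625 LogonType=10 Account=register1 Source=203.0.113.45
2016-09-20T02:13:13 4625 LogonType=10 Account=pos-admin Source=203.0.113.45
2016-09-20T02:13:15 4625 LogonType=10 Account=pos-admin Source=203.0.113.45
2016-09-20T10:41:00 4625 LogonType=10 Account=cashier2 Source=10.20.0.15
2016-09-20T10:43:30 4624 LogonType=10 Account=cashier2 Source=10.20.0.15
"""

THRESHOLD = 5                  # assumed: failures per source inside one window
WINDOW = timedelta(minutes=5)  # assumed sliding window length
BUSINESS_HOURS = range(8, 21)  # assumed 08:00-20:59 local; outside is "unusual"

def parse(line):
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "id": event_id, **kv}

def find_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose failed RDP logons reach
    `threshold` inside any interval of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["id"] == "4625" and ev["LogonType"] == "10":
            failures[ev["Source"]].append(ev)
    alerts = []
    for source, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:   # slide the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                accounts = sorted({e["Account"] for e in events[start:end + 1]})
                off_hours = ev["ts"].hour not in BUSINESS_HOURS
                alerts.append({"source": source, "failures": count,
                               "accounts": accounts, "off_hours": off_hours})
                break   # one alert per source is enough for triage
    return alerts
```

The single external source in the sample trips the rule at its fifth failure, against three different accounts, at 02:13 local time; the one daytime failure from the internal address does not.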
3. Deviation from Normal Traffic Patterns
While retail sales can be highly variable, depending on time of day or season, understanding common traffic patterns in POS systems can be key to noticing deviations. By understanding what normal traffic patterns look like, your organization can detect when unusual spikes in traffic require deeper investigation.
4. Unusual Connections
While specific infrastructure can vary slightly, the typical point-of-sale system consists of the following components:
- Credit Card Processor
- Remote Support
- Point-of-Sale Terminal(s)
In order to gain access to sensitive cardholder data, hackers may try to gain entry from several possible points in the infrastructure, though the remote support component is likely the most common and effective.
Not only can unusual connections spell trouble, but strange activities between connected components of the POS infrastructure can also be a red flag. Outbound file transfers between your remote support and terminals can be signs of active malware.
5. Physical Tampering with POS Terminals
With modern POS data breaches, physical tampering is a relatively rare occurrence. However, it's certainly not unheard of. In 2014, KrebsOnSecurity wrote that the Michaels craft stores' POS breach was caused by physical tampering with terminals at multiple Chicago locations. This form of attack is known as "skimming" and has affected Nordstrom, Barnes & Noble, and others.
Safeguards to prevent physical tampering are a critical component of security for retailers and PCI compliance. Using video security systems and training customer service staff to notice and immediately report tampering can prevent similar issues.
6. Sudden File Changes
Compared with skimming, malware-originated POS attacks are highly effective for cybercriminals and crime collectives. After gaining entry to a third-party vendor or large retailer's network, they can push malware that conducts automated skimming out to all terminals, enabling the collection of millions of unique customer records.
Signs of a malware attack can include many of the indicators discussed above, including failed log-on attempts or strange traffic patterns. However, unusual file changes are equally common. With the help of sophisticated file integrity monitoring tools, security administrators may notice unplanned file changes on the remote host, or the presence of new data files on the POS terminal after malware infection is complete.
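The core of file integrity monitoring is a baseline snapshot compared against the current state. As an added example (not the original post's or CimTrak's code), this script hashes every file under a directory, records size and mode, and classifies added, removed, and modified paths; `demo()` builds a constructed POS-like tree in a temporary directory and simulates the two changes the paragraph describes, an altered program file and a newly dropped data file.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative POSIX path -> (sha256, size, mode) for every file under root."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (hash_file(p), st.st_size, st.st_mode)
    return snap

def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline a small POS-like tree, then simulate the
    changes the text describes (altered program, new data file) and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "posapp.exe").write_bytes(b"original program bytes")
        (root / "pos" / "config.ini").write_text("[store]\nid=42\n")
        baseline = snapshot(root)
        # Simulated post-infection state: patched program plus a dropped data file.
        (root / "pos" / "posapp.exe").write_bytes(b"original program bytes\x90\x90")
        (root / "pos" / "newdata.dat").write_bytes(b"constructed new data file")
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline is taken immediately after a known-good build and stored off the monitored host, so that an intruder who changes files cannot also rewrite the record they are compared against.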
Are You Prepared for a Point-of-Sale Attack?
Maintaining full PCI compliance 24/7/365 is a critical step towards preventing a POS breach at your organization. By actively monitoring your POS systems against PCI requirements and a healthy baseline, you can detect sudden changes in user activity, permissions, files, connections, and other signs of a breach in progress.
CimTrak offers coverage for a wide range of POS systems, including Windows XP, Windows Embedded for Point of Service, and POSReady. Our file system agent runs on your remote support host, enabling administrators to detect attacks in real time. When changes are detected, administrators have the ability to deny rights and reverse changes directly from the CimTrak management console.
To learn more about CimTrak's real-time change detection and monitoring for POS systems, download our PCI solution brief today.
September 22, 2016