Your retail stores can't function without point-of-sale systems, but they're one of the greatest information security vulnerabilities. Recent news reports indicate that a Russian cybercrime collective has successfully targeted five separate providers of point-of-sale software in the past month, affecting "hundreds of thousands" of U.S.-based businesses. Significant point-of-sale breaches in the past twelve months have affected hotel groups, fast food chains, and other major brands.
The 2016 Verizon Data Breach Investigations Report (DBIR) found that point-of-sale breaches are among the most common methods of attack. There were a total of 534 incidents included in their research. In some cases, POS attacks may follow phishing incidents once hackers have gained entry to a system. For many affected organizations, poor authentication and vulnerability management can make POS systems an easy target for cybercriminals.
Join us as we review seven reasons why POS systems can be such a risk to retailers and how to manage these vulnerabilities.
1. They Offer an Enormous Payload
Even if your POS systems are relatively well-guarded, they're among the most attractive network elements to hackers. Depending on the volume of retail transactions at your business, they may collect data for hundreds or thousands of unique card transactions each day. In a criminal's mind, the sheer volume of payment card information that runs through a POS system equals a big payday. Symantec research suggests that, on the black market, each unique piece of card data can sell for up to $130.
2. POS May Contain Inherent Vulnerabilities
Ultimately, POS technology is relatively simple. It's typically designed to run on common operating systems such as Windows, Linux, or Unix. This simplicity can be an inherent flaw, meaning that POS malware can be easily designed and used to target a wide array of business systems.
If your POS system runs on Windows, it can be affected by almost any malware package designed for a Windows environment. Due to the broad availability of malware packages for common operating systems, hackers can easily purchase and launch malware attacks on POS systems without any particular sophistication.
In addition, an astounding amount of POS systems are running on OS that is outdated, such as Windows XP. This may mean that your POS OS is unpatched and wide open since supported patches are no longer being released for these options.
3. PCI Compliance May Not Equal Security
While PCI DSS guidelines do include provisions for POS systems under their definition of POS as a "payment application," meeting basic requirements for compliance may not be enough to fully protect your organization.
PCI requirement #6 comes the closest to directly addressing POS security by stating that organizations are required to install security patches, identify vulnerabilities, and practice change control. Other broad PCI requirements, such as using file integrity monitoring and performing penetration testing, are also beneficial to POS security.
However, there are certain critical omissions from PCI guidelines. It is not required that organizations segregate their POS network from environments that contain non-POS systems, which can make it easier for hackers to skim card data after a phishing attack. In addition, the speed at which point-of-sale data can be lifted can make the weekly file integrity monitoring scans required by PCI too great of a risk for organizations to absorb. Real-time monitoring is a significantly more secure option.
4. Mass-Management of POS Systems is Common
In the vast majority of the POS attacks listed in the Verizon DBIR, the target was major hospitality chains. From a hacker's perspective, targeting chains with multiple, geographically distributed POS systems can be a matter of efficiency. If your organization is managing multiple POS remotely from a single location (either internal or external), it's relatively easy for hackers to "push out" RAM scraper malware to each of your POS locations after gaining entry to your management portal.
Does this mean that small businesses with no more than a handful of POS systems can sit back and relax? Not quite. While most breaches occur at large organizations, small companies are still targeted by POS hackers. Analyst David Wallace recently interviewed by Bank Info Security stated that, in general, small businesses have the least protection over POS systems.
5. Vendor-Driven Vulnerabilities are Common
Third-party information security risks are very real and may account for up to 76% of POS attacks. Booz Allen Hamilton's research cites the sheer volume of vendors and management practices as two reasons that countless data breaches occur through external vendors. Drew Wilkinson, senior associate, and cyber risk expert states "a lot of effort is put into setting up the initial relationship...[but] there is no provision for monitoring how or if that changes."
The common trend of lax vendor management could be attributed to poor security policy, a lack of standardized vendor management practices, or a sheer lack of InfoSec resources to adequately deal with vendors.
Both large and small organizations may choose to outsource their POS management to a 3rd-party vendor for convenience or perceived security's sake. However, security journalist Thu Pham highlights that this can be risky, especially if your POS vendor is the target of a phishing attack.
The solution isn't necessarily to dismiss 3rd-party POS management as a security risk. For some organizations, outsourcing this service offers benefits that outweigh the risks. However, smart vendor selection and management practices are critical.
6. Installation May Be Done Incorrectly
Poor implementation practices of POS software can significantly compound inherent risks in this technology. Organizations may rely on an internal or external party to install POS systems that lack the credentials and knowledge to configure security beyond out-of-the-box defaults. Depending on your solution's built-in security, this can be incredibly dangerous.
While security at the time of implementation is crucial, it's not enough to protect your POS systems for a lifetime. However, a focus on both installation and maintenance is probably the best choice. Using a certified Qualified Integrator and Reseller (QIR) technician for POS implementation is not strictly required under PCI guidelines, but it's definitely a best practice.
7. Weak Network Security is Worrisome
Any vulnerabilities in the network that your POS reside on can leave your payment applications wide open to attack, which is why segregation can be a best practice. If you have an application on the network with weak or default credentials, gaining access to your POS may be remarkably easy.
As organizational networks grow more complex, inadequate security policies and controls can lead to "forgotten" infrastructure elements, which may result in vulnerabilities that go undetected for long periods of time. Visa's guidelines for adequate POS network security include:
- Access governance
- Separating internet access from the POS with a firewall
- Policy-based management to prevent unauthorized device access
- Use of strong credentials on all devices and applications on the network
- Isolation of POS applications using network segregation
- Enabling the strongest possible data encryption
- Disabling SSID broadcast
- Disconnection or monitoring of network ports
How to Lower Your Risk of a Point-of-Sale Data Breach
Retailers cannot function without POS systems to process customer transactions. While payment applications are a crucial component of retail, they're also among the most vulnerable. Security pros in the retail and hospitality industries should be aware of the inherent, emerging, and vendor-driven risks that surround this technology.
Cybercriminals can begin scraping your customer's card data just minutes after gaining entry to your network via POS malware, a phishing attack, your vendors, or countless other means. Immediate detection is the only way to protect your customers and your brand.
CimTrak offers one of the most sophisticated solutions for point-of-sale monitoring and security that can be used on a wide array of POS systems, including Windows. This lightweight, real-time solution will continually monitor each of your POS systems for easy management via the admin portal. Security pros can gain the ability to detect, evaluate, and remediate POS risks in real-time.
To learn more about our PCI-compliant tools for point-of-sale security monitoring, click here.
September 6, 2016