Point-of-sale (POS) systems seem to be a growing target for hackers. In early August, security expert Brian Krebs reported on his Krebs on Security site that Oracle’s MICROS POS division had suffered a breach in its customer support portal for companies using its point-of-sale card payment systems.
Attacks like this and a recent data breach involving Eddie Bauer Stores in the U.S. and Canada are just a few examples of hackers targeting POS systems.
Hackers always look for low-hanging fruit, security experts point out, and POS systems are relatively easy targets because they tend to have older, easily hacked security protocols.
“Hackers are going after the path of least resistance,” said Fred Kneip, CEO of CyberGRX, a provider of risk management software. “People have not evolved with the technology.”
What about EMV Technology?
Many large retailers, notably Target, Home Depot and Wal-Mart, have upgraded their POS systems to take EMV (chip) cards, designed to prevent certain types of payment fraud.
Other retailers have yet to activate the EMV capability. A Boston Retail Partners survey published earlier this year found that just 22 percent of retailers currently support EMV, with another 53 percent planning to do so within the next 12 months. And some merchants, primarily smaller ones, still have older POS systems that cannot even accept chip cards.
But a POS system’s ability to accept EMV cards does nothing about the vulnerability hackers are actually targeting: outdated operating systems on the back end. Installing new EMV-capable terminals did not require the back-end OS to be updated, so chip acceptance and back-end patch level are separate questions.
POS Security’s Low-hanging Fruit Problem
“Many of the systems are still running Windows XP or other out-of-support operating systems with known vulnerabilities, and there are no patches for them,” said Christopher Budd, global direct communications manager for security company Trend Micro.
A credit union in June filed a class-action lawsuit against restaurant chain Wendy’s in response to a data breach that affected at least a few hundred restaurants, alleging that Wendy’s security systems were outdated, payment card information wasn’t deleted when it was supposed to be, antivirus software wasn’t regularly updated, firewalls weren’t maintained and access to network and credit card data wasn’t monitored.
Unfortunately, this type of careless behavior is not uncommon, security experts say.
Security of their back-end systems isn’t always top of mind for retail merchants, many of whom struggle with profit margins, inventory shrinkage (shoplifting), e-commerce competition and other business issues, Budd said. The back-end systems that are the “brains” of POS terminals are often left unattended.
So, for example, there is no one to prevent a disgruntled employee or manager from using a USB drive to infect the system with malware or to pull customer information or other critical data from the system.
“When people think of hackers, they invariably think about online security,” Budd said. “But the fundamental foundation of security is physical control. If you don’t have that, then you don’t have adequate control.”
Another issue with internal security is that many merchants employ transitional or temporary staff to handle their machines much of the time and they simply don’t heed security protocols, said Mark Shelhart, senior manager of incident response and forensics at Sikich, a technology and managed services firm.
This is particularly true in the hospitality industry, where workers in quick service restaurants and staff in other establishments tend to have short tenures. So these establishments are particularly attractive to hackers, said Steve McKean, president of TableSafe, a company that sells a solution designed to let diners at restaurants pay for meals with cards that never leave their possession. The back-end payment systems are centralized, sometimes processing and retaining data for several establishments.
“Merchants need to make sure that customer data isn’t retained in their systems,” McKean said.
Remote Access and Encryption
Additionally, back-end systems typically offer remote access for authorized personnel, but remote access isn’t always locked down to ensure that only authorized personnel have access, said Shelhart, who noted that too many small merchants rely on inexpensive and ineffective firewalls and use simple, easily guessed passwords.
Echoing the thoughts of many other security experts, Shelhart recommended that merchants insist on POS systems that have point-to-point encryption as well as encryption of any data at rest. The encryption helps ensure that, even if a hacker successfully compromises the system, she will not be able to access any useful data.
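The two recommendations above, retaining no customer card data the merchant does not need (McKean) and encrypting whatever must be kept at rest so a compromised data store yields nothing useful (Shelhart), are illustrated in the following Go example. It is an added illustration, not code from the article or from any of the vendors quoted in it. It assumes AES-256-GCM as the at-rest cipher, a fixed 32-byte key standing in for one that a real deployment would fetch from an HSM or key-management service, and the constructed test card number 4111111111111111; the function names (SealPAN, OpenPAN, Purge, Masked, LeaksPAN) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SealedCard is what the back-end retains for one transaction. Only the last
// four digits are kept in clear; the full PAN exists only as AES-GCM output
// that is useless without the key (assumed to live in an HSM/KMS, not here).
type SealedCard struct {
	Last4      string
	Ciphertext []byte // 12-byte nonce followed by GCM ciphertext || tag
}

// luhnValid rejects malformed PANs before they are ever written anywhere.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// SealPAN encrypts the PAN at rest with AES-256-GCM under a 32-byte key.
// The record's own last4 is bound in as associated data, so a ciphertext
// cannot be silently re-attached to a different record.
func SealPAN(key []byte, pan string) (SealedCard, error) {
	if !luhnValid(pan) {
		return SealedCard{}, errors.New("invalid PAN")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return SealedCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedCard{}, err
	}
	last4 := pan[len(pan)-4:]
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	return SealedCard{Last4: last4, Ciphertext: append(nonce, ct...)}, nil
}

// OpenPAN recovers the PAN. A wrong key, a modified ciphertext or a mismatched
// last4 all fail GCM authentication and return an error rather than garbage.
func OpenPAN(key []byte, rec SealedCard) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(rec.Ciphertext) < ns {
		return "", errors.New("no card data retained for this record")
	}
	pt, err := gcm.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(rec.Last4))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Purge is the "don't retain it" rule: after settlement the ciphertext is
// dropped and only the masked reference needed for receipts/refunds survives.
func Purge(rec SealedCard) SealedCard { return SealedCard{Last4: rec.Last4} }

// Masked is the only form of the card number that should reach logs or receipts.
func Masked(rec SealedCard) string { return strings.Repeat("*", 12) + rec.Last4 }

// LeaksPAN reports whether the full PAN is visible in a blob, i.e. what an
// intruder who copied the data store but not the key would be able to read.
func LeaksPAN(blob []byte, pan string) bool { return strings.Contains(string(blob), pan) }

func main() {
	key := make([]byte, 32) // placeholder key; a real system fetches this from an HSM/KMS
	for i := range key {
		key[i] = byte(i)
	}
	rec, err := SealPAN(key, "4111111111111111") // constructed test card number
	if err != nil {
		panic(err)
	}
	fmt.Println("stored as:", Masked(rec), "PAN visible in store:", LeaksPAN(rec.Ciphertext, "4111111111111111"))
	_, err = OpenPAN(key, Purge(rec))
	fmt.Println("after purge, recovery error:", err)
}
```

Note the failure modes the code handles deliberately: decryption with the wrong key or with a tampered record fails closed instead of returning plausible-looking digits, a purged record cannot be recovered at all, and the only value the application layer ever formats for output is the masked form.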
Importance of Vetting Vendors
Vetting vendors is key, said Shelhart, pointing out that too many merchants trust the vendor’s word rather than doing their own due diligence, often because they don’t understand the potential danger from an unsecure POS system.
“That’s the biggest security gap that we have right now,” he said. “Don’t trust what the vendor is telling you about the system’s security. Do your own homework.”
Vendor vetting is an even bigger issue overseas, particularly in Brazil and China, where some POS systems are infected with malware before they are sold, according to Budd. He advises merchants considering POS purchases to stay with reputable, known vendors rather than buying machines from unknown companies, particularly if the vendor is based in China, Brazil or another country known to have issues with malware-infected terminals.
More Holistic Approach to POS Security Needed
POS systems have always been targets, said Torsten George, vice president of global products and markets for RiskSense, a provider of risk management software. “There’s too much focus on the endpoints and not on the back-end systems. Companies aren’t looking at the application layer or at the database layer.”
Another issue, George said, is that companies rely on siloed security solutions — one to handle security of POS systems, one to handle security of back-end systems and another to handle database systems.
“Organizations need to think more holistically. They need to move away from just focusing on endpoints,” George said. “You need a legion of people to connect all of the dots. The hackers are relying on machines to create the attacks, but we are still relying on humans to prevent the attacks.”
Phillip J. Britt’s work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.