Understanding the Point-of-Sale Hacking Threat
By Jason Glassberg, co-founder of Casaba
Target’s massive data breach continues to reverberate in the headlines, but in reality it’s just one of countless attacks that affect the retail industry on a daily basis. Whether it’s highly sophisticated malware developed out of Russia, local hit-and-run point-of-sale thieves or insider threats, retailers must adapt to this increasingly risky environment.
First of all, it’s important for retailers to understand that just because you meet PCI compliance doesn’t mean you’re not at risk. PCI is the bare minimum that your company should be doing to protect itself — but it won’t stop today’s more sophisticated attacks.
Here is a quick breakdown of the top hacking threats retailers face, and how to boost your defenses:
• Skimming: This is the ‘traditional’ POS attack. Attackers physically modify the card reader or other POS terminal with additional hardware that can capture Track 2 data from all debit/credit cards. This type of attack has been used in a wide range of retailer hacks, including Nordstrom, Barnes & Noble, numerous gas stations, ATMs, etc. While this is now an outmoded attack due to the rise in POS malware, skimming is still widely used and popular. In the past few weeks, skimming operations have been uncovered in New York City, Albany, N.Y., Tampa Bay, Fla., Cincinnati, San Francisco, etc.
Security Tips: There are several ways retailers can protect against this type of attack - but the simplest method is to simply limit unmonitored physical access to the POS terminals. For example, if the card reader is not physically attached to the checkout counter, it should be locked up when the cash register is not in use.
Retailers should also have managers or security personnel physically inspect the card readers throughout the day for any noticeable signs of tampering. Employee training can also help to reduce the threat, by teaching employees how to spot compromised PIN pads, and common scams criminals use to get access to a POS device.
• POS Malware: One crew can only skim so many retailers at a time — so the preferred method these days is to deploy POS malware into a retailer’s network to infect hundreds or thousands of POS terminals at one time and reduce the physical threat to the attackers. POS malware basically just automates the skimming method with a computer program — the malware infects the POS device (which is usually Windows-based) then collects Track 2 data stored in the device’s memory every time a card is swiped. This type of malware is known as “RAM scraper” malware and is increasingly common in retail networks. The malware saves this captured Track 2 data in its own file on the POS device, which is later removed by the hacker. There are many different types of POS malware out in the wild, but a few that have been discovered include “Dexter,” “BlackPOS,” “ChewBacca,” and “Project Hook.”
Security Tips: Keeping POS software applications updated is critical. Retailers should also disable remote access software on the POS system; segment POS systems so they’re not connected to the Internet; use strong passwords and change them often on POS systems; install POS firewalls; and use Windows antivirus. Another step to consider is to eliminate the Windows-based POS machine altogether, since it’s easy to write malware for the Windows operating system. Instead, connect the POS terminal directly to a payment processor service.
• Breaching the Network: The problem with POS malware is getting it on the actual POS devices. In most cases, these aren’t connected to the Internet, so instead, hackers have to find a way in through the corporate or in-store network. Hackers can employ a wide range of methods to breach this network in order to get their malware onto the POS terminals. They may send “phishing” emails to employees with a poisoned payload, use “social engineering” to trick employees into giving up passwords or network access, leverage a malicious employee, launch SQL injection attacks on a Web server, compromise a third-party vendor with access to the network, or simply exploit a default password on a network device.
Security Steps: Of course, infecting a POS terminal with malware first starts by breaching the retailer’s network security. Since there are many ways to attack the network, as listed above, retailers must have a rigorous and comprehensive security program in place to effectively block these attacks.
Employee training is helpful for preventing breaches via phishing and social engineering — but retailers should take additional steps. Segment your employees’ access to key systems, databases and information so if they’re infected by a phishing email, the infection won’t spread laterally across the network, and social engineering attacks will be less threatening. Companies should perform ongoing security audits and code reviews to look for software vulnerabilities that might enable a SQL injection or other type of attack. They should also review the level of access and security of all third-party vendors that are in their supply chain.
Additionally, retailers should undergo periodic “penetration testing” (also known as “ethical hacking” or “red-teaming”) by a qualified cybersecurity contractor with experience in POS systems to test for weaknesses in their corporate networks that may have gone unnoticed.
Unfortunately, there is no such thing as a 100% safe network — and cybercriminals will constantly put your systems to the test, looking for any vulnerabilities they can exploit. But by being proactive and implementing an aggressive cybersecurity program, retailers can greatly reduce their chances of being compromised, detect breaches early on before they have a chance to escalate and make it harder and more expensive for cybercriminals to attack them, which increases the likelihood that they will move on to softer targets.
Jason Glassberg is co-founder of Casaba, a cybersecurity/ethical hacking firm that consults for retailers, major banks, Fortune 50s/100s/500s. Prior to forming his own company, was the senior technical lead on retail systems for Charles Schwab & Co. He can be reached at email@example.com.