In recent posts, we have been discussing the problem of point-of-sale (POS) skimmers — devices that thieves add to POS terminals in order to capture payment card numbers, PINs and other sensitive information. Skimmers can be installed in seconds and look almost identical to POS terminals, making them difficult to detect. Skimming at the gas pump is a particular problem for convenience stores and fuel retailers.
However, skimming isn’t the only threat to POS systems. Here are six of the most common vulnerabilities that merchants should be concerned about.
Default Passwords. Security researchers discovered last year that many POS terminals use the same six-digit default password. Even if the default password is more robust, hackers have been known to access manufacturers’ networks and obtain lists of passwords and the devices they’re associated with. It’s important to change the default password on every POS terminal attached to the POS system, ideally using a 12-character passcode with a mixture of letters, numbers and symbols.
Fraudulent Devices. Criminals offer for sale POS terminals that look legitimate but give them direct access to payment card data. There’s no need for the crooks to install a skimmer because the device itself captures the data. Merchants should only obtain POS terminals from a reputable company.
Memory Scraping. Although POS terminals encrypt payment card data, there is a vulnerable point when the data in memory can still be read as clear text. Memory-scraping malware enables hackers to capture the data at this point. Merchants should disable remote access to POS terminals if possible, or use two-factor authentication if remote access is required. Firewalls, breach detection systems and other network security tools should also be used to minimize this threat.
Phishing. Phishing attacks are a primary vector for POS malware. A hacker will send a legitimate-looking email that has a malicious attachment or link. When a user opens the attachment or clicks the link, malware infects the network and enables the hacker to download data or remotely access POS terminals. Employees, contractors, suppliers and others with network access should be educated not to open suspicious emails, even if they appear to be from a legitimate sender.
Out-of-Date Operating Systems. Many POS systems were designed to use a version of Microsoft Windows XP called Windows XP Embedded. Although extended support for Windows XP ended on April 8, 2014, support for Windows XP Embedded Service Pack 3 just ended on January 12, 2016. A POS system running Windows XP Embedded or any other unsupported operating system is noncompliant with the Payment Card Industry Data Security Standard (PCI DSS) and a serious security risk. Such systems should be upgraded immediately.
Unsegmented Networks. If the corporate network is used to send software updates and security patches to POS devices, a hacker who gains access to the network has also gained access to POS data. This problem is particularly acute for restaurants and other hospitality venues that offer Wi-Fi to customers — if the guest Wi-Fi network isn’t properly isolated from the POS system, a hacker could easily get in. Network segmentation is the ideal way to minimize this vulnerability, but multifactor authentication can also be used to protect POS devices.
We will discuss multifactor authentication in more detail in our next post.