Too many companies think that their Point-of-Sale (POS) systems are merely the responsibility of the cashiers who sit behind a sales desk.


They forget that their POS systems face risks on multiple levels: networking issues, open ports, cyber-attacks, accessibility issues, and communication with a chain of numerous back-end processes. More often than not, these POS systems also handle the company’s most sensitive data, such as the Personally Identifiable Information (PII) of its customers.

Your company, in fact every company, should treat its POS systems as an extension of the company datacenter, a remote branch of its critical applications. You should see them as a high-threat environment and devise a targeted security strategy accordingly.

What is POS Security?

POS Security is about creating a safe environment in which your customers can make purchases and complete their transactions securely. It means putting preventive measures in place that keep unauthorized users away from electronic payment systems and reduce the risk of fraud or theft of customers’ credit card information.

Your POS systems are always an attractive target for cyber-criminals. You need to fully realize that all POS applications hold very important customer data: PII, credit card details, addresses, mobile numbers, email IDs, etc. Your job is to guard this data at all costs.

Attackers may exploit any known vulnerability or use all sorts of social engineering tactics to get a foothold. They may well succeed in installing malware on your systems that is specifically designed to STEAL credit/debit card details from your POS systems and terminals. Usually, such malware scrapes memory (RAM) to collect card data and then exfiltrates it at the attacker’s convenience.

If a malicious threat actor succeeds in compromising your POS application, they can gain access to thousands or millions of credit/debit card records. They can use this information fraudulently, or sell it on the dark web or to any third party. They may also gain access to additional applications and systems your company operates.

Be aware that attacks on companies and their retail POS systems are more frequent than you may like to believe.

Understand The Full Magnitude

If you’re responsible for your company’s cybersecurity efforts, you first need to fully understand the magnitude of the task in the case of POS systems. Remember, your POS systems present a unique attack surface. They are not like your routine IT systems.

Your POS systems may be installed as ‘in-store’ terminals, as well as ‘public kiosks’ and ‘self-service stations’ in places like shopping malls, airports, hospitals, gas-pumps, your branch locations, etc.

They may be so scattered geographically that you struggle to keep track of each device individually and to monitor their connections as a group. You may well be dealing with a lack of resources, logistical difficulties, and many other factors that make it hard to secure all of your POS devices. You will therefore struggle to react fast if a breach happens or a vulnerability is found.

You might also be facing a number of threats because so many of your POS solutions are likely still carrying the vulnerabilities of older operating systems (OS).

If you think that your IT staff will be able to fix everything while working remotely, you are set to endure a lot of pain. More often than not, remote IT staff lack the visibility needed to accurately see data and communication flows. This creates blind spots which prevent a full understanding of the open risks you are facing across your network of POS systems.

The risks are so high that it needs to be said loudly and plainly: do NOT underestimate them. It’s worth repeating here that your POS systems are connected to many of your company’s critical assets. You need to fully realize that the devices themselves are highly exposed, because almost anyone can get physical access to them.

Anyone from a waiter in a restaurant to a passer-by in a department store can reach them. Anyone can load a malicious application onto them via USB.

These devices are also vulnerable to remote attacks over the internet, because most of them are internet-connected as well.

Mobile payment apps from vendors such as PayPal, Paytm, Square and iZettle have repeatedly been found to have vulnerabilities because these apps communicate over Bluetooth. Any other apps installed on such devices pose a further set of potential threats and vulnerabilities.

Most system admins allow remote internet access to such devices for support and maintenance, but the same access exposes them to remote attacks too. Research by Trustwave in 2017 claimed that 62% of attacks on POS environments were carried out through remote access.

There is also a notorious malware family named POSeidon. This malware includes a memory scraper and a keylogger, so that credit card details and other credentials can be gathered on the infected machine and sent to the attackers.

POSeidon gains access through third-party remote support tools such as LogMeIn. From this easy access point, attackers then have room to move across the business network by escalating user privileges or moving laterally.

There have been a number of variants of such POS malware in the past.

The whole point here is that your POS systems are hard to secure, yet they pose very high risks!

HOW CAN YOU DEFEND AGAINST ATTACKS ON POS SYSTEMS?

If you are involved in retail-related sales at any level, then your company must make POS security a high priority!

You must introduce a range of preventive measures so that you can protect your POS systems and safeguard your customers’ transactions. Such measures include whitelisting applications, limiting POS application risks, ensuring POS software is always up to date, monitoring activity on POS systems, using complex and secure passwords, deploying two-factor authentication (2FA), using antivirus software, and putting physical security measures in place.

Some specific best practices are given below:

You can defend against such attack vectors if you deploy the right technology, purpose-built to prevent POS malware. This may consist of whitelisting the specific software allowed to run, and using ‘Code Signing’ to prevent any tampering with code or software. It may also include using ‘Chip Readers’: with chip readers your customers don’t have to swipe their credit/debit card at all, which makes replicating card data much harder for attackers.

You should train your employees on which security incidents may occur and on the company’s POS security policies that they need to adhere to.

You should use iPads for POS. Fortinet explains that many high-profile POS attacks have occurred as a result of malware being loaded into a POS system’s memory. This enables the attacker to upload a further malware application and steal data without being spotted by users or retailers. Crucially, this attack method requires a second application to be running.

As a result, Apple’s iOS can help prevent POS attacks, because this operating system (OS) can only fully run one application at a time, whereas Windows-based POS devices still rely on multiple applications running at the same time. Organizations can therefore use iPad POS solutions to run their POS systems and reduce the chances of POS attacks.

Physical security involves ensuring that your employees lock down their devices at the end of every working day, diligently keeping track of every corporate device throughout each day, and securing devices in locations that only a few trusted individuals have access to.

Always remember that your POS devices are vulnerable to remotely executed cyber-attacks. That’s why these devices should never connect to the internet directly. You should restrict the handling of business-critical tasks, such as transactions and payment processing, to secure corporate networks.

Whatever resources they need to reach, they should access them ONLY VIA your company’s secure networks.
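To make the application whitelisting and corporate-network-only advice above concrete, here is an added example (not code from the article or from any vendor) that reviews constructed POS terminal event logs: it flags any process start outside an assumed allowlist and any outbound connection that bypasses the assumed corporate address ranges. The log format, allowlist and network ranges are all assumptions chosen for the example.

```python
"""Review constructed POS terminal event logs against an application
allowlist and a corporate-network-only egress policy.
Example code added for this article; the log format, allowlist and
address ranges are assumptions, not any vendor's real configuration."""
import ipaddress
import re

# Assumed allowlist: only the POS application, its updater and a
# system host process may start on a terminal (lower-case names).
ALLOWED_PROCESSES = {"pos_app.exe", "pos_updater.exe", "svchost.exe"}

# Assumed corporate payment and management networks; anything else is
# a direct-to-internet connection the article says should never happen.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("10.30.0.0/16")]

# Constructed sample log lines: "<timestamp> <terminal> <event> <detail>"
LOG_LINES = """\
2024-05-01T09:00:01 POS-017 PROC_START pos_app.exe
2024-05-01T09:05:12 POS-017 NET_CONNECT 10.20.4.15:443
2024-05-01T12:41:07 POS-017 PROC_START LogMeIn.exe
2024-05-01T12:41:30 POS-017 PROC_START memdump_helper.exe
2024-05-01T12:42:02 POS-017 NET_CONNECT 203.0.113.9:8080
2024-05-01T13:00:00 POS-022 PROC_START pos_app.exe
2024-05-01T13:00:05 POS-022 NET_CONNECT 10.30.1.2:8443
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (PROC_START|NET_CONNECT) (\S+)$")


def in_corporate_net(ip_str):
    """True if the address falls inside one of the assumed corporate ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in CORPORATE_NETS)


def analyze(lines):
    """Return (timestamp, terminal, reason) findings for policy violations."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # skip lines that do not fit the assumed format
            continue
        ts, terminal, event, detail = m.groups()
        if event == "PROC_START" and detail.lower() not in ALLOWED_PROCESSES:
            findings.append((ts, terminal, f"non-allowlisted process {detail}"))
        elif event == "NET_CONNECT":
            ip = detail.rsplit(":", 1)[0]  # strip the port
            if not in_corporate_net(ip):
                findings.append((ts, terminal,
                                 f"direct connection outside corporate network to {detail}"))
    return findings


def terminals_with_findings(lines):
    """Sorted list of terminals that need follow-up."""
    return sorted({f[1] for f in analyze(lines)})


if __name__ == "__main__":
    for ts, terminal, reason in analyze(LOG_LINES):
        print(f"{ts} {terminal}: {reason}")
```

Against the constructed sample, only POS-017 is flagged: a remote support tool and an unknown process start, followed by a connection straight to a non-corporate address, which is exactly the pattern the article warns about.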

Your company should strive to become PCI DSS compliant. You will be required to implement a wide range of security measures to achieve it, covering all transactions carried out on card readers, online shopping carts, networks, routers, servers, and paper files.


To learn more about the options available to you for meeting your organization’s data protection and network security requirements for your POS systems, simply ask us at FreedomFire Communications.
