Most of the customers in the queue at a Wendy’s in Nebraska only intended to grab a burger or a coffee. They did get their food and drinks. But by the time they left the restaurant, cybercriminals had also accessed the Wendy’s POS system and stolen thousands of card records. How was this possible? Ironically, the fast-food chain did have a security solution installed on its POS, but it had not been updated on time, and that ended up putting customer data and the entire business’s reputation on the line.
Attacks on POS systems have been growing over the past few years. The same exposure that let network worms such as Code Red and SQL Slammer tear through unpatched, Internet-connected Windows hosts now affects both small retail shops and large hotel and restaurant chains. According to the Verizon Data Breach Investigations Report 2016, 525 POS breaches had confirmed data disclosure in 2015 alone, not to mention the Target breach disclosed in December 2013, which exposed around 40 million payment cards.
Why do POS breaches remain an extremely lucrative endeavor for cybercriminals?
The primary motivator for cybercriminals is profit. The physical point-of-sale handles the all-important data encoded on the magnetic stripe of a payment card, meaning the card can be cloned and used for fraudulent purchases. Payment card data can also be sold on dark web markets and so-called dump shops, such as McDumpals, where criminals can even filter cards by geography to make their fraud more convenient.
With a considerable number of POS terminals still relying on the magnetic stripe, a technology that dates back decades, they remain a very soft target. The combination of POS systems with Internet access and default passwords makes it easy for attackers to compromise this technology. If they are not protected with specialist software, POS systems have four basic weaknesses in their architecture:
· Card data sits unencrypted in memory while a transaction is processed, where memory-scraping malware can read it
· Data is sent in the clear (no encryption in transit)
· Unpatched operating systems
· Weak configuration (default accounts and passwords)
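The first weakness is the one POS malware exploits most directly: track data decoded from the stripe sits in plain text in the POS process’s memory, and a RAM scraper only has to search that memory for the Track 1 and Track 2 layouts and keep the hits whose card number passes the Luhn check. The same logic, run by a defender against a memory dump of the POS process, tells you whether cleartext card data is present at all. The example below is added here and is not code from the original article or from Kaspersky Lab; the “memory dump” is a constructed byte string, and the card numbers in it are well-known public test PANs, not real cards.

```python
"""Scan a buffer of process memory for unencrypted payment-card track data.

Added example, not from the original article. SAMPLE_MEMORY is constructed:
the PANs are public test numbers (4111111111111111 and 5555555555554444 pass
Luhn; 1234567812345678 is a decoy that does not).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMM SSS discretionary?   (PAN is 13-19 digits)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
# Track 1 layout: %B PAN ^ NAME ^ YYMM SSS discretionary ?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    rb"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out random digit runs that look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; a scanner must never log full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset in the scanned buffer
    pan_masked: str
    expiry: str         # YYMM
    service_code: str   # three digits


def scan_for_track_data(buf: bytes) -> list[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in buf, by offset."""
    hits: list[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue        # pattern matched but checksum failed: not a card
            hits.append(TrackHit(
                track=track,
                offset=m.start(),
                pan_masked=mask_pan(pan),
                expiry=m.group("exp").decode("ascii"),
                service_code=m.group("svc").decode("ascii"),
            ))
    return sorted(hits, key=lambda h: h.offset)


# Constructed stand-in for a POS process memory dump: binary noise around
# one Track 1 record, one Track 2 decoy that fails Luhn, and one real Track 2.
SAMPLE_MEMORY = (
    b"\x00\x10\x7fELF noise \xde\xad"
    + b"%B4111111111111111^DOE/JANE^25121011234500000?"   # Track 1, Luhn-valid
    + b"\x00" * 16
    + b";1234567812345678=2512101123450000?"              # decoy, fails Luhn
    + b" more noise "
    + b";5555555555554444=2601101123450000?"              # Track 2, Luhn-valid
    + b"\xff" * 8
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(f"track {hit.track} at offset {hit.offset}: "
              f"{hit.pan_masked} exp {hit.expiry} svc {hit.service_code}")
```

On a real terminal a defender would feed this a dump of the payment application’s memory taken with the platform’s debugging tools; if the scan finds anything, card data is exposed to exactly the scraper this article warns about, and point-to-point encryption at the reader is the fix. The Luhn filter matters in both directions: without it a scraper drowns in false positives, and a detector raises alerts on timestamps and serial numbers.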
However, taking several simple precautions will help you safeguard your business from a POS breach.
Employee training: According to the Verizon Data Breach Investigations Report 2015, social engineering is an increasingly popular tactic among cybercriminals attempting to breach POS systems. A simple phone call that tricks an employee into handing over a password can give a criminal remote access to a POS. Make sure your employees think twice about their behaviour around your POS systems, and ensure they understand that casually clicking on social media links and email attachments in the workplace, especially on any POS-equipped machine, is unacceptable.
Password maintenance: Once a POS system is installed, change the default system password immediately. Ensure that each employee has his or her own login to the machine, that individual passwords are not shared, and that these passwords are changed regularly. When an employee leaves the business, make sure their account is disabled the same day.
Lock down connections: Ensure every Wi-Fi network in your business uses WPA2 with a strong, non-default passphrase, keep POS terminals on their own network segment rather than the office or guest Wi-Fi, and put every Internet connection behind a firewall that blocks inbound connections to POS hosts.
Limit physical access: Since cybercriminals need only a short window of time to tamper with a POS system, make sure the POS machine is staffed at all times. Install a physical barrier around the POS machine to limit a customer’s ability to interact with the card reader or any USB ports on the POS machine.
Patch the operating system: Ensure the core operating system of each machine is kept up to date. When educating employees, make sure they know that prompts to install Windows system updates and application updates should not be ignored.
Install the best specialised POS security software: Attacks on retailers are driven largely by sophisticated malware, so POS-dedicated protection is vital. To safeguard businesses from the tricks of POS fraudsters, Kaspersky Lab has introduced Kaspersky Embedded Systems Security – a solution designed to protect payment card systems. It’s also important that all security software is kept up to date, so ensure that all patches or database updates are downloaded promptly.
Manage web access: With Kaspersky Small Office Security, business owners can prevent employees from visiting certain types of website (e.g., social media) and from downloading programs. Time limits can also be set on web usage for individual computers, and the safest policy is to block employees from browsing the Internet on the POS machine altogether.
Encrypt and back up: In many countries, any business that stores customer data is required by law, and by the PCI DSS if it handles card payments, to encrypt it. Even where it is not required, encrypting sensitive payment data is always recommended. In addition, make sure that all business-critical records are backed up to an external hard drive or cloud repository. Encrypt those backup files too, so that a lost drive or a compromised cloud account does not expose the data, and keep at least one copy offline so that a breach of the live system cannot also wipe the backups.
As more countries, including the USA, move to EMV chip cards, counterfeiting cards from stripe data becomes harder, which gives criminals even more reason to target ill-prepared POS systems that still process magnetic-stripe data. To stay off that list, retail and restaurant organisations should ensure they have done everything possible to keep their customers’ card data safe.
This article has been authored by Altaf Halde, Managing Director Kaspersky Lab South Asia