[BreachExchange] Top 8 Security Vulnerabilities Threatening Your SMB's POS System

Inga Goddijn inga at riskbasedsecurity.com
Wed May 4 21:18:45 EDT 2016


http://in.pcmag.com/microsoft-windows-vista/103124/feature/top-8-security-vulnerabilities-threatening-your-sm

In December of 2013, Target acknowledged that a hacker gained access to
more than 70 million of its customer credit and debit card numbers via the
company's point-of-sale
<http://in.pcmag.com/cloud-services/99482/guide/the-best-point-of-sale-pos-software-of-2016>
(POS <http://www.pcmag.com/encyclopedia/term/49444/point-of-sale>) system.
One of the biggest data breaches in US history, the Target hack
<http://in.pcmag.com/news/67832/target-hack-may-have-hit-40-million-credit-debit-c>
cost the company's CEO and CIO their jobs.

Unfortunately for everyone involved, the hack could have been avoided if
only Target executives had implemented the auto-eradication feature within
its FireEye anti-malware
<http://in.pcmag.com/cloud-services/96509/guide/the-best-saas-endpoint-protection-software-of-2016>
system. The FireEye <https://www.fireeye.com/index.html> tool caught the
malware <http://www.pcmag.com/encyclopedia/term/46552/malware> code in
November of that year and could have deleted it from Target's network
before any of the data was pilfered.

Although it's still unclear how the hacker infected Target's network with
the malware, there are many ways to exploit a company's POS system. For
small to midsize businesses (SMBs), the threats are even greater and more
abundant than they are for larger enterprises. This is because most SMBs
don't have the resources to create the necessary security restrictions to
keep hackers at bay (or to take a hit if hackers do infiltrate their
systems). In this article, we'll examine the top eight POS security
vulnerabilities that are threatening SMBs today. We'll tell you not only
what to look out for but how to stay safe.

*1. Vendors Managing Encryption Keys With No Hardware Security Module*
Here's the issue at hand: If your company stores encryption
<http://www.pcmag.com/encyclopedia/term/42594/encryption> information in
the same location where it stores user data, you're putting all of your
eggs in one fragile basket. However, if you physically keep encryption key
data separate from user data, a hacker who gains access to the user data
won't have access to the encryption information.

A hardware security module is a physical device that stores your encryption
data. You can attach this device directly onto your computers or servers to
access the POS data once it's been uploaded to your network. It's another
step in your data offloading, but it's not as difficult as explaining to
your company's legal counsel why your customer data is in someone else's
hands.

*2. Business Networks With Unsegmented POS Data*
If your business is using your corporate network to send system and
security updates to POS data environments and devices, you're putting your
business at serious risk. In this scenario, if a hacker gains access to
your network, he or she has also gained access to all of your POS data.

Companies with deep pockets and IT experts on hand separate these two
networks and create small pathways from the business network to the POS
data environment in order to make system changes. This is the Fort Knox
version of POS security. However, it is incredibly difficult and expensive
to configure. So, smaller organizations often settle for enabling multifactor
authentication
<http://www.pcmag.com/encyclopedia/term/57825/multifactor-authentication>
(MFA) from the business network to the POS device. This isn't a dream
security scenario but it's the most secure option available for modest
companies.

Another important note here: Coffee shops and restaurants that offer Wi-Fi
<http://www.pcmag.com/encyclopedia/term/54444/wi-fi> to customers should
make sure that their POS devices aren't hooked up to the same network. Once
a hacker sits down, sips his or her latte, and accesses your Wi-Fi, he or
she can then find a way into your POS data environment.

*3. Running on Old Operating Systems*
Not everyone wants to update to Microsoft Windows 10
<http://in.pcmag.com/windows-10/94627/review/microsoft-windows-10>. I get
it. Fine, but if you're still running an old version of Windows, you're
asking for trouble. Microsoft ended support for Windows XP in 2009, for
Microsoft Windows Vista
<http://in.pcmag.com/microsoft-windows-vista/10173/review/microsoft-windows-vista>
in 2012, and for Microsoft Windows 7
<http://in.pcmag.com/microsoft-windows-7/18494/review/microsoft-windows-7>
in 2015—and it will end support for Microsoft Windows 8
<http://www.pcmag.com/article2/0,2817,2392889,00.asp> in 2018. If you've
asked Microsoft for extended support, you'll be safe for at least five
years after the termination of mainstream support. If you haven't extended
your support or if extended support has lapsed (as it has with Windows XP),
it's important to note that Microsoft will no longer add security patches
to fix issues that arise within the operating system
<http://www.pcmag.com/encyclopedia/term/48618/os> (OS). So, if hackers find
an entry point into the software, your POS data will be exposed.

*4. Default Manufacturer Passwords*
Even if you're a numbers wizard who can memorize the intricate passwords
provided by your POS device manufacturer, it's incredibly important that
you change the password once you've hooked the device up to your software.
That's because hackers have been known to pull lists of these passwords
from the manufacturers' networks and trace them back to your devices. So,
even if you took every precaution possible to secure your data, you're
still leaving the door unlocked to hackers.

*5. Fraudulent Devices*
Make sure you partner with a company with a solid reputation. Otherwise,
you may wind up buying a fraudulent POS system, which is essentially game
over for your company and your customer data. By directly gaining access to
your customer's credit card, these crooks can pull data without you or your
customer knowing anything went wrong. These machines simply tell the
customer that the transaction can't be finalized, leaving the customer to
believe there is a problem with his or her credit card or that there's a
problem with your back-end system. In fact, the machine is simply pulling
in the customer's data without anyone being the wiser.

*6. Malware via Phishing <http://www.pcmag.com/encyclopedia/term/49176/phishing>*
It's important that you alert your employees not to open suspicious emails.
Hackers embed links in email that, if clicked, give them access to your
employee's computer. Once the hacker has taken control of the machine, he
or she can navigate throughout the network and your servers to gain access
to any data. If you're lucky enough to not store your POS data in the same
network environment, you're still not in the clear as hackers can remotely
access a POS device that's connected to the hijacked computer.

*7. RAM Scraping*
This is an old-fashioned attack that still has a bit of bite. RAM scraping
<http://www.investopedia.com/terms/r/ram-scraping-attack.asp> is a
technique by which attackers rip credit card data from the POS device's
memory before it gets encrypted on your network. As I mentioned before,
keeping your POS systems isolated from your business network should limit
these types of attacks (given that hackers have fewer entry points to POS
devices than they do to your corporate network). However, you should also
tighten your company firewalls to ensure that POS systems are only
communicating with known devices. This will limit the ways in which hackers
can access the data on your POS devices by forcing them to hijack computers
or servers within your network to scrape the RAM.
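The segmentation advice in sections 2 and 7 (POS devices talk only to known hosts, guest Wi-Fi never reaches them, one management pathway for updates) can be turned into a check over flow logs. The script below is an added example, not code from the article or from PCMag; the subnets, the payment gateway address, the management host and the log format are all constructed for illustration.

```python
import ipaddress

# Constructed POS segment policy (hypothetical addresses, not from the article).
POS_NET = ipaddress.ip_network("10.20.0.0/24")        # card terminals / POS hosts
GUEST_WIFI = ipaddress.ip_network("192.168.50.0/24")  # customer Wi-Fi
MGMT_JUMP = ipaddress.ip_address("10.10.0.5")         # the one "small pathway" for updates
ALLOWED_FROM_POS = {                                   # (destination, port) a POS host may reach
    (ipaddress.ip_address("203.0.113.10"), 443),      # payment processor gateway
    (ipaddress.ip_address("10.10.0.20"), 443),        # internal patch server
}

def check_flow(src, dst, dport):
    """Return a reason string if the flow breaks the POS policy, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in POS_NET:                       # egress from the POS segment
        if (dst, dport) in ALLOWED_FROM_POS:
            return None
        return "pos-egress-to-unknown-destination"
    if dst in POS_NET:                       # ingress into the POS segment
        if src in GUEST_WIFI:
            return "guest-wifi-reached-pos-segment"
        if src == MGMT_JUMP and dport == 22:
            return None
        return "inbound-to-pos-not-from-management-jump"
    return None                              # traffic not involving POS: out of scope

def parse_flow(line):
    # Constructed flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
    ts, src, _, dst, _proto = line.split()
    s_ip, _ = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return ts, s_ip, d_ip, int(d_port)

def audit(lines):
    """Return [(timestamp, src, dst, dport, reason)] for every policy violation."""
    findings = []
    for line in lines:
        ts, s, d, p = parse_flow(line)
        reason = check_flow(s, d, p)
        if reason:
            findings.append((ts, s, d, p, reason))
    return findings

SAMPLE_FLOWS = [  # constructed sample log lines
    "2016-05-04T21:18:45 10.20.0.7:51000 -> 203.0.113.10:443 tcp",   # normal authorization
    "2016-05-04T21:19:02 10.20.0.7:51001 -> 198.51.100.9:8080 tcp",  # POS calling an unknown host
    "2016-05-04T21:19:30 192.168.50.23:40122 -> 10.20.0.7:445 tcp",  # guest Wi-Fi client to POS
    "2016-05-04T21:20:11 10.10.0.5:55021 -> 10.20.0.7:22 tcp",       # sanctioned management access
    "2016-05-04T21:20:40 10.10.0.77:55022 -> 10.20.0.7:3389 tcp",    # other corporate host to POS
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Only the second, third and fifth sample flows are reported; the same allowlist is what the firewall rules between the business network and the POS segment should enforce, with the log check confirming they do.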

*8. Skimming*
This is an easy one to ignore as it requires on-the-ground security to
ensure no one sketchy handles your POS devices. Essentially, skimming
<http://www.pcmag.com/encyclopedia/term/64587/skimming> requires hackers to
install hardware onto the POS device, which will then allow them to scan
credit card information. This can also be done via malware if you haven't
followed some of the steps I mentioned earlier. If you run multiple
branches, it's crucial that you monitor how your POS devices are being used
and by whom.