The POS breach. They’re the bogeyman on the mind of every consumer when they swipe their card at the check-out counter: POS, or Point of Sale, breaches. With famous examples such as the Target breach of 2013, in which 2000 retail stores lost sensitive financial data for their customers, it is no wonder that the menace of cyber thievery through the conduits of transaction systems are legitimate concerns. To understand why this type of attack is a real threat, it’s important to first understand how and why it keeps happening.
The Objective:
In most every case of a POS breach, the attacker’s goal is to make off with the sixteen digits printed on the front of your credit card. Credit card data goes for big bucks on the cyber black market, so stealing credit card credentials will always be a worthwhile endeavor for cyber criminals. For the last several years, credit and debit transactions have taken the number one spot as the most common form of payment in the United States. With a majority of transactions taking place through plastic, the Point of Sale device has a big target on its chassis.
The Marks:
Cyber criminals aren’t exactly picky about whose data they’ve stolen. Instead, their game is focused on quantity. Therefore when it comes to a POS breach, attackers are only looking for a few factors to designate a quality target: ease of the breach, number of potential victims, and business functions reliant on Point of Sale systems. Certain types of industries are on the chopping block. Usually, those industries include restaurants, hotels, grocery stores, gas stations, and department stores. Perimeter security in these kinds of businesses are often lax and a high volume of credit card transactions means that attackers have a better chance of snagging something.
The Method:
Most POS systems run on a Windows system. This means that POS systems are susceptible to the same vulnerabilities as a Windows-based computer. Upon swipe, a POS stores credit card data, unencrypts that data in order to process the transaction, then stores the transaction data to later be rolled up to corporate for audit. In the case of POS breaches, cyber criminals are focused on inserting themselves between the unencrypting process and the transaction archives.
You may be wondering how malware is delivered to a POS system. Are criminals swiping malware-laced credit cards at the register? Or hacking into the wires out back? No. Unfortunately, the same means and methodology of the everyday hacker work just fine for a POS breach: phishing emails, weak passwords, and cyber security oversights.
In most cases, breachers target the computers connected to the POS machine to gain access. Employees use these machines not only for transactions, but also use these machines to check email, run other Web-facing applications, or just to surf the web when the boss isn’t looking.
Social engineering and a lack of basic security culture can easily turn a computer used as a cash register 95% of the time into a fruitful honeypot for hackers.
The Cure:
PCI Compliance is a 12-step checklist to ensure that your business is safely handling payment cards. Nearly half of the dozen requirements can be accomplished by use of a properly configured and up-to-date firewall device. If your firmware is kept current and your appliance has been configured in a way which leaves no vulnerabilities and blindspots in the network, you should be golden. Further, regularly discussing cyber security and email safety with employees should be a no-brainer.