How Businesses Can Prevent Point-of-Sale Attacks

Uploaded on 2016-11-16 in FREE TO VIEW, NEWS-Cybersecurity News

Retailers, hotels and restaurants have all been victimized through the same Achilles' heel that cyber-criminals continue to attack: the point-of-sale system, where customers' payment data is routinely processed.  

These digital cash registers are often the target of malware designed to steal credit card numbers in the thousands or even millions. This year, US fast-food vendor Wendy's, clothing retailer Eddie Bauer and Kimpton Hotels have all reported data breaches stemming from such attacks.

Security experts, however, are encouraging a variety of approaches to keep businesses secure from point-of-sale-related intrusions. Here are a few to consider:

Monitoring

Point-of-sale malware can strike in a number of ways. Often, it can involve hackers spreading malicious code by breaching the remote access services designed to maintain the payment processing systems, said John Christly, CISO of Netsurion, a security provider.

These remote access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of point-of-sale machines. It also doesn't help that the malware can be tricky to detect, Christly added. Sometimes, it can sneak past antivirus programs, and then stealthily extract payment data, despite the presence of traditional firewalls.

"Then it can send out the stolen data slowly, making it look like normal traffic," Christly said. "A few months will go by, and who knows how many credit cards will have been breached."

Businesses that provide remote access to their point of sale system can consider installing two-factor authentication, to avoid relying only on password logins, Christly said. But to ensure better detection of all possible threats, he advocates that businesses go beyond basic antivirus and firewalls and use tools that can monitor for any unusual activity on the actual point-of-sale machines.

"You have to watch every computer to make sure nothing has changed," Christly said. "Whether that computer is active during the night and communicating data, or if the files are being changed."

These tools have been generally marketed to big brand retailers, but Netsurion said it's been offering them at a low cost to small and medium-size businesses.

Encryption

Although hackers continue to develop ever-craftier point-of-sale malware, the most resilient malicious coding becomes useless if all it steals is encrypted data, said George Rice, a senior director of payments at Hewlett Packard Enterprise Security.

Typically, point-of-sale malware works by reading payment data the moment the card is swiped through the retail checkout machine. It does this by scraping the RAM memory of the point-of-sale terminal, where the payment data can be unencrypted.

"The malware techniques are evolving all the time," Rice said. Criminals also understand that retailers are continually updating their point-of-sale machines for pricing or inventory reasons. "So they (the hackers) are using a variety of vulnerabilities to insert the malware into the system," he added.

However, businesses are far less vulnerable to any data breach if they move to end-to-end encryption, according to Rice. That means encrypting the customer's data throughout the entire payment process, including the moment the credit card is swiped.

"This technique can help close any loopholes and vulnerabilities within the system," Rice said.

Earlier this year, HPE Securty announced a partnership with Ingenico, a maker of payment checkout devices, on an end-to-end encryption product for businesses.

To better protect payment data, Hewlett Packard Enterprise Security also provides tokenization, a process of replacing the processed payment card data with digital placeholders, known as tokens. Both this and encryption can be used in combination to reduce the risk of data theft, Rice said.

Testing

Unfortunately, when businesses select the point-of-sale system they want to buy, they rarely think of security, said Charles Henderson, the head of X-Force Red, a security testing team at IBM.

"Most companies assume when they buy a point-of-sale system, they're buying something secure," Henderson said. Buyers also tend to conflate security with a product's compliance to industry standards, but that's not always true, he added.

Henderson's team routinely tests point-of-sale systems to look for vulnerabilities. Often, his team finds them when the business assumed its system was secure because of its industry compliance.

In addition, many of these point-of-sale products are installed by third-party resellers that may not specialize in security. These factors can put businesses at risk, he said.

To prevent this problem, Henderson advises that businesses hire a security specialist to test that their point-of-sale system for any vulnerabilities. Most mainstream point-of-sale system products can be secured with the right implementation, he added.

That testing also goes for security products. Although encryption and other malware-fighting tools can prevent data breaches in point-of-sale systems, they're practically useless if they aren't properly installed, Henderson said.

"They're not bullet proof. The devil is in the implementation," he said.

Computerworld

 

 

« Cisco says It Will Make The IoT Safe
Overconfident: US Will Win A Cyber War With China »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Black Hat Briefings

Black Hat Briefings

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world.

softScheck

softScheck

softScheck is an IT security consultancy. Services range from pentesting and compliance testing to security auditing of software and IT infrastructure.

Progress Flowmon

Progress Flowmon

Progress Flowmon (formerly Flowmon Networks) provide high performance network monitoring technology and behavior analytics to enhance network performance and deal with cyber threats.

Center for Strategic Cyberspace & International Studies (CSCIS)

Center for Strategic Cyberspace & International Studies (CSCIS)

CSCIS seeks to advance global cyberspace security and prosperity by providing strategic insights for cyberspace and policy solutions to decision makers.

Sage Designs

Sage Designs

Sage Designs is a provider of SCADA, Security & Industrial Automation products and training programs.

Silverskin Information Security

Silverskin Information Security

Silverskin is a cyber attack company that specializes in having knowledge of the attacker's mindset to identify vulnerabilities and build effective and persistent defences.

Vuntie

Vuntie

Vuntie blend European craftsmanship, performance and open-source technology to deliver cybersecurity services including penetration testing, incident response, training and consultancy.

Granted Consultancy

Granted Consultancy

Granted Consultancy is a business consultancy that specialises in securing funding to support companies with the development and commercialisation of new and innovative products and technologies.

Cyber Intelligence 4U

Cyber Intelligence 4U

Cyber Intelligence 4U is an educational services company that provides two levels of cybersecurity training programs: executive and technical.

CyberSheath Services International

CyberSheath Services International

CyberSheath integrates your compliance and threat mitigation efforts and eliminates redundant security practices that don’t improve and in fact might probably weaken your security posture.

iON United

iON United

iON United is a full-service IT security solutions provider and one of the most trusted names in cybersecurity in Canada.

Axiado

Axiado

Axiado Corporation is a security processor company redefining hardware root of trust with hardware-based security technologies, including per-system AI.

Qrypt

Qrypt

Qrypt has developed the only cryptographic solution capable of securing information indefinitely with mathematical proof as evidence.

Methods

Methods

Methods is the leading digital transformation partner for the UK public sector. We care deeply about making our public services better and have been doing this for over 28 years.

Anetac

Anetac

Developed by seasoned cybersecurity experts, the Anetac Identity and Security Platform protects threat surface exploited via service accounts.

Proton

Proton

Proton provides free encrypted email, calendar, drive, password manager, and VPN services. Building a better Internet.