Mitigating security threats on POS systems
By Digital News Asia April 1, 2014
- Despite improvements in card security technologies, there are still gaps
- End of support for WinXP will pose increasing security risks on POS systems
ONE of the earliest forms of cybercrime is credit and debit card data theft and this persists until today, security company Symantec said in a statement.
Cybercrime gangs organise sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. Criminals can use the data stolen from a card’s magnetic strip to create clones, and it’s a potentially lucrative business with individual cards selling for up to US$100.
“There are several routes attackers can take to steal this data. One option is to gain access to a database where card data is stored,” said Nigel Tan, director of Systems Engineering at Symantec Malaysia.
“But another option is to target the point at which a retailer first acquires that card data – the point of sale (POS) system,” he added.
Tan said that while many POS transactions are in the form of cash, many payments are made by customers swiping their cards through a card reader.
These card readers may be standalone devices but modern POS systems, particularly those in larger retailers, are all-in-one systems which can handle a variety of customer transactions such as sales, returns, gift cards and promotions.
Most importantly from a security standpoint, they can handle multiple payment types, he added.
Given the sensitive financial and, sometimes, personal data to which modern POS systems have access, it is an obvious but not always well recognised fact that the security of these systems is of utmost importance, Symantec said.
Security issues in POS systems
Modern POS systems are specially configured computers with sales software installed and equipped with a card reader. Using a process known as ‘skimming,’ card data can be stolen by installing a device onto the card reader which can read the data off the card’s magnetic strip.
As this requires additional hardware and physical access to the card reader, it is difficult to carry out this type of theft on a large scale.
This led to the development of malware which can copy the card data as soon as it’s read by the card reader, Symantec said.
The first such attacks were seen in 2005 with a series of campaigns orchestrated by Albert Gonzalez, a hacker who stole over 170 million card numbers. Since then, an industry has developed around attacking POS systems, with tools readily available in the underground marketplace.
“Despite improvements in card security technologies and the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS), there are still gaps in the security of POS systems,” said Tan.
“This, coupled with more general security weaknesses in corporate IT infrastructure, means that retailers find themselves exposed to increasingly resourceful and organised cybercriminal gangs,” he added.
Card data theft is likely to continue in the near term, Symantec said. Stolen card data has a limited shelf-life. Credit card companies are quick to spot anomalous spending patterns, as are observant card owners.
This means that criminals need a steady supply of ‘fresh’ card numbers, the company added.
The good news is that retailers will learn lessons from attacks and take steps to prevent the re-occurrence of this type of attack, it said.
Payment technology will also change. Many US retailers are now expediting the transition to Europay, Mastercard and Visa (EMV) standards, or ‘chip and PIN’ (personal identity number) payment technologies.
Chip and PIN cards are much more difficult to clone, making them less attractive to attackers, Symantec said, adding that new payment models may also take over. Smartphones may become the new credit cards as mobile, or NFC (Near Field Communications), payment technology becomes more widely adopted.
“There’s no doubt that cybercriminals will respond to these changes. But as retailers adopt newer technologies and security companies continue to monitor the attackers, large-scale POS thefts will become more difficult and certainly less profitable,” said Tan.
Risks with WinXP end of support
The majority of POS systems run the older Windows XP version of Windows Embedded. This older version is more susceptible to vulnerabilities and therefore more open to attack, Symantec said.
In addition, Microsoft will end technical assistance for the Windows XP operating system on April 8, 2014, including automatic updates and regularly issued security patches.
Systems that continue to use Windows XP after the deadline will face increased security risks, particularly if new vulnerabilities are discovered in the operating system, Symantec said.
Consequently, these systems are susceptible to a wide variety of attack scenarios which could lead to large scale data breaches. Organisations with systems running on Windows XP Embedded (XPE) face a similar situation, but have more time to make their transition as Microsoft will end support for XPE in January 2016.
As many POS systems are running a version of Windows, they are also capable of running any malware that runs on Windows. Thus, attackers do not need specialised skills in order to target POS systems, and malware that was not specifically designed for use on POS systems could be easily repurposed for use against them.
“There are many steps that POS operators can take to reduce the risk from attacks against POS systems but above all, the overarching reminder is to implement layered security on the POS systems and throughout the network,” Tan said.
A properly configured endpoint protection product can block even the most determined attacker, and this is especially true when it comes to a POS system.
POS systems, as single-function devices, actually have a security advantage over a PC, Symantec said. Because no one on that device is web browsing, emailing or opening shared drives, the functionality of the machine and the files needed on that machine are limited.
In short, to implement the best protection for Windows-based POS systems, organisations should have layered security as part of the IT architecture, the company argued.