New Trend: The Point-of-Sale System Hack
With electronic payments now outnumbering cash transactions, the Point-of-sale (PoS) system hack is becoming a more common in the world of cyber crime. In recent years, there have been several high profile cases including the notorious $10 million Subway PoS breach, where at least 150 franchises were targeted, as well as the breach of Barnes & Noble, where credit card readers in 63 stores were compromised. Almost all modern businesses now make use of an electronic PoS systems, and with the hacking of these devices on the increase, it is more important than ever to take appropriate steps to secure your customers’ data.
Physical PoS Hacks
In a recent high-profile Canadian case, a criminal carding ring stole PoS machines from several businesses and gained access to the credit card data via Bluetooth. Given that the hacking process only took roughly an hour to complete, it was easy for the hackers to remove a device and return it before businesses reopened the next day. This particular case is believed to have been facilitated by bribing employees to allow access to the devices after business hours. The scheme resulted in the theft of over $7 million from unsuspecting consumers.
If the thieves are sophisticated enough, there is no need to physically remove the PoS terminals; malware can be installed during what appears to be a normal consumer transaction. At the July 2012 Black Hat security conference, a researcher demonstrated how some terminals using a Linux-based operating system had a loophole that did not require firmware updates to be properly authenticated. This allowed the researchers to use an adjusted credit card to install malware onto one terminal during a normal transaction. The malware prompted the terminal to contact a rogue server and download the card skimming software. The demonstration highlighted exactly how vulnerable retailers can be - even the most stringent of physical security measures preventing devices from being tampered with may not be enough to prevent a PoS hack.
Remote PoS Hacks
There are many vulnerabilities within a PoS system - if a system is not properly protected, anyone with an inside knowledge of how the systems work can carry out a hack without much difficulty. Hackers are becoming more skilled, therefore PoS systems that used to be seen as a challenge are not as daunting as before. Because many PoS devices come pre-loaded with an operating system, the inner workings and weaknesses of that system are known to hackers. All they need to do is find an unsecured IP address or hack into a secure Wi-Fi connection if proper protections have not been put in place. A well-known weakness of PoS devices is their Internet printing protocol, which many businesses use for remote printing.
Protecting your business against PoS Hacks
There are some simple and straightforward steps you can take to make your system less accessible to hackers, for example:
Ensure all Wi-Fi connections on your network are secure
Avoid using a Wi-Fi network name that is associated with your business
Implement a lockout system for failed login attempts
Always change the default password for software
Follow best practices on secure password creation
Update your systems as often as possible – manufacturers are usually quick to respond to known vulnerabilities by releasing patches and software updates
However, no matter how many precautions you take, there is still likely to be one or more vulnerabilities that you are unaware of. Invest in the future of your business by hiring a reputable IT company to assess your system and identify your existing security risks.
Written by the technical staff at iCorps Technologies.