PoS (Point-of-Sale) Hacking: System & Terminal Cheats

With electronic payments now outnumbering cash transactions, the Point-of-Sale (PoS) system hack is becoming more common. In recent years, there have been several high-profile cases including the notorious $10 million Subway PoS breach, where at least 150 franchises were targeted, as well as the breach of Barnes & Noble, where credit card readers in 63 stores were compromised. Almost all modern businesses now make use of electronic PoS systems, making it more important than ever to secure your customers’ data.


Understanding Point-of-Sale Security Vulnerabilities

Point-of-Sale devices offer an unparalleled level of convenience for businesses and their customers. Whether you're a brick-and-mortar shop or online retailer, these systems provide an integrated hub for processing payments, tracking expenses, and managing customer relationships. For many businesses, they have become an indispensable part of everyday life. Unfortunately, this reliance has not gone unnoticed. Cyber criminals tend to capitalize on two main vulnerabilities in PoS systems: the physical characteristics of the devices, and the IT infrastructure they are connected to. We'll take a look at both.

Remote Point-of-Sale Hacking

Many PoS systems come with inherent vulnerabilities. Oftentimes, these devices are pre-loaded with an operating system and minimal security features. If this OS is well known, cybercriminals may already be familiar with the inner workings and weaknesses of said system. All they need to do is find an unsecured IP address or hack into a secure Wi-Fi connection to begin exploiting the PoS. A well-known weakness of PoS devices is their Internet Printing Protocol (IPP), which many businesses use for remote printing. PoS systems can also be hacked via:

  • Network Attacks - These occur when your PoS devices connect to your main business network, and are either the original target of a hack or a casualty via this connection. It's best practice to keep your PoS devices and regular operational devices on separate networks. That way, if one system is compromised, there isn't a domino effect across your entire organization.

  • Brute Force Attacks - This type of attack involves special software scripts that guess passwords by generating strings of numbers and letters. These attacks often take a couple of days and are successful if your PoS passwords are simple or on default settings.
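One way to check the network separation recommended above is to audit flow records for traffic crossing the PoS boundary. This is an added example, not part of the original article; the subnets, the payment-processor address and the flow records are constructed assumptions (port 631 is the standard IPP port).

```python
import ipaddress

# Assumed addressing plan (hypothetical values, not from the article).
POS_NET = ipaddress.ip_network("10.20.0.0/24")    # PoS terminals only
CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # office PCs, servers, printers
# The only destination terminals need: a placeholder payment-processor endpoint.
ALLOWED_FROM_POS = {(ipaddress.ip_address("203.0.113.10"), 443)}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.10", 443),  # terminal -> processor: expected
    ("10.10.4.22", "10.20.0.15", 631),    # office PC -> terminal IPP service
    ("10.20.0.15", "10.10.1.5", 445),     # terminal -> office file server
    ("10.20.0.16", "198.51.100.7", 80),   # terminal -> arbitrary internet host
    ("10.10.4.22", "10.10.1.5", 445),     # office-only traffic, out of scope
]


def audit_flows(flows):
    """Return (flow, reason) for every flow that breaks PoS isolation."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in POS_NET and d in POS_NET:
            continue  # traffic that stays inside the PoS segment
        if d in POS_NET:
            origin = "corporate host" if s in CORP_NET else "outside host"
            findings.append(((src, dst, port), f"{origin} reaches PoS segment"))
        elif s in POS_NET and d in CORP_NET:
            findings.append(((src, dst, port),
                             "PoS device reaches corporate network"))
        elif s in POS_NET and (d, port) not in ALLOWED_FROM_POS:
            findings.append(((src, dst, port),
                             "PoS device reaches non-allow-listed destination"))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Any finding means the two networks are not actually separate, so a compromise on one side has a path to the other.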

In 2018, Oracle made news after it was discovered that its PoS Micros systems had a critical vulnerability. This vulnerability provided cybercriminals unauthenticated access to businesses' servers, usernames, and passwords - putting thousands of accounts at risk of financial fraud. If you're going to leverage a PoS system in your business, make sure you're doing so safely.

 


Physical Endpoint Hacking

In a high-profile Canadian case, a criminal carding ring stole PoS machines from several businesses and gained access to the credit card data via Bluetooth. Given that the PoS hacking process only took roughly an hour to complete, it was easy for the hackers to remove the devices and return them before the businesses reopened the next day. This particular case is believed to have been facilitated by bribing employees, who then turned over the devices after hours. This scheme resulted in the theft of over $7 million from unsuspecting consumers.

If the thieves are sophisticated enough, there is no need to physically remove the PoS terminals; malware can be installed during what appears to be a normal consumer transaction. The fast food chain Wendy's was hit with a PoS-based malware attack, in which 300 of its stores were infected with software designed to steal credit card information. The post-mortem showed that the malware was installed via third-party vendor credentials.

The retail chain Forever 21 was also hit with a breach in which malware spread across PoS devices for seven months before finally being discovered. Again, this memory-scraping software was siphoning cardholders' PII. Large corporations in the hospitality, retail, food service, and tourism industries are prime targets for PoS-based cybercrimes due to the availability of financial data and the high volume of traffic.

At a Black Hat security conference, a researcher demonstrated how some terminals using a Linux-based operating system had a loophole that did not require firmware updates to be properly authenticated. This allowed the researcher to use an adjusted credit card to install malware onto one terminal during a normal transaction. The malware prompted the terminal to contact a rogue server and download the card skimming software. The demonstration highlighted exactly how to cheat the system, showing just how vulnerable retailers can be. Even the most stringent of physical security measures preventing devices from being tampered with may not be enough to prevent a PoS hack.

7 Ways to Protect Your Business from Point-of-Sale Hacking


Point-of-Sale systems have radically transformed the retail experience for businesses and customers alike. Don't let cyber criminals prevent your business from making the most of this technology. There are some simple and straightforward steps you can take to protect your system:

  1. Use encryption to protect your endpoint data.
  2. Always change default settings for new Point-of-Sale systems.
  3. Use complicated system passwords, and change them regularly.
  4. Ensure all Wi-Fi connections on your network are secure and private.
  5. Implement a lock-out system after a certain number of failed login attempts.
  6. Keep your Point-of-Sale devices siloed by preventing users from accessing the internet or other applications. 
  7. Regularly update your Point-of-Sale systems. Manufacturers will often release patches and software updates throughout the year to counter new vulnerabilities. 
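The lock-out recommendation in step 5, sketched as an added example that is not part of the original article: failures are counted per account in a sliding window, and a locked account rejects every attempt, including a correct password. The thresholds, account names and login events are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold before lock-out
WINDOW_SECONDS = 300    # failures are counted within this sliding window
LOCKOUT_SECONDS = 900   # how long a locked account stays locked


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> unlock time

    def record(self, account, now, success):
        """Process one login attempt and return its outcome."""
        if self.locked_until.get(account, 0) > now:
            return "locked"   # rejected even if the password was correct
        window = self.failures[account]
        if success:
            window.clear()    # a genuine login resets the counter
            return "ok"
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()  # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()
            return "lockout"
        return "failed"


def replay(events):
    """Run (time, account, password_correct) events through a fresh policy."""
    policy = LockoutPolicy()
    return [policy.record(acct, ts, ok) for ts, acct, ok in events]


# Constructed events: (seconds, account, password_correct).
SAMPLE_EVENTS = [
    (0, "manager", False), (10, "manager", False), (20, "manager", False),
    (30, "manager", False), (40, "manager", False),   # fifth failure
    (50, "manager", True),                            # correct guess while locked
    (60, "cashier1", False), (70, "cashier1", True),  # typo, then success
    (1000, "manager", True),                          # lock-out has expired
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

With these settings a guessing script gets at most five tries per fifteen minutes per account, and each "lockout" outcome is an event worth alerting on.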

However, no matter how many precautions you take, there's still likely to be one or more vulnerabilities that you are unaware of. Invest in the future of your business by hiring a reputable IT company to assess your system and identify your existing security risks. Request a free business IT consultation today.  
