PoS (Point-of-Sale) Hacking: System & Terminal Cheats

With electronic payments outnumbering cash transactions, the Point-of-Sale (PoS) system hack is becoming more common. In recent years, there have been several high-profile cases, including the notorious $10 million Subway PoS breach, where at least 150 franchises were targeted, and the breach of Barnes & Noble, where credit card readers in 63 stores were compromised. Almost all modern businesses now use electronic PoS systems, making securing your customers' data more important than ever.


Understanding Point-of-Sale Security Vulnerabilities

Point-of-Sale devices offer an unparalleled level of convenience for businesses and their customers. Whether you're a brick-and-mortar shop or online retailer, these systems provide an integrated hub for processing payments, tracking expenses, and managing customer relationships. For many businesses, they have become an indispensable part of everyday life. Unfortunately, this reliance has not gone unnoticed. Cybercriminals tend to capitalize on two main vulnerabilities in PoS systems: the physical characteristics of the devices and the IT infrastructure they are connected to. We'll take a look at both.

Remote Point-of-Sale Hacking

Many PoS systems come with inherent vulnerabilities. These devices are often pre-loaded with an operating system and minimal security features. If this OS is well known, cybercriminals may already be familiar with the inner workings and weaknesses of said system. All they need to do is find an unsecured IP address or hack into a secure Wi-Fi connection to begin exploiting the PoS. A well-known weakness of PoS devices is their Internet printing protocol, which many businesses use for remote printing. PoS systems can also be hacked via:

  • Network Attacks - These occur when your PoS devices connect to your main business network and are either the original target of a hack or a casualty via this connection. It's best practice to keep your PoS and regular operational devices on separate networks. That way, if one system is compromised, there isn't a domino effect across your organization.

  • Brute Force Attacks - This attack involves special software scripts that guess passwords by generating strings of numbers and letters. These attacks often take a couple of days and are successful if your PoS passwords are simple or on default settings.

In 2018, Oracle made news after discovering that their PoS Micros systems had a critical vulnerability. This vulnerability provided cybercriminals unauthenticated access to businesses' servers, usernames, and passwords, putting thousands of accounts at risk of financial fraud. If you use a PoS system in your business, ensure you're doing so safely.


Physical Endpoint Hacking

In a high-profile Canadian case, a criminal carding ring stole PoS machines from several businesses and gained access to the credit card data via Bluetooth. Since the PoS hacking process only took roughly an hour to complete, it was easy for the hackers to remove the devices and return them before the businesses reopened the next day. This case is believed to have been facilitated by bribing employees, who turned over the devices after hours. This scheme resulted in the theft of over $7 million from unsuspecting consumers.

If the thieves are sophisticated enough, there is no need to physically remove the PoS terminals; malware can be installed during what appears to be a normal consumer transaction. The fast food chain Wendy's was hit with a PoS-based malware attack, in which 300 stores were infected with software designed to steal credit card information. The post-mortem showed that malware was installed via third-party vendor credentials.

The retail chain Forever 21 was also hit with a breach in which malware spread across PoS devices for seven months before being discovered. Again, this memory-scraping software was siphoning cardholders' PII. Large corporations in the hospitality, retail, food service, and tourism industries are prime targets for PoS-based cybercrimes due to the availability of financial data and the high traffic volume.

At a Black Hat security conference, a researcher demonstrated how some terminals using a Linux-based operating system had a loophole that did not require firmware updates to be properly authenticated. This allowed the researcher to use an adjusted credit card to install malware onto one terminal during a normal transaction. The malware prompted the terminal to contact a rogue server and download the card-skimming software. The demonstration highlighted how to cheat the system, showing how vulnerable retailers can be. Even the most stringent physical security measures preventing devices from being tampered with may not be enough to prevent a PoS hack.

How to Protect Your Business from Point-of-Sale Hacking

Point-of-Sale systems have radically transformed the retail experience for businesses and customers alike. Don't let cybercriminals prevent your business from using this technology. There are some simple and straightforward steps you can take to protect your system:

  1. Encrypt:
    Use strong encryption to protect data at the endpoint.

  2. Default Settings:
    Always modify the default settings of new PoS systems.

  3. Complex Passwords:
    Implement and regularly update complex system passwords.

  4. Secure Wi-Fi:
    Ensure all network connections are secure and private.

  5. Lock-Out Mechanisms:
    Use lock-out systems after multiple failed login attempts.

  6. Siloed Operations:
    Restrict PoS devices from accessing unnecessary internet or applications.

  7. Regular Updates:
    Stay updated with patches and software updates from manufacturers.
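
The lock-out step (item 5) is what blunts the brute-force password guessing described earlier. A sketch of such a policy follows, as an added example that is not part of the original article; the thresholds, the `LoginGuard` name, and the sample login events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Per-account lock-out: too many failures inside a time window locks the account."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures   # assumed policy: 5 failures...
        self.window = window               # ...within 5 minutes...
        self.lockout = lockout             # ...locks the account for 15 minutes
        self.failures = defaultdict(deque) # account -> timestamps of recent failures
        self.locked_until = {}             # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        # While locked, even a correct password is refused. This is the property
        # that stops a guessing script from benefiting from a lucky hit.
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self.failures.pop(account, None)   # success clears the failure history
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

# Constructed sample events: (seconds, account, password_ok)
EVENTS = [
    (0, "cashier1", False), (400, "cashier1", False), (410, "cashier1", True),
    (1000, "admin", False), (1001, "admin", False), (1002, "admin", False),
    (1003, "admin", False), (1004, "admin", False),  # fifth rapid failure
    (1005, "admin", True),                            # correct guess, still locked
    (2000, "admin", True),                            # lock expired at t=1904
]

def replay(events, guard=None):
    """Feed events through the guard and return the decision for each one."""
    guard = guard or LoginGuard()
    return [guard.attempt(acct, ok, t) for t, acct, ok in events]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, "->", decision)
```

The cashier's two mistyped passwords, spaced more than five minutes apart, never trigger a lock, while the rapid guessing against `admin` does; a slow guesser who stays under the window threshold is not stopped by this control alone, which is why the list pairs it with complex, non-default passwords.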

Given the evolving nature of cyber threats, it's also crucial to consider partnering with a reputable IT firm for regular assessments and security updates.

However, no matter how many precautions you take, you will likely be unaware of one or more vulnerabilities. Invest in the future of your business by hiring a reputable IT company to assess your system and identify your existing security risks.