How Businesses Can Prevent Point-of-Sale Attacks

Retailers, hotels and restaurants have all been victimized through the same Achilles' heel that cyber-criminals continue to attack: the point-of-sale system, where customers' payment data is routinely processed.

These digital cash registers are often the target of malware designed to steal credit card numbers in the thousands or even millions. This year, US fast-food vendor Wendy's, clothing retailer Eddie Bauer and Kimpton Hotels have all reported data breaches stemming from such attacks.

Security experts, however, are encouraging a variety of approaches to keep businesses secure from point-of-sale-related intrusions. Here are a few to consider:

Monitoring

Point-of-sale malware can strike in a number of ways. Often, it can involve hackers spreading malicious code by breaching the remote access services designed to maintain the payment processing systems, said John Christly, CISO of Netsurion, a security provider.

These remote access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of point-of-sale machines. It also doesn't help that the malware can be tricky to detect, Christly added. Sometimes, it can sneak past antivirus programs, and then stealthily extract payment data, despite the presence of traditional firewalls.

"Then it can send out the stolen data slowly, making it look like normal traffic," Christly said. "A few months will go by, and who knows how many credit cards will have been breached."

Businesses that provide remote access to their point-of-sale system can consider installing two-factor authentication, to avoid relying only on password logins, Christly said. But to ensure better detection of all possible threats, he advocates that businesses go beyond basic antivirus and firewalls and use tools that can monitor for any unusual activity on the actual point-of-sale machines.

"You have to watch every computer to make sure nothing has changed," Christly said. "Whether that computer is active during the night and communicating data, or if the files are being changed."

These tools have been generally marketed to big brand retailers, but Netsurion said it's been offering them at a low cost to small and medium-size businesses.
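The two checks Christly describes, whether files on the terminal have changed and whether the machine is sending data at odd hours or to unexpected places, can be reduced to a file-integrity baseline plus a simple rule over outbound-connection records. The script below is an added illustration of that idea, not code from the article or from Netsurion; the directory layout, the business-hours window and the connection records are constructed sample data, and the allowlisted processor hostname is a placeholder.

```python
import hashlib
import os
import tempfile
from datetime import datetime


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> SHA-256 for every file under root (the 'known good' snapshot)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = hash_file(full)
    return out


def diff_baseline(old, new):
    """Compare two snapshots: new files, deleted files, and files whose hash changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo_integrity_check():
    """Constructed scenario: a terminal binary is altered and an extra file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"original binary")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("port=9100\n")
        before = baseline(root)
        # Simulate what a later sweep would find on a tampered terminal.
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"altered binary")
        with open(os.path.join(root, "bin", "unexpected.dll"), "wb") as f:
            f.write(b"new file")
        after = baseline(root)
        return diff_baseline(before, after)


# Constructed outbound-connection records for one terminal (not real traffic).
SAMPLE_CONNECTIONS = [
    {"ts": "2016-09-14T12:30:05", "dst": "gateway.example-processor.test", "bytes": 2048},
    {"ts": "2016-09-14T03:12:44", "dst": "203.0.113.7", "bytes": 512},
    {"ts": "2016-09-14T15:02:10", "dst": "203.0.113.7", "bytes": 480},
    {"ts": "2016-09-14T02:55:01", "dst": "gateway.example-processor.test", "bytes": 4096},
]

# Placeholder allowlist: the only host a terminal should talk to is its payment processor.
ALLOWED_DESTINATIONS = {"gateway.example-processor.test"}


def flag_unusual(records, allowed, open_hour=7, close_hour=22):
    """Return (timestamp, destination, reasons) for every record that is off-hours
    or goes somewhere not on the allowlist. Both conditions can apply at once."""
    flagged = []
    for r in records:
        hour = datetime.fromisoformat(r["ts"]).hour
        reasons = []
        if not (open_hour <= hour < close_hour):
            reasons.append("off-hours")
        if r["dst"] not in allowed:
            reasons.append("unknown-destination")
        if reasons:
            flagged.append((r["ts"], r["dst"], reasons))
    return flagged


if __name__ == "__main__":
    print("file changes:", demo_integrity_check())
    for item in flag_unusual(SAMPLE_CONNECTIONS, ALLOWED_DESTINATIONS):
        print("suspicious:", item)
```

In practice the baseline is taken from a freshly imaged terminal and stored off the machine, so a compromised host cannot rewrite its own reference hashes; the connection rule is deliberately coarse, because the slow "looks like normal traffic" exfiltration the article mentions is easier to catch by destination than by volume.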

Encryption

Although hackers continue to develop ever-craftier point-of-sale malware, the most resilient malicious coding becomes useless if all it steals is encrypted data, said George Rice, a senior director of payments at Hewlett Packard Enterprise Security.

Typically, point-of-sale malware works by reading payment data the moment the card is swiped through the retail checkout machine. It does this by scraping the RAM of the point-of-sale terminal, where the payment data can sit unencrypted.

"The malware techniques are evolving all the time," Rice said. Criminals also understand that retailers are continually updating their point-of-sale machines for pricing or inventory reasons. "So they (the hackers) are using a variety of vulnerabilities to insert the malware into the system," he added.

However, businesses are far less vulnerable to any data breach if they move to end-to-end encryption, according to Rice. That means encrypting the customer's data throughout the entire payment process, including the moment the credit card is swiped.

"This technique can help close any loopholes and vulnerabilities within the system," Rice said.

Earlier this year, HPE Security announced a partnership with Ingenico, a maker of payment checkout devices, on an end-to-end encryption product for businesses.

To better protect payment data, Hewlett Packard Enterprise Security also provides tokenization, a process of replacing the processed payment card data with digital placeholders, known as tokens. Both this and encryption can be used in combination to reduce the risk of data theft, Rice said.
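Tokenization, as Rice describes it, means the merchant's systems hold a placeholder rather than the card number, so a memory scrape or database theft on the merchant side yields nothing usable. The code below is an added illustration of that process and is not HPE's or Ingenico's product code; the vault class, its rule that a token keeps the card's last four digits for receipts but must fail the Luhn check so it can never pass as a real card number, and the use of a standard test card number are all assumptions of this example. The swipe-time encryption half of end-to-end encryption lives in the reader hardware and is not modelled here.

```python
import secrets
import string


def luhn_valid(number):
    """Luhn checksum used by payment card numbers: True if the digits check out."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a token vault. In a real deployment this lives in the
    payment provider's hardened environment, never on the point-of-sale terminal,
    and the merchant only ever sees the tokens it hands back."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def _random_token(pan):
        # Same length as the card number and same last four digits, so receipts and
        # customer service still work; the rest is random and the result is rejected
        # if it happens to be Luhn-valid, so a token can never be mistaken for a PAN.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token):
                return token

    def tokenize(self, pan):
        """Return the token for a card number, minting a fresh one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = self._random_token(pan)
        while token in self._pan_by_token:       # vanishingly rare collision guard
            token = self._random_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the provider calls this, at settlement time."""
        return self._pan_by_token[token]


def merchant_record(vault, pan, amount_cents):
    """What the merchant's own database keeps for a sale: no card number at all."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


# Standard test card number (Luhn-valid, not a real account), used as sample input.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, TEST_PAN, 1999)
    print("stored by merchant:", rec)
    print("recovered by provider:", vault.detokenize(rec["token"]))
```

The point to notice is the asymmetry: the merchant's record carries enough to refund or reconcile a sale, but everything a thief could monetise stays behind the vault boundary, which is what makes scraped terminal memory or a dumped sales table far less valuable than it is today.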

Testing

Unfortunately, when businesses select the point-of-sale system they want to buy, they rarely think of security, said Charles Henderson, the head of X-Force Red, a security testing team at IBM.

"Most companies assume when they buy a point-of-sale system, they're buying something secure," Henderson said. Buyers also tend to conflate security with a product's compliance to industry standards, but that's not always true, he added.

Henderson's team routinely tests point-of-sale systems to look for vulnerabilities. Often, his team finds them when the business assumed its system was secure because of its industry compliance.

In addition, many of these point-of-sale products are installed by third-party resellers that may not specialize in security. These factors can put businesses at risk, he said.

To prevent this problem, Henderson advises that businesses hire a security specialist to test their point-of-sale system for vulnerabilities. Most mainstream point-of-sale products can be secured with the right implementation, he added.

That testing also goes for security products. Although encryption and other malware-fighting tools can prevent data breaches in point-of-sale systems, they're practically useless if they aren't properly installed, Henderson said.

"They're not bulletproof. The devil is in the implementation," he said.

Computerworld
