Many companies think that their Point-of-Sale (POS) systems are merely the responsibility of the cashiers who sit behind a sales desk.
They forget that their POS systems face risk at multiple levels: networking issues, open ports, cyber-attacks, accessibility issues, and communication with a chain of numerous back-end processes. More often than not, these POS systems also handle the company's most sensitive data, such as the Personally Identifiable Information (PII) of its customers.
Your company, in fact every company, should treat its POS systems as an extension of its data center: a remote branch of your critical applications. You should see them as a high-threat environment and devise a targeted security strategy accordingly.
What is POS Security?
POS Security is about creating a safe environment for your customers to make purchases and complete their transactions securely. It is about putting in place preventive measures that keep unauthorized users away from electronic payment systems and reduce the risk of fraud or theft of customers' credit card information.
Your POS systems are always an attractive target for cyber-criminals. You need to fully realize that every POS application holds very important customer data: PII and credit card details, addresses, mobile numbers, email IDs, etc. Your job is to guard this data at all costs.
Attackers may exploit any known vulnerability or use all sorts of social engineering tactics to get started. They may well succeed in installing malware on your systems that is specifically designed to STEAL credit/debit card details from your POS systems and terminals. Such malware usually scrapes memory (RAM) to collect card data and then exfiltrates it at the attacker's convenience.
If a malicious threat actor succeeds in hacking your POS application, they can gain access to thousands or millions of credit/debit cards. They can use this information for fraud, or sell it on the dark web or to any third party. They may also gain access to additional applications and systems your company operates.
Attacks on companies' and retailers' POS systems are more frequent than you may like to believe.
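Because POS malware works by scraping cleartext card numbers out of RAM, the first question a defender should ask is whether the POS process ever holds a cleartext PAN at all. The following is an added example (not code from the original post): an audit routine that finds Luhn-valid card numbers in a memory buffer and reports them masked, paired with a minimal tokenization pattern that keeps the PAN out of the POS process entirely. The buffer contents, the `TokenVault` class and the token format are constructed for illustration; the card numbers are the well-known test PANs, not real accounts.

```python
"""Audit a buffer for cleartext card numbers, and show the tokenization
pattern that keeps them out of POS process memory in the first place.
Added illustration, not code from the original article.  The sample
records are constructed; the card numbers are standard test PANs."""
import re
import secrets

# Runs of 13-19 digits not adjacent to other digits (PAN lengths per ISO/IEC 7812).
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-DSS style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(buf: bytes) -> list:
    """Return (offset, masked PAN) for every Luhn-valid digit run in a buffer.
    A defender runs this over a POS process memory dump to confirm whether
    cleartext card data is ever resident in RAM."""
    text = buf.decode("latin-1")            # 1:1 byte-to-char keeps offsets exact
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        if luhn_ok(m.group()):
            hits.append((m.start(), mask_pan(m.group())))
    return hits


class TokenVault:
    """Hypothetical stand-in for a tokenization service.  A real one lives
    outside the POS (and is itself a PCI-scoped system); the POS only ever
    holds the opaque token, so a memory scraper finds nothing useful."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        # Hyphenate the hex so the token can never look like a 13+ digit run.
        h = secrets.token_hex(8)
        token = "tok_" + "-".join(h[i:i + 4] for i in range(0, 16, 4))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def build_records() -> tuple:
    """Constructed sample: the same sale recorded the unsafe way and the safe way."""
    vault = TokenVault()
    pan = "4111111111111111"               # standard test PAN, not a real card
    unsafe = ("sale_id=1001;pan=%s;exp=2812;amount=19.99" % pan).encode()
    safe = ("sale_id=1001;pan=%s;exp=2812;amount=19.99" % vault.tokenize(pan)).encode()
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = build_records()
    print("unsafe record:", find_cleartext_pans(unsafe))   # one masked hit
    print("tokenized record:", find_cleartext_pans(safe))  # []
```

The audit deliberately reports only masked values, so the tool itself never becomes a new place where full PANs are written to disk or logs.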
Understand The Full Magnitude
As a cybersecurity professional you first need to fully understand the magnitude of the task in the case of POS systems. Remember, your POS systems present a unique attack surface. They are not like your routine IT systems.
Your POS systems may be installed as 'in-store' terminals, as well as 'public kiosks' and 'self-service stations' in places like shopping malls, airports, hospitals, petrol pumps, your branches, etc.
They are so geographically scattered that you would struggle to keep track of each device individually and to monitor their connections as a group. You would be dealing with a lack of resources, logistical difficulties, and many other factors in securing all POS devices. You would struggle to react fast when a breach happens or a vulnerability is found. You might be facing a number of threats simply because so many of your POS solutions carry the vulnerabilities of older operating systems (OS).
If you think that your IT staff will be able to fix everything working remotely, then you are set up for a lot of pain, because more often than not your remote IT staff won't have the right visibility into data and communication flows. This creates blind spots that prevent a full understanding of the open risks across your network of POS systems.
The risks are so high that I cannot stop myself from advising you: do NOT underestimate them. I repeat: your POS systems are connected to many of your company's critical assets. I want you to realize fully that these devices themselves are highly exposed, because almost anyone can get physical access to them, from a waiter in a restaurant to a passer-by in a department store. Anyone can load a malicious application onto them via USB.
These devices are also vulnerable to remote attacks over the internet, because most of them are connected to the internet as well.
Many times, the mobile apps of vendors such as PayPal, Paytm, Square, iZettle, etc. have been found to have vulnerabilities because these apps used Bluetooth. Other apps installed on such devices pose yet another set of threats and vulnerabilities.
Most system admins allow remote internet access to such devices for support and maintenance, but the same access exposes them to remote attacks too. Research by Trustwave in 2017 claimed that 62% of attacks on POS environments were carried out through remote access.
There is also a notorious piece of malware named POSeidon. This malware includes a memory scraper and a keylogger, so that credit card details and other credentials can be gathered on the infected machine and sent to the attackers. POSeidon gains access through third-party remote support tools such as LogMeIn. From this easy access point, attackers then have room to move across a business network by escalating user privileges or moving laterally.
There have been a number of variants of such POS malware in the past.
The whole point here is that your POS systems are hard to secure, yet they pose very high risks!
How can you defend against attacks on POS systems?
Your company must make POS security a high priority.
You must introduce all sorts of preventive measures so that you can protect your POS systems and safeguard your customers' transactions. Such measures include whitelisting applications, limiting POS application risks, ensuring POS software is always up to date, monitoring activity on POS systems, using complex and secure passwords, deploying two-factor authentication (2FA), using antivirus software, and considering physical security measures.
Some specific Best Practices are given below:
You can defend against such attack vectors if you deploy the right technology, purpose-built to prevent POS malware. This may include application whitelisting and 'Code Signing' to prevent any tampering with software code. It may also include using 'Chip Readers', since with chip readers your customers don't have to swipe their credit/debit cards at all, which makes replicating card data difficult for attackers.
You should train your employees on what security incidents may occur and on the company's POS security policies they need to adhere to.
You should use iPads for POS. Fortinet explains that many high-profile POS attacks have occurred as a result of malware being loaded into a POS system's memory. This enables the hacker to upload additional malware applications and steal data without being spotted by users or retailers. But, crucially, this attack method requires a second application to be running.
As a result, Apple's iOS can help prevent POS attacks because this operating system (OS) can only fully run one application at a time, whereas Windows-based POS devices still rely on multiple applications running at the same time. Organizations can, therefore, use iPad POS solutions to run their POS systems and reduce the chances of POS attacks.
Physical security involves ensuring your employees lock down their devices at the end of every working day, diligently keeping track of every corporate device throughout the day, and securing devices in locations that only a few trusted individuals have access to.
Always remember that your POS devices are vulnerable to remotely executed cyber-attacks. That's why these devices should never connect to the internet directly. You should restrict the handling of business-critical tasks, such as transactions and payment processing, to secure corporate networks. Whatever resources they need to connect to, they should access them ONLY VIA your company's secure networks.
Your company should strive hard to become PCI-DSS compliant, which means implementing a whole range of security measures. Compliance covers all transactions carried out on card readers, online shopping carts, networks, routers, servers, and paper files.
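To make the whitelisting and code-signing advice concrete, here is an added example (not the article's or any vendor's code) of an application allowlist backed by an integrity-protected manifest: every file under the POS install directory is hashed and classified as ok, modified, unexpected or missing, and the manifest itself is refused if its authentication tag does not verify. The manifest tag is an HMAC with a shared key, a simplified stand-in for the asymmetric code signing the article recommends; the file names, contents and key are constructed in a temporary directory so the example runs offline.

```python
"""Application allowlisting with an integrity-protected manifest.
Added example, not the article's or any vendor's code.  The manifest
'signature' is an HMAC with a shared key, standing in for real code
signing; the files and key below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """entries: {relative_path: sha256}.  Serialise canonically, then MAC."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return {"entries": entries,
            "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """An allowlist that anyone can edit is no allowlist: refuse a manifest
    whose MAC does not verify, otherwise an attacker could allowlist their own file."""
    body = json.dumps(manifest["entries"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def audit_directory(root: str, manifest: dict, key: bytes) -> dict:
    """Classify every file under root as ok / modified / unexpected / missing."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest integrity check failed; refusing to audit")
    allowed = manifest["entries"]
    result = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in allowed:
                result["unexpected"].append(rel)
            elif allowed[rel] != sha256_file(full):
                result["modified"].append(rel)
            else:
                result["ok"].append(rel)
    result["missing"] = list(set(allowed) - seen)
    for k in result:
        result[k].sort()
    return result


def demo() -> dict:
    """Build a constructed POS install, allowlist it, then simulate two common
    findings (a replaced binary and a dropped, unlisted executable) and a
    forged manifest that tries to allowlist the dropped file."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/pos.exe": b"POS application build 1",
                 "bin/printer.dll": b"receipt printer driver"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = sign_manifest(
            {rel: sha256_file(os.path.join(root, rel)) for rel in files}, key)
        # Drift: the POS binary changes and an unlisted executable appears.
        with open(os.path.join(root, "bin/pos.exe"), "wb") as f:
            f.write(b"POS application build 1 + unexpected patch")
        with open(os.path.join(root, "bin/dropper.exe"), "wb") as f:
            f.write(b"unknown binary")
        audit = audit_directory(root, manifest, key)
        # Forgery attempt: add the new file to the entries but keep the old MAC.
        forged_entries = dict(manifest["entries"])
        forged_entries["bin/dropper.exe"] = sha256_file(os.path.join(root, "bin/dropper.exe"))
        forged = {"entries": forged_entries, "mac": manifest["mac"]}
        try:
            audit_directory(root, forged, key)
            rejected = False
        except ValueError:
            rejected = True
    return {"audit": audit, "tampered_manifest_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

In production the manifest would be signed with a private key held off the terminal and verified with the corresponding public key, and the audit would run on every boot and on a schedule, feeding its findings into the same monitoring the article calls for.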
-------------------------
Your focus must be on how to gain 'Visibility'.
Instead of waiting for a breach to happen, you should strive very hard to obtain full, contextual visibility of your POS ecosystem and of how the different applications in it communicate with each other. If you succeed in doing that, your security teams will be able to accurately identify all sorts of suspicious activity and where it is taking place.
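One concrete form of that visibility, and of the rule above that POS devices should reach resources only via the corporate network, is to watch the POS segment's egress flows against an explicit allowlist of destinations. The following is an added example, not the article's own tooling: it parses flow records, flags any POS host talking to a destination/port outside the approved corporate set, and separately flags unusually large outbound transfers of the kind a memory scraper's exfiltration would produce. The POS subnet, the allowed destinations, the byte threshold and the flow log lines are all constructed for the example.

```python
"""Egress visibility for a POS segment: flag POS hosts that talk to anything
other than approved corporate destinations, and flag unusually large
outbound transfers.  Added example, not the article's own tooling; the
policy values and flow records below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed policy: POS terminals live in 10.50.0.0/16 and may reach only the
# corporate payment gateway and the patch/management server (the article's
# "ONLY VIA secure networks" rule expressed as an allowlist).
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_DESTINATIONS = {
    (ipaddress.ip_address("10.10.5.20"), 443),   # payment gateway (corporate)
    (ipaddress.ip_address("10.10.5.30"), 8443),  # patch / management server
}
EXFIL_BYTES_THRESHOLD = 5_000_000  # outbound bytes per (src, dst) pair per window

# Constructed flow log, one flow per line: src dst dport bytes_out.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, i.e. "internet".
SAMPLE_FLOWS = """\
10.50.3.11 10.10.5.20 443 18234
10.50.3.11 10.10.5.30 8443 4096
10.50.3.12 10.10.5.20 443 20110
10.50.3.12 203.0.113.77 443 6200000
10.50.3.13 10.10.5.20 443 17990
10.50.3.13 198.51.100.9 8000 2048
10.50.3.13 198.51.100.9 8000 1024
10.20.1.5 198.51.100.9 443 100000
"""


def parse_flows(text: str) -> list:
    """Return [(src, dst, dport, bytes_out)] from the whitespace-separated log."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), int(nbytes)))
    return flows


def analyse(flows: list) -> dict:
    """Return policy violations and exfiltration candidates for POS hosts only."""
    violations = set()                     # (src, dst, port) outside the allowlist
    volume = defaultdict(int)              # (src, dst) -> total bytes_out
    for src, dst, port, nbytes in flows:
        if src not in POS_SEGMENT:
            continue                       # other segments are out of scope here
        if (dst, port) not in ALLOWED_DESTINATIONS:
            violations.add((str(src), str(dst), port))
        volume[(src, dst)] += nbytes
    exfil = [(str(s), str(d), b) for (s, d), b in volume.items()
             if b >= EXFIL_BYTES_THRESHOLD]
    return {"violations": sorted(violations), "exfil_candidates": sorted(exfil)}


if __name__ == "__main__":
    findings = analyse(parse_flows(SAMPLE_FLOWS))
    for v in findings["violations"]:
        print("POLICY VIOLATION: %s -> %s:%d" % v)
    for e in findings["exfil_candidates"]:
        print("LARGE OUTBOUND:  %s -> %s (%d bytes)" % e)
```

Both findings point at the same terminal pair in the sample, which is exactly the "what and where" the article wants a security team to see; with real NetFlow or firewall logs the only changes are the parser and the allowlist.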
Kindly write your comments on these posts or topics, because when you do that you help me greatly in designing new, quality articles/posts on cybersecurity.
You can also share with all of us whether the information shared here has helped you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your loved ones…
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies, and networking.
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.