In brief - Data can be stolen from POS systems in a variety of ways
Retailers should consider installing antivirus software and firewalls on their POS systems, restricting functionality of POS terminals, restricting remote access and training staff about credit card fraud and POS security.
Internet and POS systems increase threat of credit card fraud
Retailers will doubtless agree with recent RBA research which indicates that Australians increasingly make payments using debit, credit and charge cards. While credit card fraud has always been a problem, the advent of the internet and point-of-sale terminals which are connected to it has intensified this threat. Data published by the Australian Payments Clearing Association (APCA) indicates that the incidence of fraudulent transactions in Australia has increased over the last seven years, as has the aggregate value of that fraud. Furthermore, "card-not-present" fraud is an ever-increasing share of credit card fraud.
POS terminals are a goldmine of credit card data
Smaller retailers may be unaware that they are an extremely attractive target for sophisticated gangs of cybercriminals. These gangs see your POS terminal as a goldmine of credit card data which is there for the taking.
There are obvious efficiencies at play here: it is more practical to steal ten thousand credit card numbers from one retailer than to steal one credit card number from ten thousand customers. Recent research estimates that Australian retailers have a 21% chance of experiencing a data breach within the next two years, although not all of those breaches relate to POS terminals.
US retailers' POS terminals hacked
The POS terminals of many high-profile US retailers have been compromised within the last 12 months. Best known of these is the Target data breach, in which the details of roughly 40 million credit cards were stolen. Target itself was unaware of the breach until it was informed by external parties. Customers' card data was also stolen from US retailers Neiman Marcus and Sally Beauty.
Verizon's recent 2014 Data Breach Investigations Report reviewed roughly 200 compromises of POS terminals. Roughly 87% of attacks compromise the terminal and begin extracting data in a matter of minutes. The majority of POS intrusions (85%) are not discovered for weeks and almost all breaches (99%) are discovered by external parties.
What happens to stolen credit card data?
Stolen card data is sold online in dedicated "cardshops"; purchasers then encode the stolen card data onto blank magnetic strip cards. In the United States, fraudulently encoded cards seem to be used for "card present" fraud. The introduction of "chip" credit cards in many countries, including Australia, seems to be one factor behind the increase in the proportion of card-not-present fraud.
How is the data stolen from POS systems?
We would bet that most POS terminals in Australia are indirectly connected to the internet. The attacker's challenge is to exploit the existing infrastructure. Sometimes attackers infiltrate POS terminals via the corporate network. Attackers may exploit a vulnerability in an internet-facing system or dupe an insider into granting them access. They then use a variety of techniques to traverse the corporate network until they access locations from which they can attack the POS systems.
Another less obvious approach is to use a third party's credentials. Many retailers retain third party service providers to handle some aspect of their payment or IT infrastructure. Often these third parties have some form of remote access to their client's network. Attackers can exploit this access if the provider's remote access is improperly configured, or if the provider uses insecure credentials to log in. Of course, other attacks are possible too.
A third method is to guess the passwords protecting the POS terminal or the corporate network. This could be a "brute force" attack, in which a computer program systematically attempts to guess possible passwords ("password", "letmein" and "123456" are notoriously insecure yet frequently used passwords), or one where the manufacturer's default password on network or POS infrastructure has not been changed.
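The password-guessing attack described above leaves a recognisable trace: a burst of failed logins from one source, often against several account names, sometimes followed by a success. The following detection logic is an added example, not code from the original commentary; the log format and sample lines are constructed for illustration, and real remote-access logs would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a remote-access authentication log
# (not real data; the line format is an assumption made for this example).
SAMPLE_LOG = """\
2014-06-01T02:10:01 auth FAILED user=admin src=203.0.113.7
2014-06-01T02:10:03 auth FAILED user=admin src=203.0.113.7
2014-06-01T02:10:05 auth FAILED user=pos src=203.0.113.7
2014-06-01T02:10:07 auth FAILED user=admin src=203.0.113.7
2014-06-01T02:10:09 auth FAILED user=root src=203.0.113.7
2014-06-01T02:10:12 auth OK user=admin src=203.0.113.7
2014-06-01T09:30:00 auth FAILED user=jsmith src=198.51.100.4
2014-06-01T09:30:45 auth OK user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) auth (FAILED|OK) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag any source that reaches `threshold` failed logins within a sliding
    `window`, record the account names it tried, and note whether a
    successful login from that source followed (a likely guessed password)."""
    recent = defaultdict(list)   # source -> timestamps of recent failures
    tried = defaultdict(set)     # source -> account names attempted
    alerts = {}
    for ts, result, user, src in sorted(events):
        if result == "FAILED":
            tried[src].add(user)
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # expire old failures
                q.pop(0)
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"failures": len(q), "users": set(tried[src]),
                               "success_after": False}
        elif src in alerts:
            alerts[src]["success_after"] = True
    return alerts
```

Against the sample log the single alert is for 203.0.113.7, which tried three account names in eight seconds and then logged in successfully; the second source fails once and is not flagged.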
Malware which targets the POS system's memory
Once the attacker has access to the POS system, it is common for some form of malicious software (malware) such as "memory scrapers" to be uploaded. "Memory" refers to the POS system's Random Access Memory (RAM), where computers store data they are currently using.
Attackers target the memory because the card data there is initially unencrypted. Once a memory scraper finds card data, it is saved and eventually relayed to the attacker.
Replacing the POS terminal with a duplicate
Data may also be stolen by physically interfering with a card-processing terminal. This could mean modification of your terminal, or its replacement with a duplicate which behaves normally, but also records card data which is retrieved by criminals. More information can be found on the website of the Australian Payments Clearing Association (APCA).
What can you do to protect your POS systems?
- Consider whether the PCI Security Standards are appropriate for your needs, and in particular whether point-to-point encryption is an appropriate security solution.
- Give your staff training about credit card fraud and POS security.
- Restrict remote access to your POS systems.
- Limit the integration of your corporate network and your POS systems; this may involve having internal firewalls in the network.
- Require a card security code (CSC) for any online card transactions. This is the unique three- or four-digit number which is printed on the back of the payment card and which is not stored on the magnetic strip.
- Consider requiring two-factor authentication for administrative changes to critical systems.
- Restrict the functionality of POS terminals, so that they are not used for web browsing, emails or games by employees (each of which could be an attack vector).
- Install antivirus software and firewalls on your POS systems.
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2019.