Why Your EPoS Is Your Worst Enemy

Electronic point of sale systems (EPoS, PoS) are extensively used by both retail and hospitality sectors and has made cash management and customer relationship so much more efficient and secure.

However on the downside, these PoS systems are incredibly easy to illegally access using simple techniques and the right knowledge.

Once a bad guy has access to these PoS systems, the PoS systems themselves can be used as an attack vector to subvert and mine your corporate network for valuable customer, intellectual property and other confidential data.

The impact of this compromise goes well beyond the cost and time taken to disinfect and shore up ones technical and physical defences.

While the situation is being resolved, there is often substantial downtime and reduced customer service especially if essential servers have to be taken offline.

From a long term perspective, brand name damage can cause share price drops and customer insecurity especially if the situation is reported in the general news.

In this article we examine the three most common techniques used by hackers to access your POS systems and how the retailer can combat them. The two diagrams from the Verizon security  breach reports on retail and trade show the variety of methods used to obtain confidential data.

As you can see the hacking and physical threats are the most common techniques used to access data, followed by Malware attacks.

Malware

Malware is a broad term used to describe any software that has been deliberately designed and programmed to be hostile toward your computer. Malware will use a variety of methods to conceal and propagate itself to other systems including:

Virus replication – a computer program designed to replicate itself and spread from computer to computer

Trojan horse – like the greek myth, malware will disguise itself as a useful program and when activated compromise the user's device

Rootkit – this is special software that enables stealthy control over a computer system

Spyware – software designed to monitor a user's PC gathering information from internet browsing history to user logins and financial information

Keyloggers – a program that records a user's keystrokes

As of 2014, the majority of malware targeted at PoS systems are programmed to steal credit card data which then enables the credit cards to be cloned and used elsewhere. The recent "Dexter" malware targeted PoS systems, located and stole the system's Track 1 data (which contains the name, the PIN and card's expiration date) and Track 2 data (which contains the account number). Similarly "BlackPoS" steals the credit card data and uploads it to a server online.

Hacking

The core issue with hacking is that retailers simply aren't training their in-store staff to deal with basic security issues. The majority of hacks are opportunistic and don't require much skill and can run undetected for months due to poor user practices.

A huge percentage of the hacks occur on either unprotected networks or networks still using the factory default passwords, settings and user accounts.

Physical attacks

Lastly physical tampering is another way outlaws steal data from retailers and consumers. Card swipers are replaced with "skimmers", devices that record a card's magnetic strip data which can then be used to clone the credit card.

Thieves also tamper with the card reading device by distracting the cashier as they make the swap, or attack a PIN key pad overlay that records the PIN code input.

Conclusion

Data breaches will never disappear entirely; as stronger security measures evolve so will the hacker's tools, however most hacking attacks on PoS systems are due to ignorance on the side of the retailer's staff.

Training a shop's manager in basic IT security would mitigate most malware and hacking threats, similarly physical attacks can be detected with a little training and security know how. 

Coming soon are my guides on strategies to defeat the three most common EPoS enemies followed by three introductory guides on how to defeat malware attacks, physical attacks and hacker attacks.