Most customers in the queue at a Wendy's in Nebraska intended only to grab a burger or a coffee. Luckily for the customers, they did get their food and drinks. Unluckily, by the time they left the restaurant, cybercriminals had also accessed the Wendy's POS (point-of-sale) system and stolen thousands of card records.
How could something like this happen? Oddly enough, the fast-food chain did have a security solution installed on its POS, but it had not been updated on time, which ended up putting customer data and the entire business's reputation on the line.
Attacks on POS systems have grown over the past few years, affecting both small retail shops and large hotel and restaurant chains; worms such as Code Red and SQL Slammer showed years ago how quickly unpatched, network-connected Windows hosts can be taken over, and many POS terminals are exactly that. According to the Verizon Data Breach Investigations Report 2016, 525 POS breaches disclosed data in 2015 alone, not to mention the Target breach, disclosed in December 2013, which exposed some 40 million payment cards.
So, why do POS breaches remain an extremely lucrative endeavour for cybercriminals?
The primary motivator for cybercriminals is profit. The physical point of sale handles the all-important data encoded on a card's magnetic stripe, and a stolen copy of that data can be written onto a cloned card and used for fraudulent purchases.
Payment card data can also be sold on dark web markets and so-called dump shops, such as McDumpals, where buyers can even filter cards by geography to make their fraud more convenient.
The UAE retail market, growing by 5 per cent on average each year, is expected to reach Dh200 billion by 2017, according to the Dubai Chamber of Commerce and Industry. The tremendous boom in the sector makes the UAE an ideal target for cybercriminals planning POS breaches.
With a considerable number of POS terminals still relying on the magnetic stripe, a technology that dates from the 1960s, they remain a very soft target. The combination of POS systems with internet access and default passwords makes it easy for attackers to compromise them.
If they are not protected with specialist software, POS systems have four basic weaknesses in their architecture:
· Card data sits unencrypted in memory while it is processed, where memory-scraping malware can read it.
· Data is sent across the network without encryption, so it can be sniffed in transit.
· Operating systems are left unpatched.
· Configuration is left at factory defaults, including default passwords.
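The first two weaknesses above are what POS memory scrapers exploit: track data passes through the terminal's RAM (and, where the link is not encrypted, across the store network) in the same plain layout in which it is encoded on the stripe, so malware only has to pattern-match for it. The Python script below, added here as an example and not code from the original article or from Kaspersky Lab, shows the same matching from the defender's side: it scans a byte buffer (a process memory dump or a captured network payload) for Track 1 and Track 2 formatted data, validates each candidate PAN with the Luhn check so that random digit runs are not reported, and returns masked results. The sample buffer, the PANs (standard test numbers) and the function names are constructed for the example.

```python
import re
from typing import Dict, List

# Track 2 layout as encoded on the stripe (and as found in process memory):
#   ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")

# Track 1 format B layout:
#   %B<PAN>^<NAME>^YYMM<3-digit service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check used by all major card brands; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return one masked record per Luhn-valid Track 1 or Track 2 string found in buf."""
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({
                "track": "1",
                "offset": m.start(),
                "pan": mask_pan(pan),
                "name": m.group(2).decode("ascii").strip(),
                "expiry": "20%s-%s" % (m.group(3).decode("ascii"), m.group(4).decode("ascii")),
            })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({
                "track": "2",
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": "20%s-%s" % (m.group(2).decode("ascii"), m.group(3).decode("ascii")),
            })
    return hits


# Constructed stand-in for a page of POS process memory: binary padding, application
# strings, one Track 1 and one Track 2 record (standard test PANs), and two
# look-alikes that must NOT be reported.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POSAPP.EXE settings=1 "
    + b"%B4111111111111111^DOE/JOHN ^2512101000000000?"  # Track 1, test PAN
    + b"\x90" * 8
    + b";5555555555554444=25121011234567890?"            # Track 2, test PAN
    + b" order=4111111111111112=2512101 "                 # Track 2 shape, fails Luhn
    + b"ticket 00000000000000001 "                        # digit run, no separators
    + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

Point the same function at a memory dump of the POS application or at the payload of a capture taken on the store network. A real scraper uses these two patterns, so a hit on a production terminal means card data is readable by any code running on that machine (or on that network segment), which is exactly the condition that point-to-point encryption at the card reader is designed to remove.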
However, a few simple precautions will help you safeguard your business from a POS attack.
1. Employee training
According to the Verizon Data Breach Investigations Report 2015, social engineering is an increasingly popular tactic among cybercriminals attempting to breach POS systems. A simple phone call that tricks an employee into handing over password details can give a criminal remote access to a POS.
Make sure your employees think twice about their behaviour around your POS systems, and ensure they understand that casually clicking on social media links and email attachments in the workplace, especially on any POS-equipped machine, is unacceptable.
2. Password maintenance
Once a POS system is installed, change the default system password immediately. Also ensure that each employee has their own login to the machine, that individual passwords are not shared, and that these passwords are changed regularly. If an employee leaves the business, disable their account the same day.
3. Lock-down connections
Ensure any Wi-Fi network in your business is password-protected, that every internet connection sits behind a firewall, and that POS terminals are kept on their own network segment, separate from any guest Wi-Fi.
4. Limit physical access
Since cybercriminals need only a short window of time to tamper with a POS system, make sure the POS machine is staffed at all times. Install a physical barrier around the POS machine to limit a customer's ability to interact with the card reader or any USB ports on the POS machine.
5. Ensure the core operating system of each machine is updated
When educating employees, make sure they know that prompts to download Windows system updates and application updates shouldn’t be ignored.
6. Install specialised POS security software
Attacks on retailers are driven largely by sophisticated malware, so POS-dedicated protection is vital. It is also important that any security software is kept up to date, so ensure that all patches and database updates are downloaded promptly.
7. Manage web access
It is a good idea to completely block employees from browsing the internet on the POS machine. Where internet access is genuinely needed, restrict it to a short allow-list of the sites and services the POS actually requires.
8. Encrypt and backup
In many countries, any business that stores customer data is required by law to encrypt it, and the PCI DSS requires stored cardholder data to be rendered unreadable in any case. Better still, store as little as possible: full magnetic stripe data must never be retained after authorisation. In addition, make sure that all business-critical records are backed up to an external hard drive or a cloud repository.
The backups are what protect you from accidental deletion; encrypt them as well, so that a lost drive or a compromised cloud account does not become a second breach.
With more countries, including the US, moving to EMV chip cards, cloning a card from stolen stripe data is becoming much harder. That gives criminals every reason to concentrate on the ill-prepared POS systems that still rely on the stripe.
To stay off the list of victims, retail and restaurant organisations should ensure they have done everything possible to keep their customers' card data safe and sound.
The writer is Solutions Business Lead for Financial/ATM Security, Kaspersky Lab.