Point-of-Sale (POS) systems are evolving at a remarkable pace. A feature-rich, compact POS system gives business owners and operators control over the whole business. At its most basic level, a POS system is a cash register that lets retailers ring up sales and keep a record of those transactions in their stores.
Retailers are now being targeted by a new wave of malware aimed directly at POS systems. The rising intensity of POS threats has created a dangerous environment for retailers trying to protect their customers' personal and financial data. POS systems are increasingly a soft target for attackers, which is why the security of these systems and of the information they handle deserves more attention than it usually gets.
Reliable POS protection requires a layered security approach across the network, so that no single control failure gives an attacker a path to card data.
POS terminal operating modes:
- Dumb terminal method: the terminal is used only as a PIN pad. Card data is transmitted to the cash register (the POS application), which in turn requests authorization. The card data therefore passes through the general-purpose POS host, where it can be sniffed or scraped.
- Smart terminal/direct method: the terminal itself requests authorization, over the internet or a phone line. The card number is never sent to the cash register, which keeps it out of the POS host's memory and network traffic.
- Wireless network scenario: either the dumb terminal or the smart terminal method, but with a wireless network used for communication between the components. The wireless link becomes an additional point at which traffic can be intercepted.
Common POS Terminal Threats
- Tampering with terminals and their firmware, including skimmers and other inserted hardware.
- Network traffic sniffing.
- Exposure of encryption keys.
- RAM-scraping attacks.
Attacks against POS systems
The anatomy of an attack varies with the maturity and defenses of the organization. Attacks against POS systems in mature environments are generally multi-phased and may cover every stage of the cyber kill chain. Most existing POS systems are built on a general-purpose operating system, which exposes them to a wide range of attack scenarios and, just as important, lets criminals develop tools and malware once and reuse them against a huge number of victims.
The complexity of POS environments has pushed criminals to develop sophisticated attack methodologies. The methodologies used to breach these environments are multi-stage attacks that usually include the following phases:
Infiltration
An attacker can use various methods to gain access to a corporate network. Usually they look for weaknesses in external-facing systems, such as an SQL injection flaw in a web server or a peripheral device that still uses its default credentials. Alternatively, they can send a spear-phishing email to an individual inside the organization; the email may carry a malicious attachment or a link to a website that installs a backdoor on the victim's computer.
Network traversal
Once inside the network, attackers gather and analyze information about the POS environment, often by installing hidden malicious tools. They typically map the network to locate systems within the cardholder data environment (CDE). The goal is to obtain administrative-level credentials, which enable further attacks and unauthorized access to additional POS systems. Credentials may be acquired by password-hash extraction, keylogging Trojans, offline cracking, or by replaying captured login sequences.
Data-stealing tools
Malware built specifically to steal data from POS systems is widely available in underground marketplaces. Network-sniffing capability is commonly built into this malware, letting it capture traffic between internal networks and databases, so that the attacker can quietly collect unencrypted card data as payments are processed through the POS system. Alternatively, RAM-scraping malware harvests card numbers as they are read into the POS process's memory, where they are in the clear even if they are encrypted on disk and on the wire. Either way, the malware keeps collecting card data until the attacker decides to exfiltrate it.
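The following is an added example, not code from the original article, showing the core primitive shared by RAM-scraping malware and by the memory-scanning detections written against it: locate Track 1 and Track 2 records in a process's memory and keep only candidates whose PAN passes the Luhn check, which filters out random digit runs. The memory buffer, cardholder name and PANs are constructed test data (published industry test card numbers), not a real capture, and the function names are this example's own.

```python
import re

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})(\d*)\?")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed "memory dump" standing in for a POS process's heap. The card
# numbers are published industry test PANs, not real accounts.
MEMORY_DUMP = (
    b"\x00\x00pos.exe\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"   # Track 1, Luhn-valid
    b"\x00\x00\x00\x00"
    b";5555555555554444=2512101123456789?"              # Track 2, Luhn-valid
    b"\x00;4111111111111112=2512101?\x00"               # Track 2 shape, fails Luhn
    b"auth=APPROVED amount=19.99\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[dict]:
    """Return Luhn-valid Track 1 and Track 2 records found in buf, in offset order."""
    records = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            records.append({
                "track": 1, "offset": m.start(), "pan": pan,
                "name": m.group(2).decode(errors="replace"),
                "expiry": m.group(3).decode(), "service_code": m.group(4).decode(),
            })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            records.append({
                "track": 2, "offset": m.start(), "pan": pan,
                "expiry": m.group(2).decode(), "service_code": m.group(3).decode(),
            })
    return sorted(records, key=lambda r: r["offset"])


if __name__ == "__main__":
    for r in scan_memory(MEMORY_DUMP):
        # A detection tool must not itself retain full PANs: report them masked.
        print(f"offset {r['offset']:5d} track {r['track']} PAN {mask_pan(r['pan'])} "
              f"exp {r['expiry']} service {r['service_code']}")
```

Run as a script, it finds the two valid records and drops the third candidate, which has the right shape but fails the Luhn check. The output masks PANs to first six and last four digits because a scanner that logged full card numbers would itself create exactly the stored cardholder data that the payment-card standards forbid. The same regex-plus-Luhn filter, pointed at log files or disk images instead of memory, is how an assessor checks that a payment application is not retaining track data.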
Persistence and stealth
An attack against a POS system usually takes time, so attackers need their code to remain persistent on the compromised terminal. Unlike a database breach, where millions of records are accessible at once, a POS breach requires the attacker to wait for transactions to occur and to quietly harvest the data as customers' cards are swiped through the terminal's magnetic-stripe reader. Persistence is achieved with simple techniques, for example registering the malware as a service or autorun entry, which keeps the process running in the background and restarts it whenever the terminal reboots. Stealth techniques range from simple obfuscation of filenames and process names to targeted bypasses of specific security software.
Exfiltration
Once the POS malware has captured account details, the attackers may hijack an internal system to act as a staging server. Data gathered by the RAM-scraping malware is sent to this staging server, where it is aggregated and stored. At a convenient moment the attacker moves the collected data from the staging server to systems within the corporate network that have legitimate external access, such as compromised FTP servers or web hosts, and uses those systems to transfer the stolen card data out to the criminals.
POS attack methods
Exploiting vulnerable POS software
POS systems configured with vulnerable versions of POS software open the door to attack. Systems supplied by vendors ship with vendor-specific software that may contain built-in vulnerabilities, which attackers can exploit to compromise the POS system and steal card data.
Abusing remote access functionality
Investigations of numerous breaches show that attackers often gain access to data through a remote administration facility protected only by default credentials, which were set when the POS software was installed and never changed. With a remote access tool (RAT) and default credentials, an attacker can breach POS systems with very little effort. Changing every default credential at installation and restricting remote access to known sources is the obvious, and frequently skipped, countermeasure.
Phishing
Phishing is the most common and effective infection method, and is used to distribute a large share of POS malware. Phishing emails are typically sent to chosen targets, with the malware delivered either as an embedded malicious link or as a malicious attachment.
Vulnerabilities in host OS of POS systems
Criminals infect the operating system that powers POS terminals with malware capable of stealing card data. Because so many terminals run the same general-purpose OS, the criminals only need to compromise a limited set of devices to harvest card data and sell it in the underground marketplace.
Malicious insiders
A malicious insider with authorized access to POS systems can do considerable damage and can seed the environment with POS malware at scale. In some cases, malicious employees have plugged malware-infected flash drives into servers holding sensitive data in order to compromise the payment systems.
Typically, then, attackers use these methods to compromise POS systems, infect them with POS malware that captures specific card data, and exfiltrate that data to another system, usually a command-and-control (C&C) server under their control.
POS malware testing
The integrated POS environment is evaluated thoroughly for the presence of the most common POS malware infections, such as:
PA-DSS compliance assessment
PA-DSS (Payment Application Data Security Standard) is a set of security requirements intended to help software vendors develop secure payment applications. A PA-DSS compliance assessment checks that the application protects debit and credit cardholders' sensitive authentication data, such as full magnetic-stripe data, PINs and CVV codes, as it is stored, processed or transmitted during transaction processing. Note that the PCI Security Standards Council retired PA-DSS in October 2022 in favor of the PCI Software Security Framework; the requirements below still describe the controls a payment application is expected to implement.
PA-DSS comprises 14 major requirements:
- Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote software updates
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers, and integrators