Introduction:
Point of Sale (POS) systems are used to process transactions when a consumer makes a payment in exchange for goods or services from a retailer. POS systems consist of hardware and software. The hardware is used to make the actual payment by swiping a credit or debit card; the software is linked to the hardware and determines what is done with the data it receives.
The hardware mainly consists of a Magnetic Stripe Reader (MSR) and a Personal Identification Number (PIN) pad. Credit / debit cards are presented to the POS system through either the MSR or the PIN pad. POS systems come in different types depending on the needs of retailers; the three main types are desktop, mobile and cloud.
Security Concerns:
POS systems have been a target of cyber criminals for a long time, and there are numerous ways in which an attack can take place. Attackers may deliver malware to steal card information or attach a physical device to collect card data. Three different areas must be protected: data in transit, data in memory and data at rest.
Data in transit is the data passed over the network connections between the different systems that process it. This data must be encrypted so that attackers are not able to misuse the card information.
Data in memory is the data entered into the POS system via an input device. If an attacker has access to the POS system itself, this data is nearly impossible to protect.
Data at rest is the card information stored in the system at any given point in time. The best way to protect this data is not to store it at all.
The different attacking methods are explained below in brief:
1. Memory Scraping – Memory scraping is a popular and comparatively recent technique in which the attacker tracks and targets specific sensitive data while it sits in the system's memory.
2. Skimming – In skimming, the attackers replace the POS device with a compromised device which is then used to capture consumers’ data.
3. Forced Offline Authorization – Using this method, the attacker forces the cashier to authorize payment card information locally by creating a denial of service (DoS) that takes the local retail network offline. The card details are then stored offline until the network is brought back online, giving the attacker an opportunity to steal the information.
4. Sniffing – This is a significantly older method in which the attacker sniffs and analyzes the network traffic for any sensitive card information.
5. Input Hooking – In this technique, the information entered by the user is captured at the system or OS level.
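The "data at rest" rule above and the memory-scraping entry both come down to one question a defender can check: is raw card data present where it should not be? As an added example that is not from the original article, the Python below scans a log file or directory for stored track-2 records and PAN-like numbers, using a Luhn check to discard order numbers and timestamps that merely have the right digit count, and masks whatever it reports. All function names and the sample log lines are constructed for this illustration.

```python
import os
import re

# Luhn check: a cheap way to tell a plausible card number from an order id or
# timestamp that merely has the right number of digits.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digit PAN, optionally grouped with spaces or dashes, not embedded in a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 layout as read from a magnetic stripe: PAN '=' YYMM expiry, service code, ...
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})")

def mask_pan(pan: str) -> str:
    """Report only the first 6 and last 4 digits so the scan output is not itself card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str) -> list[tuple[str, str]]:
    findings, covered = [], []
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already reported as part of a track-2 record
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan):
            findings.append(("pan", mask_pan(pan)))
    return findings

def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk a directory (e.g. a POS log folder) and report files holding card data."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: three log lines as a careless POS application might write them.
SAMPLE_LOG = (
    "2024-03-01 10:02:11 txn=000123456789012 amount=19.99 status=OK\n"
    "2024-03-01 10:02:12 DEBUG swipe ;4111111111111111=25121010000000000000?\n"
    "2024-03-01 10:02:13 DEBUG pan 5555 5555 5555 4444 exp 12/25\n"
)

if __name__ == "__main__":
    for kind, masked in scan_text(SAMPLE_LOG):
        print(f"{kind}: {masked}")
```

The first line is not reported because its 15-digit transaction id fails the Luhn check; the other two lines are exactly the kind of stored data the text says should not exist.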
POS Violation Stages:
POS breaches generally follow a consistent pattern. The stages are as follows:
1. Infiltration – In this stage, the attacker analyzes the target system and tries to find a way in. Once access is found, the attacker establishes a stronger hold on the system.
2. Propagation – Next, the attacker spreads the malware across the target devices.
3. Aggregation – Once the malware is active on the system, it sends the desired information to another single point within the environment for aggregation.
4. Exfiltration – The information may also be sent to a point outside the environment and then misused.
Solution:
1. Strong passwords
Many users keep the default passwords set for simplicity at the time of installation. These default passwords are never changed and hence provide a very easy entry point for attackers. It is strongly recommended that users change the default password to something complex that attackers cannot easily obtain.
2. Update Software
POS applications must be updated on a regular basis to protect them from malware attacks. In busy day-to-day operations, users often neglect updating applications. Patch management must include updating the POS software and must be carried out on a regular basis.
3. Install Anti-virus
Because of the additional cost of anti-virus software, many users skip it and run their POS systems without any anti-virus. Any virus or malware can then operate on the system undetected. To avoid this, anti-virus must be installed and updated on a periodic basis.
4. Use Firewall
POS systems must be protected from external attacks with the use of firewalls.
5. Prohibit Remote Access
Remote access lets any user enter the system without being physically present, and attackers can easily exploit a remote access configuration on POS systems. Remote access to POS systems must be prohibited at all times.
6. Limit Use of Internet
The internet is full of viruses and malware which can easily enter any system. Hence, to be on the safer side, internet use from POS systems must be limited or restricted.
No one can guarantee that a POS system will never be attacked. All the above mentioned points are best practices which make it difficult for an attacker to breach a POS system. However, by following them and keeping oneself updated on the issues, users can tremendously reduce the chances of a breach.
About Author:
Kintu Racca is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at kintu.r@spluspl.com