Friday 27 March 2015

Security of Point of Sale (POS) Devices

Introduction:
Point of Sale (POS) systems are used to process transactions when a consumer makes a payment in exchange for goods or services from a retailer. POS systems consist of hardware and software. The hardware is used to make the actual payment by swiping a credit or debit card. The software is linked to the hardware and determines what is done with the received data.

The hardware mainly consists of Magnetic Stripe Readers (MSR) and Personal Identification Number (PIN) pads. Credit / debit cards can be presented to the POS system through either an MSR or a PIN pad. POS systems are available in different types depending on the needs of retailers. The three main types of POS systems available are desktop, mobile and cloud.

Security Concerns:
POS systems have been a target of cyber criminals for a long time. There are numerous ways in which an attack can take place. The attackers may transmit malware to steal card information or attach a physical device to collect card data. There are three different areas which must be protected: data in transit, data in memory and data at rest.

Data in transit is the data which passes over the network connections between the different systems that process it. This data must be encrypted so that attackers are not able to misuse the card information.

Data in memory is the data which is entered into the POS system via some input device. If the attacker has access to the POS system, this data is nearly impossible to protect.

Data at rest is the card information stored in the system at any given point in time. The best way to protect this data is not to store it at all.
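To make the "do not store it at all" advice concrete, here is an added Python example (not code from the original post) showing how a transaction record can be persisted with a keyed token and a masked PAN in place of the card number itself, so that a copied database or log holds nothing an attacker can reuse. The vault key, the record layout and the audit helper are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed placeholder for the token vault key. In a real deployment the key
# is held in an HSM or key-management service, never beside the records it protects.
VAULT_KEY = bytes.fromhex("0f" * 32)


def normalize_pan(pan: str) -> str:
    """Strip the spaces/dashes a reader or form may insert; validate the length."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI DSS permits to display."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes = VAULT_KEY) -> str:
    """Keyed, deterministic token (HMAC-SHA256 over the PAN). The same card always
    yields the same token, so refunds and reporting still work, but without the
    key a stolen record cannot be turned back into a card number."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def build_transaction_record(pan: str, amount_cents: int, auth_code: str) -> dict:
    """The only thing written to disk after authorization: no PAN, no track data,
    no CVV, just the token, the masked number and the transaction details."""
    return {
        "token": tokenize_pan(pan),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
        "auth_code": auth_code,
    }


def record_contains_pan(record: dict, pan: str) -> bool:
    """Audit helper: confirm the full PAN appears in no stored field."""
    digits = normalize_pan(pan)
    return any(digits in str(value) for value in record.values())


if __name__ == "__main__":
    # 4111111111111111 is a well-known test card number, used here as sample input.
    rec = build_transaction_record("4111 1111 1111 1111", 1999, "A1B2C3")
    print(rec)
    print("PAN present in stored record:", record_contains_pan(rec, "4111111111111111"))
```

The token is deterministic on purpose: the back office can still match a refund to the original sale without ever seeing the card number. The trade-off is that whoever holds the vault key can recompute tokens for candidate card numbers, which is why the key must be kept separate from the records and the terminals.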

The different attacking methods are explained below in brief:

1. Memory Scraping – Memory scraping is a popular and comparatively recent technique in which the attacker tracks and targets specific sensitive data while it is held in the memory of the POS system.
2. Skimming – In skimming, the attackers replace the POS device with a tampered, vulnerable device which is then used to capture consumers’ data.
3. Forced Offline Authorization – Using this method, the attacker forces the cashier to authorize payment card information locally by creating a denial of service (DoS) that takes the local retail network offline. The card details are then stored offline until the network is brought back online, which gives the attackers an opportunity to steal the information.
4. Sniffing – This is a considerably older method in which the attacker sniffs and analyzes the network traffic for any sensitive card information.
5. Input Hooking – In this technique, the information entered by the user is seized at the system or OS level.
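Memory scraping, sniffing and input hooking all depend on card data being present somewhere in a form that can be recognized. Defenders therefore run the same kind of pattern check over their own process dumps, debug logs and spool files to confirm that no track data or card number has leaked into them. The scanner below is an added Python example, not code from the post; the Track 1 and Track 2 layouts are the standard ISO/IEC 7813 ones, the Luhn check filters out order numbers and timestamps that merely look like card numbers, and the sample buffer is constructed with well-known test card numbers.

```python
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM>...?) and Track 2 (;<PAN>=<YYMM>...?) layouts as
# defined in ISO/IEC 7813, plus a bare 13-19 digit run for data that was already
# parsed out of the stripe before it leaked.
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}")
BARE_PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; drops most order numbers and timestamps that merely
    look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report findings in masked form so the scan output is not itself a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Return [{'kind', 'masked_pan', 'line'}] for every Luhn-valid PAN found,
    whether inside track data or as a bare number. Track matches take priority
    so a PAN is not reported twice."""
    findings = []
    covered = []  # (start, end) spans already attributed to a track match
    for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE), ("pan", BARE_PAN_RE)):
        for m in pattern.finditer(text):
            pan = m.group(1)
            span = m.span(1)
            if any(s < span[1] and span[0] < e for s, e in covered):
                continue
            if not luhn_valid(pan):
                continue
            covered.append(span)
            findings.append({
                "kind": kind,
                "masked_pan": mask_pan(pan),
                "line": text.count("\n", 0, m.start()) + 1,
            })
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample: what a verbose debug log or a process memory dump might
# contain if the application failed to clear card data after authorization.
# The PANs are the well-known test numbers 4111111111111111 and 5555555555554444;
# the last line holds a 13-digit order id and a Luhn-invalid number as decoys.
SAMPLE_BUFFER = (
    "2015-03-27 10:14:02 txn=000123 status=approved\n"
    "%B4111111111111111^DOE/JANE^251210100000?\n"
    ";5555555555554444=2512101123?\n"
    "order_id=1234567890123 customer_ref=4111111111111112\n"
)

if __name__ == "__main__":
    for f in find_card_data(SAMPLE_BUFFER):
        print(f"line {f['line']}: {f['kind']} {f['masked_pan']}")
```

Any hit from this scan against a log file or a memory dump is a finding in its own right: it means the application keeps cleartext card data somewhere long enough for a scraper to pick it up, regardless of whether an attacker is present yet.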

POS Violation Stages:
Generally, a consistent pattern is observed in POS breaches. The stages are as mentioned below:

1. Infiltration – In this stage, the attacker analyzes the target system and tries to find a way in. Once access is found, the attacker establishes a stronger grip on the system.
2. Propagation – Next, the attacker spreads the malware to the target devices.
3. Aggregation – Once the malware has compromised the system, it sends the desired information to a single collection point within the environment for aggregation.
4. Exfiltration – The information might then be sent to a point outside the environment and misused.

Solution:
1. Strong passwords
Many consumers keep the default passwords set at the time of installation for simplicity. These default passwords are never changed later and hence prove to be a very easy entry point for attackers. It is strongly recommended that users change the default password to a complex one which cannot be easily guessed by attackers.

2. Update Software
POS applications must be updated on a regular basis to protect them from malware attacks. In the busy day-to-day operations, users often neglect the activity of updating applications. Patch management must include the activity of updating the software and must be conducted on a regular basis.

3. Install Anti-virus
Due to the additional cost of installing anti-virus software, many users skip this step and run their POS systems without any anti-virus. Hence, any virus or malware may run on their system undetected. To stay away from all this trouble, anti-virus must be installed and updated on a periodic basis.

4. Use Firewall
POS systems must be protected from external attacks with the use of firewalls.

5. Prohibit Remote Access
Remote access allows any user to enter the system without being physically present. Attackers can easily exploit a remote access configuration on POS systems. At all times, remote access to POS systems must be prohibited.

6. Limit Use of Internet
The internet is full of viruses and malware which can easily enter any system. Hence, to be on the safer side, internet use must be limited or restricted.
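Solutions 4 to 6 (firewall, no remote access, limited internet) can be expressed as one network policy and checked mechanically against the store's flow logs. The evaluator below is an added Python example, not code from the original post. It goes slightly beyond the list above by also denying lane-to-lane traffic, which the post does not name as a control but which is where the propagation and aggregation stages show up on the wire. The addresses, ports, endpoint names and log format are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy for one store. Addresses are documentation/private ranges
# chosen for the example; a real policy would carry the acquirer's actual endpoints.
POS_NET = ip_network("10.20.0.0/24")  # the lane terminals
EGRESS_ALLOW = {
    ("203.0.113.10", 443): "acquirer gateway",
    ("10.20.1.5", 8443): "patch server",
}
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line of the form 'src=IP:PORT dst=IP:PORT'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port))


def evaluate(flow: Flow) -> tuple:
    """Apply the policy to one flow; returns (verdict, reason)."""
    src_is_pos = ip_address(flow.src) in POS_NET
    dst_is_pos = ip_address(flow.dst) in POS_NET

    if dst_is_pos and not src_is_pos:
        # Solution 5: nothing may reach a lane from outside, remote-access
        # services least of all.
        svc = REMOTE_ACCESS_PORTS.get(flow.dport, f"port {flow.dport}")
        return "deny", f"inbound {svc} to lane {flow.dst}"
    if src_is_pos and dst_is_pos:
        # Lanes have no reason to talk to each other; lane-to-lane traffic is
        # how the propagation and aggregation stages look in a flow log.
        return "deny", f"lateral traffic {flow.src} -> {flow.dst}:{flow.dport}"
    if src_is_pos:
        # Solutions 4 and 6: egress only to the named endpoints; anything else
        # is either unneeded internet use or an exfiltration attempt.
        name = EGRESS_ALLOW.get((flow.dst, flow.dport))
        if name:
            return "allow", f"egress to {name}"
        return "deny", f"unapproved egress to {flow.dst}:{flow.dport}"
    return "allow", "not POS traffic; outside this policy"


def audit(lines) -> list:
    """Evaluate each flow-log line; returns [(line, verdict, reason)]."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


# Constructed flow log: two legitimate flows and three that the policy must block.
SAMPLE_FLOWS = [
    "src=10.20.0.15:50212 dst=203.0.113.10:443",   # lane -> acquirer
    "src=10.20.0.15:50213 dst=10.20.1.5:8443",     # lane -> patch server
    "src=10.20.0.15:50214 dst=198.51.100.77:80",   # lane -> unknown internet host
    "src=192.0.2.44:61000 dst=10.20.0.15:3389",    # internet -> lane RDP
    "src=10.20.0.15:50215 dst=10.20.0.16:445",     # lane -> lane SMB
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:45} {line}")
```

The same allowlist drives both the firewall rules and the detection: a lane that needs only the acquirer gateway and the patch server has a very small legitimate footprint, so any other destination in the flow log is worth an alert rather than a shrug.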

No one can guarantee that a POS system will never be attacked. All the above-mentioned points are best practices which make it difficult for an attacker to breach a POS system. However, by following them and keeping oneself updated on the issues, users can tremendously reduce the chances of a breach.

About Author:
Kintu Racca is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at kintu.r@spluspl.com

3 comments:

  1. It's been a great blog which provides some specific clues. pos software which are really important for me in understanding the product. It really helped me with some great stuff made by the blog.

  2. Hi, great reading your post.
