July 31, 2015 By Kevin Beaver 3 min read

You may have heard an iconic line attributed to infamous bank robber Willie Sutton: When asked why he robbed banks, he responded by saying “because that’s where the money is.” Here we are in 2015, and the story is no different regarding the security of point-of-sale (POS) systems in retail environment. Criminals seek out these systems because they know that’s where they can gain access to a large number of records of customer data, specifically credit and debit card information.

How Do Cybercriminals Steal Customer Data?

Here are two common attack vectors and some details on what can be done to keep such systems mostly immune from attack:

1. Malware Infections

RAM-scraping malware that extracts magnetic stripe data directly out of the POS computer’s memory is the biggest concern facing retailers. This malware can be installed by an attacker who has gained access to the network via other means (such as compromised credentials, as in the case of the Target breach) or even social engineering. Given the open nature of retail environments and the high turnover rate of employees, there are other possible attack avenues, as well, such as the installation of malware directly onto the POS system via a thumb drive.

There are plenty of big-box retailers running highly vulnerable and unsupported Windows XP and Windows 2003 servers at this very moment. That’s not necessarily bad in and of itself, as long as there are compensating controls such as advanced malware protection and positive security white-listing systems that control what runs on the registers.

2. Exploiting Missing Patches

An attacker connecting the POS environment via an unsecured wireless network is a common attack. Once a foothold is gained, odds are that numerous patches are missing, offering flaws that can be exploited using a tool such as Metasploit. Again, retail systems often involve legacy programs or machines, which put them at risk. The last thing that any self-respecting system admin or retail software vendor will allow is the installation of service packs, hot fixes and related patches. With the risk of system outages due to risky software updates, there’s simply too much lose. Or is there?

Other Security Risks

It’s not uncommon for large amounts of cardholder data to end up in an unstructured fashion on mobile devices (e.g., in spreadsheet files, PDFs and the like), often unprotected in the event of loss or theft. I’ve heard plenty of stories about auditors, contractors and even software developers who have such data in their possession. All it takes is one car being broken into or one bag being lost at the airport to make a customer data breach reality.

The solution? Encrypt laptops, phones, tablets and any other mobile storage media. Given all the hands in the pie in large retail enterprises, encryption is likely not enough. A proven control that can really help lock down cardholder data is a data loss prevention (DLP) measure, which keeps the data from ever leaving its secure location to begin with.

If it’s not one of the above items exposing critical systems and sensitive information, odds are very good that it will be some other predictable security flaw such as a weak password or physical security vulnerability. There’s always a chance that other unrelated corporate systems and applications can be breached, leading to the exposure of cardholder data. Of course, there are third-party vendors with all of their network systems and applications that you have to consider, as well. As we saw in the Target breach, all it takes is one vendor that’s not all that security-savvy to lead to a world of hurt.

What Can Retailers Do to Protect Data?

There are additional security measures retailers can use to lock down their vulnerable POS environments. These include:

  • File integrity monitoring that checks for system changes;
  • Securing card readers and point-to-point encryption, which ensures that cardholder data is encrypted in transit;
  • Installing firewalls and intrusion prevention systems;
  • Limiting outbound Internet access for POS systems and disabling remote inbound access.

In the end, if people looking to commit such crimes against retailers really want in, they’re going to find a way. It’s up to retailers to make their systems as secure as possible. The thing that makes it so difficult is that the criminals have nothing but time; those working in IT and security for retailers don’t. But with periodic system upgrades, consistent security evaluations and open communication among involved parties, secure customer data can be closer than ever before.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today