You may have heard an iconic line attributed to infamous bank robber Willie Sutton: When asked why he robbed banks, he responded by saying “because that’s where the money is.” Here we are in 2015, and the story is no different regarding the security of point-of-sale (POS) systems in retail environment. Criminals seek out these systems because they know that’s where they can gain access to a large number of records of customer data, specifically credit and debit card information.
How Do Cybercriminals Steal Customer Data?
Here are two common attack vectors and some details on what can be done to keep such systems mostly immune from attack:
1. Malware Infections
RAM-scraping malware that extracts magnetic stripe data directly out of the POS computer’s memory is the biggest concern facing retailers. This malware can be installed by an attacker who has gained access to the network via other means (such as compromised credentials, as in the case of the Target breach) or even social engineering. Given the open nature of retail environments and the high turnover rate of employees, there are other possible attack avenues, as well, such as the installation of malware directly onto the POS system via a thumb drive.
There are plenty of big-box retailers running highly vulnerable and unsupported Windows XP and Windows 2003 servers at this very moment. That’s not necessarily bad in and of itself, as long as there are compensating controls such as advanced malware protection and positive security white-listing systems that control what runs on the registers.
2. Exploiting Missing Patches
An attacker connecting the POS environment via an unsecured wireless network is a common attack. Once a foothold is gained, odds are that numerous patches are missing, offering flaws that can be exploited using a tool such as Metasploit. Again, retail systems often involve legacy programs or machines, which put them at risk. The last thing that any self-respecting system admin or retail software vendor will allow is the installation of service packs, hot fixes and related patches. With the risk of system outages due to risky software updates, there’s simply too much lose. Or is there?
Other Security Risks
It’s not uncommon for large amounts of cardholder data to end up in an unstructured fashion on mobile devices (e.g., in spreadsheet files, PDFs and the like), often unprotected in the event of loss or theft. I’ve heard plenty of stories about auditors, contractors and even software developers who have such data in their possession. All it takes is one car being broken into or one bag being lost at the airport to make a customer data breach reality.
The solution? Encrypt laptops, phones, tablets and any other mobile storage media. Given all the hands in the pie in large retail enterprises, encryption is likely not enough. A proven control that can really help lock down cardholder data is a data loss prevention (DLP) measure, which keeps the data from ever leaving its secure location to begin with.
If it’s not one of the above items exposing critical systems and sensitive information, odds are very good that it will be some other predictable security flaw such as a weak password or physical security vulnerability. There’s always a chance that other unrelated corporate systems and applications can be breached, leading to the exposure of cardholder data. Of course, there are third-party vendors with all of their network systems and applications that you have to consider, as well. As we saw in the Target breach, all it takes is one vendor that’s not all that security-savvy to lead to a world of hurt.
What Can Retailers Do to Protect Data?
There are additional security measures retailers can use to lock down their vulnerable POS environments. These include:
- File integrity monitoring that checks for system changes;
- Securing card readers and point-to-point encryption, which ensures that cardholder data is encrypted in transit;
- Installing firewalls and intrusion prevention systems;
- Limiting outbound Internet access for POS systems and disabling remote inbound access.
In the end, if people looking to commit such crimes against retailers really want in, they’re going to find a way. It’s up to retailers to make their systems as secure as possible. The thing that makes it so difficult is that the criminals have nothing but time; those working in IT and security for retailers don’t. But with periodic system upgrades, consistent security evaluations and open communication among involved parties, secure customer data can be closer than ever before.
Independent Information Security Consultant