July 31, 2015 By Kevin Beaver 3 min read

You may have heard an iconic line attributed to infamous bank robber Willie Sutton: When asked why he robbed banks, he responded by saying “because that’s where the money is.” Here we are in 2015, and the story is no different regarding the security of point-of-sale (POS) systems in retail environment. Criminals seek out these systems because they know that’s where they can gain access to a large number of records of customer data, specifically credit and debit card information.

How Do Cybercriminals Steal Customer Data?

Here are two common attack vectors and some details on what can be done to keep such systems mostly immune from attack:

1. Malware Infections

RAM-scraping malware that extracts magnetic stripe data directly out of the POS computer’s memory is the biggest concern facing retailers. This malware can be installed by an attacker who has gained access to the network via other means (such as compromised credentials, as in the case of the Target breach) or even social engineering. Given the open nature of retail environments and the high turnover rate of employees, there are other possible attack avenues, as well, such as the installation of malware directly onto the POS system via a thumb drive.

There are plenty of big-box retailers running highly vulnerable and unsupported Windows XP and Windows 2003 servers at this very moment. That’s not necessarily bad in and of itself, as long as there are compensating controls such as advanced malware protection and positive security white-listing systems that control what runs on the registers.

2. Exploiting Missing Patches

An attacker connecting the POS environment via an unsecured wireless network is a common attack. Once a foothold is gained, odds are that numerous patches are missing, offering flaws that can be exploited using a tool such as Metasploit. Again, retail systems often involve legacy programs or machines, which put them at risk. The last thing that any self-respecting system admin or retail software vendor will allow is the installation of service packs, hot fixes and related patches. With the risk of system outages due to risky software updates, there’s simply too much lose. Or is there?

Other Security Risks

It’s not uncommon for large amounts of cardholder data to end up in an unstructured fashion on mobile devices (e.g., in spreadsheet files, PDFs and the like), often unprotected in the event of loss or theft. I’ve heard plenty of stories about auditors, contractors and even software developers who have such data in their possession. All it takes is one car being broken into or one bag being lost at the airport to make a customer data breach reality.

The solution? Encrypt laptops, phones, tablets and any other mobile storage media. Given all the hands in the pie in large retail enterprises, encryption is likely not enough. A proven control that can really help lock down cardholder data is a data loss prevention (DLP) measure, which keeps the data from ever leaving its secure location to begin with.

If it’s not one of the above items exposing critical systems and sensitive information, odds are very good that it will be some other predictable security flaw such as a weak password or physical security vulnerability. There’s always a chance that other unrelated corporate systems and applications can be breached, leading to the exposure of cardholder data. Of course, there are third-party vendors with all of their network systems and applications that you have to consider, as well. As we saw in the Target breach, all it takes is one vendor that’s not all that security-savvy to lead to a world of hurt.

What Can Retailers Do to Protect Data?

There are additional security measures retailers can use to lock down their vulnerable POS environments. These include:

  • File integrity monitoring that checks for system changes;
  • Securing card readers and point-to-point encryption, which ensures that cardholder data is encrypted in transit;
  • Installing firewalls and intrusion prevention systems;
  • Limiting outbound Internet access for POS systems and disabling remote inbound access.

In the end, if people looking to commit such crimes against retailers really want in, they’re going to find a way. It’s up to retailers to make their systems as secure as possible. The thing that makes it so difficult is that the criminals have nothing but time; those working in IT and security for retailers don’t. But with periodic system upgrades, consistent security evaluations and open communication among involved parties, secure customer data can be closer than ever before.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today