Point of Sale and Malware
Point of Sale (POS) systems have come under scrutiny in 2013 and 2014, particularly in the USA, where several large data breaches have taken place. These data breaches have involved the theft of credit and/or debit card details. The cause of these breaches has been traced back to malware installed on POS terminals. The defining characteristic of this malware is that it uses RAM scraping to harvest card details from memory. Depending on the malware, the card details can then be sent to cyber criminals to use.
One of the latest breaches in the USA came about through a POS vendor. The breach was caused when an attacker obtained the username and password used by the POS vendor for remote support – POS dealers generally have some type of remote support for their clients. Help Net Security have detailed the breach, as has Brian Krebs.
The structure of a POS system usually consists of terminals (also known as registers) and a back of office server that processes the card data. The terminals and the server usually run Windows as the operating system. The choice of operating system is not the issue, though: attackers are often skilled in several operating systems apart from Windows. The POS server has access to the internet to enable the transfer of card details. The card details are encrypted before transmission over the internet, as the internet is considered to be an insecure medium. The card details are typically not encrypted over the local network, which opens up an avenue of attack if a network sniffer is placed on the local network. A bigger issue arises if the POS server also has access to email and the web. Malware (if installed on the terminal) presents a threat to a POS system. Malware RAM scrapers in particular are effective because they extract card details from memory before the details are encrypted.
Europay, MasterCard and Visa (EMV) is a standard that uses encryption, but adoption of it has been slower in the USA than in Europe and Australia. EMV uses IC cards and PINs for authentication at POS terminals and ATMs. It has been touted as a way to stop credit card fraud, and it has proven to be effective in doing so when implemented. However, it still has some vulnerabilities. A presentation by Lucas Zaichkowsky at Black Hat 2014 demonstrated a way of attacking an EMV POS system. The exploit takes advantage of EMV systems using a backwards compatibility mode. Backward compatibility is used for cards that originate from countries where EMV is not widely used yet.
There are simple and practical steps for small businesses to follow that lower the risk of malware infection. One step is to block off the POS server’s access to the internet for web and email. A second step is to enable egress filtering on outbound connections. Another action is to exercise caution with remote login software: remote support software that allows two factor authentication is preferred over Remote Desktop software. A further action is to check that passwords have been changed from their default values.
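As an added example (not part of the original post), the first two of those steps applied to a Windows back of office server with the built-in Windows Firewall cmdlets: outbound traffic is denied by default, only the payment application may reach the processor, and web and mail ports are blocked explicitly. The processor address, DNS servers and application path are placeholders.

```powershell
# Added example: default-deny egress policy for a Windows POS back-office server.
# Placeholder values (not from the post) - replace with the real ones:
$ProcessorIP   = '203.0.113.10'               # payment processor endpoint
$ProcessorPort = 443
$DnsServers    = @('10.0.0.2', '10.0.0.3')    # internal resolvers
$PaymentApp    = 'C:\POS\PaymentGateway.exe'  # the only program allowed out

# 1. Block outbound by default on every profile and log what gets dropped,
#    so anything not explicitly allowed below shows up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Only the payment application, only to the processor, only on its port.
New-NetFirewallRule -DisplayName 'POS-Egress-Processor' -Direction Outbound `
    -Action Allow -Protocol TCP -Program $PaymentApp `
    -RemoteAddress $ProcessorIP -RemotePort $ProcessorPort

# 3. Keep name resolution and address assignment working for the server.
New-NetFirewallRule -DisplayName 'POS-Egress-DNS' -Direction Outbound `
    -Action Allow -Protocol UDP -RemoteAddress $DnsServers -RemotePort 53
New-NetFirewallRule -DisplayName 'POS-Egress-DHCP' -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67

# 4. Explicit block for web and mail ports. Windows evaluates block rules
#    before allow rules, so a later, broader allow rule cannot reopen these.
#    TCP 443 is deliberately left out: listing it here would also block the
#    processor rule above; 443 to anything else is already dropped by step 1.
New-NetFirewallRule -DisplayName 'POS-Block-WebMail' -Direction Outbound `
    -Action Block -Protocol TCP `
    -RemotePort 80,25,110,143,465,587,993,995

# 5. Verify the profile default and the rules that were created.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'POS-*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

With a default-deny outbound policy, Windows Update, anti-virus updates and (on a domain-joined server) domain controller traffic need their own allow rules or an internal update server, so review pfirewall.log for unexpected drops after applying it.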
The use of email to install malware on a POS server is an area of attack that should not be overlooked. Phishing attacks designed to extract usernames and passwords are effective methods used by attackers to gain access. For this reason, utilising some method of email filtering should be considered as part of a defence in depth strategy. Whilst phishing is a basic type of attack, it has proven to be very successful.