Targeting Point of Sale (POS) devices has become one of the more preferred approaches for attackers over the years as they seek to exploit any known vulnerability. The latest POS attack to make the headlines was of course the data breach suffered by major American retailers Forever 21 after malware was being routed through POS devices, enabling hackers to extract vital information such as customer payment card data. In fact, there was a 21% increase in the number of ATM compromises and POS devices during the first six months of 2017.
Retailers need to be aware of the security risks associated with unprotected POS devices as, once exploited, hackers have been able to influence changes in prices as well as allow access to sensitive banking information, leading to data breaches and identity fraud. The issue lies within detecting POS malware, which has become a major concern and with POS systems being relatively easy targets, more needs to be done to eradicate the security issues surrounding these devices.
How vital is identity management?
If a POS device is being used, it is imperative that proper identity management (IdM) is enabled and installed. Without IdM, the POS device will be left exposed. Presently, when authentication is initiated, the user is assumed to be the appropriate person. With most POS systems, the initial authentication comes for Active Directory (AD). In this framework, once the user is authenticated via Active Directory, there’s nothing to prevent the privileged user from accessing systems which reference AD for authentication.
Another alternative is two-factor authentication (2FA), which adds an additional layer of protection to prevent inappropriate access. This comes in the form of a challenge question, biometrics, or a simple code that is keyed by the user when authenticating into the application. However, for the sake of authentication legitimacy, many retailers will use an Identity Provider (IDP) to broker the authentication transaction between AD and the downstream application. Most IDPs have 2FA capabilities, which retailers will use to help strong authentication measures.
So why is it so easy?
The simple answer: the internet. With most of these systems connected to the network via the Internet, which is a necessity, it exposes them. POS terminals need internet connectivity to fulfill transactions between entities (consumer, bank, intermediary, etc). So, when the system sits in a network with Internet connectivity, all it takes is an attacker to get into that framework.
Information is the currency in which networks trade. When information can be shared within a network, equipment is not necessary – thus, the reason remote exploitation can be so effective.
The defence and response of the retailer
Firstly, keeping all POS systems up-to-date with any software patches and updates that can curtail any adversary ambition is strongly advised and should be conducted on a regular basis. Secondly, retailers can use strong authentication to prevent compromised credentials from being exploited.
Strong authentication could be a passcode, a biometric or even a challenge question – what is your mother’s maiden name is a popular choice. With these in place, retailers are continuously adding extra layers for users trying to access the POS devices. Uncovering a malicious insider is a separate matter. The insider can use their access to change the prices and discounts within the POS system directly. This, however, is much easier to detect, because changes are logged and tracked.
All of these challenges should awaken retailers to the need for better, faster log analysis. This will help determine the validity of preventative measures. Without the active practice of log analysis, retailers will continue to miss potential threats.
If the sheer worry of exposing customer personal information and card data isn’t bad enough, with the advent of the EU’s General Data Protection Regulation coming into force on the 25th of May this year ought to make retailers take note. Under the regulation, any retailers that collect personal data on EU citizens will be subject to stringent new rules and if systems are found to be lacking in security measures, they could face fines between 10-20 million Euros or 2-4% of their revenue, whichever is greater.
POS devices come with risks and until manufacturers address these security issues, thus retailers must become more cyber-aware. The number of fraudulent attacks are on the rise, so it is time for retailers to stay one, two or even three steps ahead of the hacker.