Bank robber Willie Sutton is famous for saying that he robbed banks, 'Because that’s where the money is.' Though a reporter probably invented that line, it stuck in the popular imagination as being a concise explanation of criminal motivations.
Today, however, most of our money is not in bank vaults, nor in physical form. It is simply an electronic record. However, the places where those electronic records are processed are still an attractive target for robbers, and none more so than the point of sale (POS) devices where credit card transactions are recorded in stores, restaurants, and bars.
Hacking into a medical device or a moving car may get a security researcher headlines, but hacking into a POS network to steal credit card numbers will get a criminal hard cash.
Consumers may be happy to buy a new smartphone every year or two, but businesses expect POS devices to have a much longer lifespan. As any researcher will tell you, the longer a device is around, the more time an attacker has to find and exploit hardware and software vulnerabilities.
There are still POS devices out there running the Windows XP operating system, which is no longer supported by Microsoft.
It’s important for any Internet of Things (IoT) device to have a way for the manufacturer to upgrade the installed firmware or software on the device and to patch any security vulnerabilities that are discovered.
However, that upgrade mechanism can itself be a way to compromise the device, as we saw recently in both the Cisco and Jeep hacks. It should be a standard for all IoT devices that they only accept updates that are cryptographically signed by the manufacturer.
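As an added illustration of the signed-update rule in the paragraph above (and of the same recommendation in the closing list), here is a minimal device-side check. This is example code, not from the article or from Cloudmark, and it assumes a constructed Ed25519 manufacturer key pair and a simple version-plus-image envelope of my own design; it also goes one step beyond the text by refusing a correctly signed but older image, so the update channel cannot be used to push a device back to a vulnerable release.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware envelope: image, monotonically increasing version, and an
// Ed25519 signature over both, so an old vulnerable image cannot be replayed under its own signature.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}
var ErrBadSignature = errors.New("rejected: signature does not verify under manufacturer key")
var ErrRollback = errors.New("rejected: version is not newer than installed firmware")
// signedPayload is the exact byte string both sides sign/verify: 4-byte big-endian version || image.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}
// SignUpdate runs on the manufacturer side; the private key never leaves it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, signedPayload(version, image))}
}

// VerifyUpdate runs on the POS device, which trusts only the manufacturer's public key
// provisioned at manufacture. The signature is checked before any other field is acted on.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed manufacturer key pair
	good := SignUpdate(priv, 2, []byte("firmware image v2 (constructed sample)"))
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, good))
	tampered := Update{Version: 2, Image: []byte("modified image"), Signature: good.Signature}
	fmt.Println("tampered image, original signature:", VerifyUpdate(pub, 1, tampered))
	fmt.Println("replayed v2 on a device already at v2:", VerifyUpdate(pub, 2, good))
}
```

A real device would hold the public key in write-once storage and keep the installed version counter in tamper-resistant memory; otherwise the checks can simply be bypassed by whoever controls the device's flash.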
In the case of POS devices there are additional problems. Even if an upgrade path exists, the manufacturer cannot apply those fixes directly, but must rely on the retail organization that purchased them to download and install the fixes.
Furthermore, they cannot publish the fixes as soon as they have them. All processing of credit card transactions should satisfy the Payment Card Industry Data Security Standard (PCI DSS). Software should be validated as complying with this standard before publication.
The Hilton breach is the latest in a long line of POS hacks, and we can expect to see more in the future. There is no single solution to this problem but there are a number of steps that could be taken to help mitigate the problem:
Accelerate the rollout of credit cards with embedded chips in North America. This means that even if a credit card number were stolen, criminals could not use it to make a fake card.
Provide a fast track for PCI DSS validation of security fixes.
POS manufacturers should offer substantial bug bounties so that white hat researchers are motivated to find vulnerabilities before the criminals do.
All new POS devices should only accept software or firmware updates cryptographically signed by the manufacturer.
Manufacturers should have a way of sending automatic software updates to all new devices.
Sourced from Andrew Conway, research analyst, Cloudmark