The high price of point-of-sale attacks and 10 ways to fight back

By remotely stealing customer card data from point-of-sale (PoS) devices, thieves have all the information they need to clone credit or debit cards, which can then be sold on the black market or used to buy expensive merchandise for resale.

While the knowledge that smart, well-motivated cybercriminals have set their sights on your financial data is bad enough, worse is the news that modern PoS attacks, such as “PoSeidon”, are now moving away from targeting major companies in favour of small and medium-sized firms like restaurants, bars and hotels.

With the enormous potential for card fraud to erode profits, brand reputation and customer loyalty, it’s time for businesses to ask if their stores and customers are at risk and what can be done to defend them.

When a cashier swipes a customer card, the PoS system reads the magnetic stripe and forwards the account data to your bank for authorisation. For cybercriminals, the goal is to infect PoS devices with malware that can steal this lucrative data.


Any businesses that think their PoS devices are safe should think again. Cybercriminals are resourceful and inventive; they can compromise PoS devices even when they aren’t directly connected to the Internet, or are kept physically secure.

Some of the common methods to watch out for include remote compromise, in which the attacker connects to the PoS device through a remote access protocol or a backend system, and local access, where attackers take advantage of PoS devices in public locations via exposed interfaces, such as network and USB ports.

It’s often said that your IT is only as secure as the people using it, and this holds true for PoS attacks: insiders with physical access to PoS devices can also easily load malware onto terminals.

Phishing campaigns are another one to watch for, as all it takes is one click in a malware-planted email for a PoS system to be attacked. Similar to phishing is drive-by exploitation, which also targets a workstation that has access to the PoS system, but instead of embedding the malware in an email, the victim is directed to a website hosting it.

Preventing the infection of PoS devices may be hard, but spotting an existing problem can be even more difficult. From surviving a reboot by copying itself to workstations, to using rootkits that leave almost no trace of their existence, PoS malware is extremely slippery.

The recently discovered PoSeidon family can even update itself directly from remote servers. Meanwhile, most PoS malware also encrypts card data, so it can be exfiltrated to remote servers without being detected or blocked by security systems.

The bottom-line is that today’s increasingly sophisticated PoS attacks mean that just because you can’t see a problem, it doesn’t mean there isn’t one.

Fighting back

The good news is that while there are subtly different families of PoS malware, they all follow the same well-defined attack path – meaning most countermeasures and detection strategies will be effective against all of them. With that in mind, here are our top ten steps to defend your business:

1. Shield the systems

Wherever possible, isolate your PoS infrastructure from direct Internet access.

2. Secure hardware appliances from physical tampering

For example, secure exposed USB ports on all PoS hardware reachable by customers.

3. Cover all devices

Run an up-to-date antivirus solution on all PoS systems, including mobile devices.

4. Never miss an update

Keep your entire software environment up-to-date.

5. Don’t overlook the settings

Reset PoS devices to the manufacturer’s default settings.

6. Tight passwords

Make sure all of your PoS accounts and backend systems have updated, secure passwords.

7. Add network protection to detect and block any suspicious traffic entering or leaving PoS devices

Look for an unexpected host, an unexpected port, or an unexpected country like Russia or China.

8. Be alert to fixed-timeout CPU load spikes

PoS memory scraping causes high load processes and will trigger CPU spikes at regular intervals.

9. Regularly check your remote connection logs, firewall logs, or Windows security event logs

It is vital to regularly check these for successful or unsuccessful logins from foreign IP addresses – especially during off-peak hours. If there’s no legitimate business reason for remote access from such IP addresses, consider the activity to be an attack.

10. Review all your running processes for potential malware

Look for slightly misspelled names running from a legitimate directory, as well as legitimate names running from a non-standard directory.
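Steps 9 and 10 above can be turned into a repeatable check. The following is an added example, not code from the article or from SecureData: a small Python 3 script that flags lookalike or misplaced process names and remote logons from unexpected addresses, with a heavier weighting in off-peak hours. The legitimate-binary table, the expected network range, the business hours and all sample records are constructed assumptions.

```python
import difflib
import ipaddress
from datetime import datetime

# Step 10: a name one edit away from a legitimate Windows binary, or a real
# name outside its normal directory, is the classic PoS-malware disguise.
# Constructed table of a few well-known binaries and their normal directories.
LEGIT = {"svchost.exe": r"c:\windows\system32",
         "lsass.exe": r"c:\windows\system32",
         "explorer.exe": r"c:\windows"}

def review_processes(procs):
    """procs: iterable of (name, directory). Returns [(name, reason), ...]."""
    findings = []
    for name, path in procs:
        name, path = name.lower(), path.lower().rstrip("\\")
        if name in LEGIT:
            if path != LEGIT[name]:
                findings.append((name, "legit name in non-standard dir " + path))
            continue
        # close-but-not-equal name, e.g. a digit swapped for a letter
        near = difflib.get_close_matches(name, LEGIT, n=1, cutoff=0.85)
        if near:
            findings.append((name, "looks like " + near[0]))
    return findings

# Step 9: remote logons from outside the expected networks, rated higher
# when they land in off-peak hours. Range and hours are assumptions.
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # own sites (constructed)
BUSINESS_HOURS = range(8, 22)                           # 08:00-21:59 local

def review_logons(events):
    """events: iterable of (timestamp_str, source_ip, success_bool).
    Returns [(source_ip, 'success'|'failed', severity), ...]."""
    findings = []
    for ts, ip, ok in events:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in EXPECTED_NETS):
            continue
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        sev = "high" if hour not in BUSINESS_HOURS else "medium"
        findings.append((ip, "success" if ok else "failed", sev))
    return findings

if __name__ == "__main__":
    # Constructed sample data: one lookalike, one misplaced, one normal process;
    # one off-peak logon from an unexpected address and one internal logon.
    print(review_processes([("svch0st.exe", r"C:\Windows\System32"),
                            ("lsass.exe", r"C:\Users\Public"),
                            ("explorer.exe", r"C:\Windows")]))
    print(review_logons([("2015-06-01 03:12:44", "203.0.113.7", True),
                         ("2015-06-01 11:05:10", "10.20.4.9", True)]))
```

In practice the process list would come from the PoS host itself and the logon events from the Windows security log or firewall, with the expected networks taken from your own remote-access inventory.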


As long as payment card data remains so lucrative, retailers shouldn’t expect any slowdown in the number of PoS data breaches. In fact, the number of cyber attacks involving malware designed to steal financial data has jumped by more than 25% in recent years.

As attacks become more sophisticated and increasingly target smaller retailers to hamper financial institutions trying to track down card fraud, the time to act is now.

Proactively enforcing industry best practices, getting the security basics right and remaining vigilant are by far the best ways to make sure a business doesn’t end up counting the cost of a PoS attack.


Sourced from Pete Shoard, chief architect, SecureData

Ben Rossi
