The War Against POS Hackers
By Julie Ritzer Ross
In September of 2012, two Romanians were convicted of a scheme wherein they siphoned off data from every credit card swipe and PIN data entry at more than 150 Subway sandwich shops. The scheme, which netted them approximately 146,000 credit cards and sparked losses exceeding $10 million, not only exemplifies an ongoing trend toward hacking and significant data theft but also underscores the continued vulnerability of POS systems to compromise, a vulnerability VARs should address as they move to better serve and cultivate long-term relationships with SMB retailers.
Some cases of POS system compromise stem from seemingly simple mistakes and/or oversights. For example, some merchants neglect to assign passwords to users, instead leaving them blank. Others rely on vendor-supplied, shared and/or weak credentials, and many neglect to mandate frequent password changes. Robert J. McCullen, chairman, president and CEO of information and payment card security solutions provider Trustwave (www.trustwave.com), notes that in certain instances, SMBs are so focused on securing information elsewhere in the enterprise (such as in the cloud) that they forget password necessities—with disastrous results. Such misplaced focus also leads to a failure to apply the patches needed to keep POS systems up to date on the security front.
“Because people think that any password is better than no password, they feel secure,” adds Flower Mound, Tex.-based security specialist Branden Williams (www.brandenwilliams.com); they may not be aware that a quick Google search will reveal the default password for the very device hackers are seeking to compromise. “Even worse, some third parties use a shared password for their own access so that any of their technicians can use this basic password to get to any of their customers. If I figure out that password, I can then just look at their website to figure out who their other customers are and use that same password to compromise them.”
Another error is the practice of allowing easy access to POS systems via remote access tools or in fact, any Internet connection. “And if someone can jump around inside your network once they gain access this way, you can bet they will go after any system with a perceived value,” Williams asserts.
A lack of firewalls ranks high on the list of catalysts as well. Without such protection against unauthorized POS system ingress and egress, Windows RDP and terminal services can be compromised in no time, according to Jason Berryhill, a POS fraud specialist and agent with the U.S. Secret Service.
The root of other POS system compromises is a bit more complex. For instance, court documents indicate that the Romanian hackers who were convicted this past September first remotely scanned the Internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. One perpetrator then used the RDAs to log onto the targeted POS systems over the Internet. The latter were typically password-protected, compelling him, where necessary, to attempt to crack the passwords to gain administrative access. Next, the perpetrator would remotely install keystroke logger or “sniffer” programs onto the POS systems. These programs would record, and then store, all of the data—including customers’ payment card data—passing through the affected merchants’ POS systems.
In a slightly different vein, there are the problems caused by malware, which enables real-time theft of data from integrated POS systems. As one source notes, software engineers can neglect to add encryption controls to their applications, leaving card data exposed in memory, and rationalize the omission by arguing that hackers will not spend time attempting to hijack data from RAM while it resides there or that the data are difficult to grab at all. However, he says, hacking experts have devised several methods of capturing such data; the most prevalent is using malware to make the entire suite of integrated POS software run transparently inside a debugger.
Lack of network segmentation, too, opens doors to trouble. Unless networks are segmented, perpetrators can, for instance, compromise back-office PCs with malware, then maneuver their way to the POS network.
RX FOR TROUBLE
While no antidote against POS system compromise is entirely ironclad, channel players can and should do as much as possible to shore up defenses. Converting retailers to using two-factor authentication to access the system is a good idea. In a two-factor authentication scenario, two separate methods are employed to verify the authenticity of requests to access the POS system. Examples of this type of authentication include entering a user name and password (the first factor), followed by a touch on a biometric scanner or the entry of a specific code generated for an individual user session (the second factor).
Ideally, merchants should assign one unique password and user ID to every staff member, and implement mandates that passwords automatically expire and be changed regularly (every 45 to 90 days). Passwords should include a minimum of seven characters and incorporate four elements: upper- and lower-case letters, numbers and symbols.
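The two-factor login and the password rules described above can be expressed as a small amount of code. The following is an added example, not code from the article or from any vendor it quotes: it checks a password against the stated policy (seven characters, four character classes, rotation within 90 days, no blank or vendor-default values), stores the first factor as a salted hash, and verifies a per-session code as the second factor using the RFC 4226 HOTP algorithm. The default-password list, user record, salt and dates are constructed for illustration; the OTP secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import string
import struct
from datetime import date, timedelta

MIN_PASSWORD_LENGTH = 7       # article: at least seven characters
MAX_PASSWORD_AGE_DAYS = 90    # article: rotate every 45 to 90 days

# Constructed sample of blank, vendor-default and shared credentials (placeholders, not real product defaults)
KNOWN_DEFAULT_PASSWORDS = {"", "password", "admin", "1234", "posadmin"}


def password_policy_violations(password: str, last_changed: date, today: date) -> list:
    """Return the policy rules a password breaks; an empty list means it is compliant."""
    problems = []
    if password in KNOWN_DEFAULT_PASSWORDS:
        problems.append("blank, vendor-default or shared password")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if (today - last_changed).days > MAX_PASSWORD_AGE_DAYS:
        problems.append("older than %d days, must be changed" % MAX_PASSWORD_AGE_DAYS)
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash: the first factor is stored hashed, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: the second factor, a code per session."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(record: dict, password_attempt: str, otp_attempt: str, counter: int, today: date) -> bool:
    """Both factors must pass, and the password must not have expired."""
    first_ok = hmac.compare_digest(record["pw_hash"], hash_password(password_attempt, record["salt"]))
    second_ok = hmac.compare_digest(hotp(record["otp_secret"], counter), otp_attempt)
    expired = (today - record["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS
    return first_ok and second_ok and not expired


# Constructed record for one staff member (one unique ID per person, as the article recommends).
TODAY = date(2012, 12, 1)
LONG_AFTER = date(2013, 6, 1)          # a date by which the password below has expired
CLERK = {
    "user_id": "clerk-0417",
    "salt": b"constructed-salt-not-for-production",
    "pw_hash": hash_password("Sw!pe2012", b"constructed-salt-not-for-production"),
    "otp_secret": b"12345678901234567890",   # RFC 4226 test-vector secret
    "pw_changed": TODAY - timedelta(days=10),
}

if __name__ == "__main__":
    print(password_policy_violations("admin", TODAY, TODAY))
    print(verify_login(CLERK, "Sw!pe2012", hotp(CLERK["otp_secret"], 0), 0, TODAY))
```

The counter would normally be tracked server-side per user and advanced after each successful verification; a time-based variant (TOTP) replaces the counter with the current 30-second window.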
“Firewall installation is a must as well,” Berryhill asserts, noting that some retailers erroneously believe that the router or modem provided by their Internet service provider is a firewall. A properly configured firewall, he says, should completely block access to the POS system from the Internet, while still allowing it to communicate with such legitimate entities as the merchant bank that handles payment processing.
Anti-virus and anti-malware applications are critical antidotes against compromise. According to Trustwave, every terminal and server should have these applications installed on it.
Additionally, ensuring that customers’ systems comply with the Payment Card Industry Data Security Standard (PCI DSS) is a major step toward preventing the theft of consumer credit card data that is the objective of many hackers, but it is not enough. Industry experts say the most effective line of defense for staving off a breach is to reduce PCI scope. Tokenization, which eliminates the need for merchants to store cardholder data in their POS systems by replacing actual data with randomly assigned numbers (hence separating payment data from transaction data), ranks among key techniques for reducing scope and creating a barrier against hacking. Bruce Dragt, senior vice president, payment acceptance at First Data (www.firstdata.com), notes that a combination of software- or hardware-based encryption with tokenization is an even better bet because of the extra layer of payment data security it provides.
A unified threat-management (UTM) system that includes a firewall, antivirus software, content filtering and spam filters to protect against intrusion attempts, viruses, phishing, data compromises and other threats often works well as a barrier to POS system compromise. As an added benefit, a UTM helps SMBs comply with the PCI DSS requirement that businesses of all sizes segregate their point-of-sale systems from the rest of their network and limit access from those systems to the Internet.
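The firewall and segmentation advice above (block the POS from the Internet, allow only the processor, keep back-office PCs off the POS network) can be checked as a policy before it is typed into a real device. The following is an added example, not the article's or any vendor's configuration: it models an ordered, first-match, default-deny ruleset next to the "router passes everything" setting the article warns about, and audits both against the flows a segmentation review expects. The VLAN ranges, the payment gateway address (a TEST-NET-2 placeholder) and the outside address (TEST-NET-3) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: two VLANs behind the firewall and a placeholder for the
# merchant bank's payment gateway (TEST-NET-2 address, not a real processor).
POS_NET = ipaddress.ip_network("10.10.20.0/24")
BACK_OFFICE_NET = ipaddress.ip_network("10.10.10.0/24")
PAYMENT_GATEWAY = ipaddress.ip_network("198.51.100.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, src_ip, dst_ip, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


# Weak setting: an ISP router passing everything, which the article says some retailers
# mistake for a firewall. No segmentation, and RDP on the POS is reachable from anywhere.
FLAT_NETWORK_RULES = [Rule(ANY, ANY, None, "allow")]

# Hardened setting: ordered, first-match, default deny. Only the flows the business
# needs are permitted; replies to allowed flows are assumed to be handled statefully.
SEGMENTED_RULES = [
    Rule(POS_NET, PAYMENT_GATEWAY, 443, "allow"),   # POS may talk to the processor over TLS
    Rule(POS_NET, ANY, None, "deny"),               # ...and to nothing else (no browsing, no outbound RDP)
    Rule(ANY, POS_NET, None, "deny"),               # nothing initiates to the POS VLAN, Internet or back office
    Rule(BACK_OFFICE_NET, ANY, None, "allow"),      # back office keeps its normal Internet access
]


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Flows a segmentation review expects (constructed; 203.0.113.5 is a TEST-NET-3 placeholder).
EXPECTED_FLOWS = [
    ("203.0.113.5", "10.10.20.15", 3389, "deny"),      # Internet -> POS RDP
    ("10.10.10.7", "10.10.20.15", 3389, "deny"),       # back-office PC -> POS RDP (the lateral path)
    ("10.10.20.15", "198.51.100.10", 443, "allow"),    # POS -> payment gateway over TLS
    ("10.10.20.15", "198.51.100.10", 80, "deny"),      # POS -> gateway in clear text
    ("10.10.20.15", "203.0.113.5", 443, "deny"),       # POS -> arbitrary Internet host
    ("10.10.10.7", "203.0.113.5", 443, "allow"),       # back office -> Internet
]


def audit(rules) -> list:
    """Return the expected flows the ruleset gets wrong (empty list means the policy holds)."""
    return [(src, dst, port, want) for src, dst, port, want in EXPECTED_FLOWS
            if evaluate(rules, src, dst, port) != want]


if __name__ == "__main__":
    print("flat network violations:", audit(FLAT_NETWORK_RULES))
    print("segmented violations:", audit(SEGMENTED_RULES))
```

Rule order is the point: the single allow for the processor sits above the blanket POS deny, and the "nothing into the POS VLAN" deny sits above the back-office allow, so a compromised back-office PC cannot reach a terminal even though it can reach the Internet.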
One caveat to remember here: McCullen notes that non-compliant POS systems often retain restricted credit card data on the system hard drive. Upgrading clients to a PA-DSS compliant application ensures that restricted credit card data captured during future transactions will not be stored in the system. However, in many instances, data stored by legacy applications is overlooked when a new system is installed. Certain vendors claim that restricted data will be automatically removed during the upgrade process, but Trustwave recommends that system hard drives be replaced and that old hard drives containing restricted data be securely wiped and destroyed.
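To make the tokenization and legacy-data points concrete, the following is an added example, not code from the article, First Data or Trustwave. A processor-side vault swaps each card number for a random 16-digit token that deliberately fails the Luhn check, the merchant keeps only the token and last four digits, and a simple scanner flags Luhn-valid digit runs so residual card data in an old application's files can be found before a drive is wiped. The test card number and the legacy order line are constructed; the vault is a stand-in for a real processor service.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that real card numbers pass (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the processor-side vault. The merchant's POS never holds this
    mapping, which is what takes the cardholder data out of its PCI scope."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid primary account number")
        if pan in self._token_by_pan:          # same card, same token: lets the merchant link repeat sales
            return self._token_by_pan[pan]
        while True:
            # Random 16-digit token. Reject any candidate that passes Luhn so a token can
            # never be mistaken for, or collide with, a real card number.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, order_id: int, pan: str, amount_cents: int) -> dict:
    """What the POS is allowed to keep: a token and the last four digits, never the PAN."""
    return {"order_id": order_id, "token": vault.tokenize(pan),
            "last4": pan[-4:], "amount_cents": amount_cents}


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_residual_pans(text: str) -> list:
    """Flag contiguous 13-19 digit runs that pass Luhn, e.g. when checking a legacy
    application's files before an old hard drive is wiped and destroyed. Simplistic:
    it does not catch numbers broken up by spaces or dashes."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


# Constructed sample data: a well-known test card number and a line from a legacy order file.
TEST_PAN = "4111111111111111"
LEGACY_ORDER_LINE = "order=1001 card=4111111111111111 exp=1215 amount=1899"

if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_record(vault, 1001, TEST_PAN, 1899))
    print(find_residual_pans(LEGACY_ORDER_LINE))
```

The scanner reports the legacy line but not a tokenized record, because the token is built never to pass Luhn; that property is also what keeps a leaked token useless to a thief.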
VARs’ efforts to secure retailers’ POS systems should not stop here, however. Periodic testing to assess whether these systems remain air-tight, or as close to secure as possible, as well as to identify any new vulnerabilities, is also advisable. Trustwave recommends (and performs) several types of tests, including, but not limited to, application penetration, internal/external network penetration and code review.
Application penetration is an attack simulation exercise designed to assess the effectiveness (or lack of effectiveness) of an application’s security controls by highlighting risks posed by actual exploitable vulnerabilities. One option here is SQL injection, wherein the tester supplies crafted input that the application passes to its database as part of a query, manipulating the database and, as a hacker would, gaining unauthorized access to it. Other application penetration testing methods include attempting to bypass the authentication process for accessing a system, manipulate a URL or modify an embedded cookie.
Meanwhile, in the most common internal testing scenario, an individual posing as a regular employee or contractor uses the same (or slightly lesser) system access levels as real employees in an attempt to acquire data to which they are not privy. External network penetration testing uses a remote probe appliance to perform a similar test from outside the network. A code review involves detailed, close-up inspection of application source code; the vulnerability of the tools and commercial applications in use is evaluated as well.
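The SQL injection test mentioned above is easiest to understand with the flawed login query beside its fix. The following is an added example, not code from the article or from Trustwave's testing tools: an in-memory SQLite table stands in for a POS application's user table, one login function splices user input into the SQL text and the other passes it as bound parameters, and a small probe reports which of the two can be logged into as a user that does not exist. The table contents and hash string are constructed.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a POS application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('clerk', 'constructed-hash-of-clerk-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    """The defect a penetration test looks for: user-supplied strings are spliced into the
    SQL text, so a quote character in the input changes the query's meaning."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, password_hash))
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username: str, password_hash: str) -> bool:
    """Parameterised query: the driver passes the inputs as values, never as SQL text."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# The textbook probe a tester sends: a tautology in place of the credential.
INJECTION_PROBE = "' OR '1'='1"


def is_injectable(conn, login_fn) -> bool:
    """True when the probe logs in as a non-existent user, i.e. the query was manipulated."""
    return login_fn(conn, "no-such-user", INJECTION_PROBE)


if __name__ == "__main__":
    conn = make_demo_db()
    print("string-built query injectable:", is_injectable(conn, login_vulnerable))
    print("parameterised query injectable:", is_injectable(conn, login_hardened))
```

In the vulnerable version the probe turns the WHERE clause into `username = 'no-such-user' AND password_hash = '' OR '1'='1'`, which is true for every row; in the hardened version the same text is compared literally against the stored hash and matches nothing. A code review (the third test type the article lists) would flag the `%` formatting in the first function for exactly this reason.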
As “trusted advisors” to SMB retailers, VARs should not only put into place measures and technologies for guarding POS systems against compromise, but also communicate to them, in the course of sales meetings, follow-up visits, e-mail blasts, and similar vehicles, the scope of each potential problem and how individual solutions and strategies (e.g., PCI DSS compliance, firewalls, two-factor authentication, etc.) contribute to the attainment of security goals.
Education for merchants and resellers alike is now available from some third-party sources. For example, Trustwave has launched a Security Awareness Education Program that has been customized for various employee and organizational types, SMB merchants among them. Organizations can select from a range of courses, from mandate-specific compliance best practices to general security best practices, such as establishing strong, effective passwords and recognizing and avoiding common traps like spear phishing attacks and targeted malware. A purpose-built course for small merchants covers how to recognize common security threats, identify data breaches and train employees on steps to take should a breach occur.
To combat growing attacks on web applications, the company has introduced a full suite of secure code development courses designed for software developers; the curriculum introduces them to theory and best practices around planning, writing and testing secure code.
Moreover, resellers themselves would do well to impart upon clients concrete instructions for responding to data and other POS security breaches once they have occurred. On the technology side, experts advocate that affected systems be isolated, with Internet access disabled immediately. Removing compromised systems from the network (for instance, by unplugging their network cables but not powering the machines off) should come next. However, clients must not otherwise tamper with the equipment, as doing so may later be construed as an attempt to conceal a lack of PCI compliance or the like.
Beyond the realm of the technology itself, counsel customers to keep all available logs, such as those pertaining to the firewall, IDS, web server, operating system and remote access. These may prove helpful in identifying the source and extent of the attack. A separate, detailed log of events, observations and actions taken after the compromise has occurred or is suspected to have occurred should be created; it should preferably be in the form of a timeline.
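The two record-keeping steps above, preserving the logs and keeping a separate timeline, benefit from a little tooling so that a client can later show the preserved copies were not altered. The following is an added example, not code from the article or any vendor it cites: it records a SHA-256 for each collected log at collection time, re-checks those hashes on demand, and keeps a timeline of observations and responder actions that sorts itself into chronological order however entries arrive. The log excerpts, timestamps and addresses are constructed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed excerpts standing in for the firewall, remote-access and OS logs the article says to keep.
COLLECTED_LOGS = {
    "firewall.log": b"2012-09-14T02:11:07Z DENY tcp 203.0.113.5:51022 -> 10.10.20.15:3389\n",
    "remote_access.log": b"2012-09-14T02:13:40Z session opened for user posadmin from 203.0.113.5\n",
    "os_security.log": b"2012-09-14T02:15:02Z new service installed: example-svc\n",
}


def build_manifest(logs: dict) -> dict:
    """Record a SHA-256 for each preserved log at collection time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in logs.items()}


def altered_logs(logs: dict, manifest: dict) -> list:
    """Names of logs whose current content no longer matches the manifest (empty list means intact)."""
    return sorted(name for name, data in logs.items()
                  if hashlib.sha256(data).hexdigest() != manifest.get(name))


class IncidentTimeline:
    """The separate, chronological record of events, observations and actions taken."""

    def __init__(self):
        self._entries = []

    def add(self, when: str, kind: str, note: str) -> None:
        # ISO 8601 with explicit UTC so entries from different sources sort unambiguously
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        self._entries.append((ts, kind, note))

    def entries(self) -> list:
        return [(ts.isoformat(), kind, note) for ts, kind, note in sorted(self._entries)]


def build_sample_timeline() -> IncidentTimeline:
    """Constructed timeline: observations drawn from the logs above plus the responder's
    own actions, added out of order as they would be during a live incident."""
    tl = IncidentTimeline()
    tl.add("2012-09-15T09:30:00Z", "action", "Internet access disabled for POS VLAN")
    tl.add("2012-09-14T02:13:40Z", "observation", "remote-access login for posadmin from 203.0.113.5")
    tl.add("2012-09-15T09:32:00Z", "action", "POS terminals unplugged from network, left powered on")
    tl.add("2012-09-14T02:15:02Z", "observation", "unknown service example-svc installed on POS-3")
    return tl


if __name__ == "__main__":
    manifest = build_manifest(COLLECTED_LOGS)
    print("altered:", altered_logs(COLLECTED_LOGS, manifest))
    for entry in build_sample_timeline().entries():
        print(*entry)
```

Writing the manifest to a medium the compromised hosts cannot reach (or handing a copy to the acquirer or investigator) is what makes the later check meaningful.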
Admittedly, creative hackers will continue to devise new means of compromising retailers’ POS systems. Staying one step ahead of them via a combination of technology and education may not eradicate problems entirely, but it will go a long way in deterring thieves.