Posted Date: 7/30/2012

RetailNOW: The High Cost of POS Security Failures

Solution providers were given a wake up call about the perils of point-of-sale security breaches, on Monday, at RSPA's RetailNOW convention. Secret Services Agent Jason Berryhill, a POS fraud specialist, addressed the packed audience and dropped some very serious statistics.   

For example, Berryhill explained how one small business discovered that malware had been running on its POS system for six months, leading to $155,000 in fines assessed by credit card associations, the shuttering of one of its restaurants and the loss of eight full-time employees.

"In the past few months there have been three separate POS compromises involving 3500 individual locations," Berryhill said. "All three instances occurred because of bad passwords or remote access. Cost for fraud reimbursement and other damages was $240,000 per incident."

Potential vendor liability has spiked from $138 per record in 2005 to $214 per record in 2010.

According to Berryhill, merchants are the weakest links. Retail and food and beverage businesses accounted for 75 percent of the breaches in 2010.

"Software POS systems are the path of least resistance," Berryhill said. "POS attack methods are consistent across targets—they are cookie-cutter attacks performed in mass. Attackers scan IP address ranges for POS signatures—targets of opportunity—and there is no shortage of targets."

Berryhill cited the following as key methods of hacking a POS system:

• Easy access to system through remote access tools such as pcAnywhere on the back-of-house server for support
• Lack of firewall allows access to Windows RDP or terminal services
• Default vendor supplied credentials in use for OS and remote applications

While there is no way to completely bulletproof a POS from hacker attacks, Berryhill offered these suggestions on how VARs can help their clients secure their solutions.

• Disable unnecessary remote connections
• Maintain network systems logs
• Enforce strong two-factor authentication
• Immediately disable terminated accounts
• Keep patches and antivirus up to date
• Regular network penetration testing

Integrators can also educate retail customers on security services such as end-to-end encryption and the more popular tokenization. Beyond that, simply educating employees on the need for system-enforced password policies (routine password changes) can go a long way towards securing a POS.

The secret service has forged new relationships with private sector entities and scholars to increase the resources, skills and vision by which local, state, and federal law enforcement team with prosecutors to combat cyber crime.

To help, RSPA has formed CARDS [Coalition of Associations for Retail Data Security] to build a technology roadmap for resellers and vendors, build legislative outreach, and guide merchants to RSPA certified resellers to work with.

"Why the hell is the PCI council saying that 100 percent of PCI breaches are [the fault of solution providers]?" Joe Finizio said. "It's our responsibility to make sure that our clients are taken care of."

Click Here to learn more about CARDS