Point of sale systems at risk from underlying vulnerabilities
Last week we reported on the PoSeidon malware threatening credit card security by stealing transaction details.
Charles Henderson vice president of managed security testing at information security specialist Trustwave believes that there's a bigger underlying problem with the way retailers implement PoS systems putting them at risk.
Card transactions have always been the subject of attacks going right back to skimming details by stealing the carbons from old-style card machines. As technology has advanced they've progressed through physical mods made to electronic card readers to malware on back office systems, allowing attacks to become more virtual. While new technologies like chip and pin make it harder to create cloned cards but don't protect details at the point of sale.
Henderson warns that retailers are failing to take some basic precautions that would help protect them from attacks, for example, "One of the most popular makes of PoS terminal has a six-digit default password which has been the same since 1990 and was published on news groups back in 1994. Yet of the terminals we test 90 percent are still using that default password".
By failing to fully test their deployment retailers are leaving themselves open to attack. Yet as Henderson points out, "Averaged out of the number of PoS terminals deployed testing isn't a big investment as you only need to test one of each type". Modifications to systems can introduce vulnerabilities too and any changes need to be properly tested before deployment.
Rather than react to new pieces of malware like PoSeidon, businesses should look towards closing the loopholes that allow them to get onto their systems. "The industry hasn't learned from parallel technologies -- routers for example -- which are now mostly supplied already secured," says Henderson. Back office systems need to be kept secure too as employees can inadvertently introduce malware by actions such as playing games or opening infected email attachments.
In order to combat attacks he recommends a three pronged approach: network segmentation and security testing, user security awareness training, and anti-malware technology as a backstop.
More information on threat and vulnerability management is available on the Trustwave website.