We recently published a briefing on the subject of securing ATM networks that includes a lot of information that will be valuable to banks, payment card companies, retailers, and any other organizations whose business involves ATMs. You can check out that document here.
As a companion piece to the ATM security briefing, we wanted to share some complementary information, this time focusing specifically on security concerns related to Point-of-Sale (POS) terminals. POS terminals are even more ubiquitous than ATMs, and are especially appealing to attackers for a number of reasons. Many of their security issues are shared with ATMs, but POS terminals also have some unique vulnerabilities.
Thieves target POS terminals in order to steal the personal information held in customers’ payment cards, which they then use for a quick profit or to commit identity theft. POS is a vulnerable point of attack because in most systems, payment card data is briefly unencrypted as it is transmitted. POS malware can exploit this point in the process with a technique called ‘RAM scraping’, which steals the data directly from the terminal’s memory. Like ATMs, POS terminals often run Microsoft Windows, which many malware variants are designed to attack. In all, there are more than 10 families of POS malware, each with its own variants, and more are discovered each year.
Transmission networks are also vulnerable to malware, as are servers that manage POS terminals. Attacks on the latter exploit Wi-Fi networks in order to infect multiple POS terminals at once—sometimes compromising an organization’s entire POS network. Server-level attacks often rely on social engineering to gain a foothold in the company’s systems, gathering information and building access to be used in the attack.
In our piece on ATM security, we described how thieves used ‘skimmers’ in ATM card reader slots to steal data. POS terminals are also a popular target for this type of attack. POS terminals are the vulnerable endpoints of a company’s security infrastructure, often guarded solely by the divided attention of a cashier or sales associate. Because POS terminals are so exposed, it is relatively simple for thieves to distract employees and gain physical access for a few moments.
In some cases, the entire card reader will be swapped for a device that stores the data from every card that is swiped through it. This method depends on the thieves being able to return and remove the device in order to exfiltrate the data.
Another method, which has recently been seen in a wave of attacks against self-checkout terminals, is to place an ‘overlay’ skimmer on top of a card reader and pin pad. These devices look nearly identical to the genuine terminal, and use electronic components such as Bluetooth capability on the inside of the skimmer to transmit card data and PINs to a nearby device.
In 2014, Target was the source of the largest data breach in American retail history, with 40 million payment card numbers stolen, and 70 million people’s personal information compromised. While malware was the ultimate tool used to steal the data, the breach required multiple lines of attack, making it a valuable case study for the many ways POS systems can be targeted.
After presumably researching publically available information about Target’s security infrastructure, POS system information, and supplier portal, the attackers targeted a third-party vendor. The vendor, a refrigeration contractor, was compromised via a phishing email, which the attackers used to steal login credentials for Target’s vendor portal. The exact nature of the next steps is unknown, but the attackers somehow leveraged this access in order to take control of Target’s servers.
The attackers then used malware to infect Target’s POS network, using a complex RAM-scraping technique in order to steal payment card information. The malware was so sophisticated that it could steal data from POS terminals that didn’t even have internet access by sending data via TCP ports to dump servers inside the network.
This elaborate attack illustrates the lengths attackers will go to get their hands on lucrative payment card information, and the daunting task of securing every possible avenue for attacks against POS systems.
The ubiquity of POS terminals makes them very difficult to protect. As high-value targets that are vulnerable to myriad types of attacks, they will continue to be a constant target for hackers and thieves. D3 is the only full-lifecycle incident management platform that gives you the tools you need to centralize, streamline, and standardize your incident response to both cyber and physical threats. Read our eBook on ATM security to learn more about how to secure the vulnerable endpoints of your infrastructure.