Cybercriminals are increasingly targeting insecure point-of-sale systems, a common weakness in the defences of retail IT security and the hospitality industry. But one expert says new industry standards such as PCI PTS should help mitigate the problem.
We are hammering home the message that you must not use default passwords.
European directorPayment Card Industry Security Standards Council
The rise in point-of-sale attacks is highlighted in the Trustwave Global Security Report 2011 from Trustwave Holdings Inc. The report details the findings of more than 250 security breach investigations and 2,500 penetration tests that it carried out through its SpiderLabs professional services arm.
John Yeo, director at SpiderLabs EMEA, said: "Most retailers do not have local IT support staff in their shops and so they rely on having remote access to maintain and update their point-of-sale systems."
In the cases that Chicago-based Trustwave has investigated, he said, some of the systems still had their vendor-provided default password, or some other simple password that was easy to crack. "They rely on single-factor authentication, and are often managed by third-party companies for whom security is not a top priority."
As the Trustwave report explains, third-party management companies are rarely responsible for security of the system in its entirety, but only a subset of controls. Businesses are often not aware of this gap between a third party's responsibilities and its own responsibilities, and for that reason, they fail to monitor important threat vectors .
"Taking advantage of this large gap," the report reads, "criminals can easily access and exfiltrate thousands of customer records without the business owner realising a breach and/or theft has occurred.".
According to Yeo, weak authentication often allows hackers to target retailers and infiltrate their corporate networks. They can then harvest payment card details and retrieve them at a later date. "In the cases we have worked on, 75% of the targeted assets have been point-of-sale systems," he said.
Jeremy King, European director for the Payment Card Industry's Security Standards Council (PCI SSC), acknowledged that there has been a problem with some POS systems in the past.
"This is one of the things our new PTS standard is looking to address," he said.
The PIN Transaction Security (PTS) requirements form part of the SSC's programme to raise standards of card data handling, focusing on the security of point-of-sale terminals and the standard implementation of data encryption.
"The open protocol will ensure you are not using default passwords. We have occasionally seen vendors who should know better buying in a communications package and not putting it through their security process. With the new PTS [requirements] we can protect against that. We are hammering home the message that you must not use default passwords."
But Trustwave's Yeo warned that it will take a while before the new PTS standards are widely deployed. "PTS will make a difference eventually, but there is a lot of legacy kit out there and it's not going to be replaced overnight," he said. "It's not going to change the industry today, or even next year."
Further illustrating the seriousness of insecure point-of-sale systems, in 16% of the Trustwave report's cases attackers were able to propagate to other retail branches through site-to-site internal network connections, such as MPLS. In some cases, networks allowed shared connectivity between locations, which made it easy for the criminals to spread their nets. As the report concludes: "A few hours of additional analysis and planning to develop simple network access rules could have prevented this type of propagation."
Trustwave's report suggests that a single organised crime gang was responsible for 36% of all the data breaches it investigated. Although some company-sensitive data and trade secrets were the target of a few attacks, payment card data remained the most popular prize for criminals, targeted in 85% of all attacks.
Yeo said traditional antivirus products were poor at detecting this new breed of targeted attack, mainly because much of the code is customised for the particular victim. "Hackers test out their code against AV programs precisely to ensure they can evade detection," he said.
Behavioural detection techniques, which are being added by AV vendors to increase their products' effectiveness, are also limited, according to Yeo. "The criminal's software does not arouse suspicion. It just sits there. It may dump the content of memory or sniff network traffic, but these are all tools the network administrator might use, too, so it's not seen as suspicious. They are all legitimate functions."