Verizon data breach report highlights continuing POS vulnerabilities

Improperly secured point-of-sale systems continue to offer an easy target to cybercriminals according to the 2012 data breach report from Verizon.

Poorly protected point-of-sale (POS) systems continue to provide cybercriminals with an easy means of stealing information.

According to the 2012 Verizon Data Breach Investigations Report (DBIR) released today, badly configured POS systems are a major soft target for automated attacks launched by criminals over the Internet.

The report stated, “Organized criminal groups targeting payment card information from Internet-facing POS systems or physically exposed ATMs and gas pumps can launch a sting against hundreds of victims during the same operation.”

The Verizon DBIR 2012 analysis was based on 855 breaches and 174 million stolen records. These included cases handled by the Verizon RISK team and other cases contributed by the US Secret Service, the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, and the UK’s Police Central e-Crime Unit.

The report noted organised crime gangs are beginning to launch POS attacks at smaller organisations that tend to be less defended than large companies, and unguarded POS systems present an easy target.

“For several years this [POS] has been top of the list for compromised assets. This is a favoured method of the organised criminal groups,” said Wade Baker, director of risk intelligence at Verizon.

Although many organisations recognise they have a problem with POS vulnerabilities, he said, they find it hard to manage. “Companies know what they need to do, but it’s hard when you have thousands of systems, often managed by different departments, and in different regions of the world.”

Automated attacks are possible because many POS systems are left with their default credentials after installation, he said. The systems are also often connected to the Internet so third-party support companies can maintain them remotely, which then leaves them open to automated scanning attacks.

“The whole attack can be automated from start to finish,” Baker said. “We’ve seen attacks that just scan the Internet until they find an open port to a POS system. They try the various default usernames and passwords, and then get a program to start installing malware that captures commercial transaction data, and exports that captured data to a remote server. Many times, the criminals’ first actual involvement is opening the exported data on that remote server to see what they’ve captured.”

The report detailed one such case in the US where a gang based in Eastern Europe was able to steal details of at least 112,000 payment cards from outlets in a retail chain that all had the same payment terminal systems, all with similar login credentials.

Amir Azam, a consultant with London-based security consultancy Procheckup, said the problem of poorly configured POS systems is widespread. Companies installing POS systems tend to leave it to the client to set usernames and POS passwords, while the customers themselves are generally just happy to have the systems up and running.

In large companies with multiple stores, he said, POS systems often use the same login credentials. This means once criminals have penetrated one store, they can easily access the rest. In smaller retailers, Azam added, companies often use their POS systems for other applications, such as sending emails or surfing the Internet, which breaches the PCI DSS standard.

“They know they shouldn’t do it, but they have few resources, and so the POS often doubles up as their personal computer as well,” Azam said.
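As an added illustration that is not part of the article or of the Verizon report, the following Python script runs a simple detection over constructed POS remote-access login records: it flags a source address that guesses repeatedly before succeeding on a terminal (the default-credential pattern Baker describes) or that logs in successfully to more than one store (the shared-credential problem Azam describes), excluding an assumed allowlist of support-vendor addresses. The log format, store numbers and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the report): remote-access login events
# from POS terminals at several stores, one event per line.
SAMPLE_LOG = """\
2012-03-20T01:02:11 store=101 src=203.0.113.7 user=admin result=FAIL
2012-03-20T01:02:12 store=101 src=203.0.113.7 user=administrator result=FAIL
2012-03-20T01:02:13 store=101 src=203.0.113.7 user=pos result=FAIL
2012-03-20T01:02:14 store=101 src=203.0.113.7 user=admin result=OK
2012-03-20T01:05:40 store=102 src=203.0.113.7 user=admin result=OK
2012-03-20T09:30:00 store=103 src=198.51.100.5 user=svc_support result=OK
2012-03-20T10:00:00 store=104 src=198.51.100.5 user=svc_support result=FAIL
"""

LINE_RE = re.compile(r"(?P<ts>\S+) store=(?P<store>\d+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Assumed allowlist: addresses the third-party support vendor connects from.
SUPPORT_ALLOWLIST = {"198.51.100.5"}


def parse(log_text):
    """Turn the raw lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def find_suspicious_sources(events, fail_threshold=3):
    """Return {src: [stores]} for non-allowlisted sources that either
    (a) failed fail_threshold+ times before succeeding on one terminal
        (default-credential guessing), or
    (b) succeeded on more than one store (credentials shared across sites)."""
    fails = defaultdict(int)      # (src, store) -> failures before first success
    successes = defaultdict(set)  # src -> stores where a login succeeded
    flagged = defaultdict(set)
    for e in events:
        key = (e["src"], e["store"])
        if e["result"] == "FAIL":
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            flagged[e["src"]].add(e["store"])
        successes[e["src"]].add(e["store"])
    for src, stores in successes.items():
        if len(stores) > 1:
            flagged[src].update(stores)
    return {src: sorted(stores) for src, stores in flagged.items()
            if src not in SUPPORT_ALLOWLIST}
```

On the sample data, `find_suspicious_sources(parse(SAMPLE_LOG))` reports only the non-allowlisted address, with both stores it reached; in practice the allowlist and threshold would come from the retailer's own support arrangements.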