Ways cybercriminals target cards through POS terminals
The rising trend in data breaches continues to angle upwards, and as a result, there has never been a more precarious time in history to launch and maintain a successful business. In other to prevent the recurrence of mistakes that result in data breaches, we have to stay updated with current information regarding new techniques employed by cybercriminals to compromise credit and debit cards.
According to the latest IBM data breach report, the global average cost of a data breach is $3.26 million—up 6.4 percent from 2017. Data breach costs increased significantly year-over year from 2020 report to the 2021 report, increasing from $3.86 million in 2020 to $4.24 million in 2021, and the increase of 0.38 million ($380,000) represents a 9.8% increment. The average cost for each lost or stolen record containing sensitive and confidential information is $161, an increase from $146 per lost or stolen record in the 2020 report.
Of note are point-of-sale data breaches, which are a serious concern for businesses as they can lead to a lack of trust from consumers and a crippled system that could cost a fortune to fix.
A magnetic stripe card is a type of card capable of storing data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on a card. The magnetic stripe cards are commonly used in credits cards, identity cards, and transportation tickets. The point of sale (POS) or point of purchase (POP) terminal on the other hand is a hardware system for processing card payments at retail locations.
Software to read magnetic stripes of credit and debit cards is embedded in the hardware. When a credit card is used to pay for something, a conventional point of sale (POS) terminal first reads the magnetic stripe to check for sufficient funds to transfer to the merchant, and then makes the transfer.
The sale transaction is recorded and a receipt is printed or sent to the buyer via email or text. Merchant can either buy or lease POS terminal, depending on how they prefer to manage cash flows. At the point of sale, the merchant calculates the amount, owed by the customer, indicates that amount, then prepare an invoice for the customer and indicate the option for the customer to make payment.
The point of sale is often referred to as the point of service because it is not just a point of sale but also a point of return to customer order. POS terminal software may also include features for additional functionality, such as inventory management, Customer relationship management (CRM), financials, or warehousing.
In recent update, more and more reports have surfaced about data breaches impacting millions of consumers. Many of these data breaches involve a business’s point of sale. The main objective of point of sale (POS) breaches is to steal your 16-digit credit card numbers.
Read: Again Ghana takes Nigeria’s lunch; to host multi-billion dollar Green Exchange
Sixty percent of Point of Sale (POS) transactions are performed via credit card, which means a big business for cybercriminals, and individual credit cards can be sold for up to 100 dollars apiece in the dark web. The industries most affected by POS data breaches are usually restaurants, retail stores, grocery stores and hotels.
As humans’ dealings with cash transactions is increasingly submerging, the adoption of POS services becomes very prevalent, and one of the most obvious compelling reasons is that POS system does away with the need for price tags. Selling prices are usually linked with the product code of item when adding stock, so the cashier only have a few job to do; to scan this code and process the sale of the product.
If there is a price change, this can also be easily done through the inventory window. Other advantages include the ability to implement various types of discounts, loyalty scheme for customers, and more efficient stock control, this functions are usually typical of almost all modern ePOS system.
As the advantages of the electronic transactions of POS continue to trend, cyber-criminal has also developed gateways to infiltrate this development.
According to a report published from bleep computers, December 2021 shows that Credit card info of 1.8 million people was stolen from sports gear sites.
A POS system exploits is similar to a vulnerable computer intrusion. Cyber criminals gain access to the system by installing a monitoring device called BlackPOS. BlackPOS is a spyware, created to steal credit and debit card information from the POS system.
The BlackPOS gets into the PC with stealth-based methods and steals information to send it to some external server. Small and medium-sized businesses are easy targets for cyber criminals because they are simpler for these criminals to access, and generally have more lax security and policies than a larger corporation.
The POS systems that these companies use to ring you up are basically computers that often run on Windows, and are as susceptible to the same threats that a regular Windows-based computer is vulnerable to. The credit card data is first stored on the machine, unencrypted for processing purposes. When malware finds its way onto the machine, it goes after the unencrypted stored payment information. The malware collects the data and then sends the information to a remote server.
With so many threats to POS systems, as well as the amount of new malware being created, the uproar of data protection becomes challenging. That’s why retailers and business owners must take special precautions when it comes to the use of credit and debit cards in the PoS system.
Now let us look at how attackers can gain access to escalate privileges and how we can protect against it.
Attackers could gain access to the devices to manipulate them in one of two ways. Either they’re able to physically gain access to the PoS terminal, or they’re able to remotely gain access via the internet and then execute arbitrary code, buffer overflows and other common techniques that can provide attackers with an escalation of privileges and the ability to control the device – and see and steal the data that goes through it.
Remote access is possible if an attacker gains access to the network via phishing or another attack and then moves freely around the network to the PoS terminal. Ultimately, the PoS machine is a computer and if it’s connected to the network and the internet, then attackers can attempt to gain access to and manipulate it like any other insecure machine.
In order to protect against attacks exploiting PoS vulnerabilities, it’s recommended that retailers using the devices ensure they’re patched and up to date, and they should avoid using default passwords where possible.
It’s also recommended that, if possible, PoS devices are on a different network to other devices, so if an attacker does gain access to the network via a Windows system, it’s not as simple for them to pivot to the PoS devices.
The PoS systems run on a modified version of Windows, meaning that the computer can be vulnerable to attack like other Windows devices. And while most Windows systems on a network should be receiving regular security patches to ensure they can’t fall victim to attack, it’s all too easy for the PoS terminal to be forgotten about.
A report by the Information Commissioner’s Office pointed to “systematic failures” in how the retailer safeguarded personal data and managed the security of its networks – including the failure to patch systems against known vulnerabilities.
(Verizon’s 2015 Data Breach Investigations Report reveals that POS-related incidents accounted for 28.5 percent of all breaches that happened in 2014).
Common mistakes that can be made by small business owners when it comes to protecting their customers’ user data include storing it in the same location where the encryption information is stored is a very common mistake. This makes it very easy for hackers to access all the data that they need with a single swipe. A simple solution to this would be keeping the encryption data separate from the user data.
Another mistake is using a corporate network for sending security and system updates to all POS devices. This is a common practice that puts a lot of businesses at risk. It is extremely easy for hackers to gain access to computers, networks, and POS systems when corporate networks are not protected by professional security set-ups. For small businesses, a good solution is opting for multifactor authentication systems and to never run the POS systems on the public Wi-Fi network.
Some of the best practices to secure your system and prevent a POS intrusion is to Install antivirus software to constantly scan for viruses or malicious files, use encryption In the incident where cyber thieves installed payment-stealing malware onto the retailer’s POS system, this tactic often disguises data as it’s shared across networks, which makes it extremely difficult to hack, monitor terminals with video surveillance to take surveillance above all POS terminals to prevent skimmers on your POS terminals, secure your network to prevent POS intrusions, secure all networks with a strong password and consider setting up a segmented connection for even more protection, implement a POS monitoring service to identifies cashier infractions as they happen by sending video clips and POS data based on the exceptions specified, like Cashier in and out, Drawer openings without a sale, etc. Physically secure your POS device to receive an immediate notification in the event of a break-in, Keep all POS software up to date, and teach employees how to spot suspicious activities.
Ibenu, a Researcher, an assistant professor of Computer Science/Security at Escae-Benin University of Science and Technology, writes from Lagos, Nigeria.