A detailed look at POS system security and where they’re vulnerable
Point of sale (POS) technology has been around for many years starting with the cash register in late 1800s and early 1900s. With the advent of better computing capabilities, Internet and connected systems, POS systems were modernized in the 1970s and 1980s to leverage advancing technology. Even those systems would be unrecognizable today, as a new generation of connected POS systems can be found everywhere – from large retailers to farmer’s market stands.
Unfortunately, these new, connected POS systems suffer from the same security vulnerabilities that impact other connected devices. In fact, many retail organizations have been victims of security breaches that target consumer payment card data and were orchestrated against the POS system. One of the most recent examples being the PoSeidon malware attacks, which utilized malicious software to secure credit card data from POS systems. Additional information about those attacks can be found HERE.
With these new POS system vulnerabilities and breaches occurring, many companies are looking for better solutions and improved defenses. But to understand how these solutions can help secure POS systems, we must first look at how these POS systems and transactions work, so we can identify vulnerabilities in the process.
How Point of Sales Transactions Work
Here is how a typical credit or debit card transaction through a POS system works:
A consumer with a credit or debit card uses it to make a purchase via a POS system at a retailer, hotel, restaurant or other merchant. The POS system sends the swiped card data to the merchant’s bank (acquiring bank) that then sends the data to the payment brand (ie: VISA, MasterCard, etc) who in turn send this to the card holder’s bank (or issuer).
Upon receipt, the issuer checks the card details to verify the validity of the card and – if all is well – sends an authorization code to the payment brand. The payment brand forwards the authorization code to the acquirer, which in turn forwards it to the merchant. Once the merchant gets the authorization code, it approves and completes the sale. Cardholders then get a bill from the issuer – which they begrudgingly need to pay – thus completing the end-to-end cycle.
This is a very involved process that involves credit card information passing hands multiple times. Each time this sensitive information passes hands, there is a chance for a bad actor to intercept it and gain payment card information.
Now that we understand the process, we can take a closer look at each of these individual vulnerabilities.
Point of Sales Vulnerabilities
As we discussed, there are many connections in this payment process. Some of which are more vulnerable than others.
The internal networks of banks and the payment brands are very well protected. This makes them harder to infiltrate and, subsequently, less favorable targets for bad actors. However, there are more vulnerable parts of the process, including anytime the consumer interacts with the bank, the customer interacts with the merchant, or the merchant interacts with the bank. The internal merchant network is also vulnerable to attack.
When this process was first established, the most targeted component was the consumer. Bad actors would steal credit cards and bank statements from a user’s mail to get access to consumer card details and create duplicate cards. The card holders were also vulnerable to malicious retail employees swiping their cards into card skimmers to grab credit card data.
Merchant systems have progressed and evolved significantly since those early days, when each individual POS terminal was directly connected to the acquirer through dialup. Today, a typical POS setup in a merchant looks much different. These more complex merchant payment systems include individual terminals that connect to a complex, on-premises network and have a consolidated connection to the acquirer networks.
The increased sophistication of these new systems has resulted in more sophisticated POS hacking and attacks.
Each POS terminal has a POS terminal with card scanner, some internal memory for temporary storage, long term disk storage, and a payment client app which communicates with the payment server at the acquirer. Many of these parts can be compromised.
When you consider vulnerabilities in POS systems, there are three key areas of importance: data in memory, data in transit, and data at rest. Card data exists in all three of these states as is makes it way through the payment system, creating the following vulnerabilities:
- If the POS terminal has a tampered card scanner, it could skim the card data and send it to a malicious device that can gather this data and send to the perpetrators. This is one point of vulnerability.
- If the terminal’s card scanner is clean, there are still risks. When a card is scanned at the POS terminal, the card data is kept in temporary memory. This is another point of vulnerability.
- The card data is then transmitted from the POS terminal to the in-store payment client. This is another point of vulnerability.
- Finally, when card data is stored in local servers in the merchant data stores, it is data at rest. If that data is not protected properly, it is another point of vulnerability.
Traditionally the data is in the clear until it is encrypted and sent to the acquirer. This allows bad actors to create malware, which – once installed at the right places – can use memory scraping to acquire the data.
Now that we’ve identified where the vulnerabilities lie in a POS system and terminal, we can take a deeper look at how bad actors inject malware into these POS systems to exploit these vulnerabilities, and how we can take steps to better secure them. In my next post on Access Granted, I’ll detail the process bad actors take to install malware into POS systems, and discuss ways to better protect consumers.