How hackers attack POS systems, and how to better protect them
In a previous post on Access Granted, I took a detailed look at the POS systems in place across most retail, hospitality and restaurant operations today. I also discussed – in detail – the system in which credit card transactions are processed, and the places in which that system is vulnerable to attack.
I’d now like to take a closer look at how these bad actors hack and inject malware into these POS systems to exploit those vulnerabilities so that we can identify ways to secure them.
Hacking POS Systems
Regardless of the type of malware, a typical POS attack methodology is as follows:
- The perpetrators first scan the internet for pcAnywhere, VNC, and RDP ports. These are common tools that are used by administrators to remotely access their offices and work environments, leaving them vulnerable. Once the perpetrators find these tools active with vulnerable versions, they have a valid target.
- Perpetrators then exploit the vulnerable versions through various methods, including brute force password guessing.
- Once they succeed in identifying the login credentials, they have instant admin access to the entire POS environment. Once in, they drop keystroke recorders, network sniffers, memory scrapers and malware capable of acquiring credit card data.
- The malware then finds and extracts the card data and sends the stolen data – undetected – to the perpetrator’s servers by obfuscating it and utilizing throttled transfer rates over a period of time.
With the points of vulnerability identified and the process for hacking POS systems established, let’s look at some ways to eliminate these vulnerabilities and provide peace of mind for consumers.
The Possible Solution
The vulnerabilities in the payment system and the methods of hacking POS systems aren’t secret, and they’re certainly not new. These have been around for as long as today’s advanced POS systems have been in use.
That being said, POS system manufacturers, merchants and other stakeholders have worked to eliminate vulnerabilities and make the process more secure over the years. Unfortunately, the changes that have happened in the payment industry have been to strengthen the individual components – and the connection points between components – of the payment flow.
The improvements haven’t been holistic changes to the systems or process that could eliminate vulnerabilities altogether. Despite all the strengthening and tightening of the controls, the basic flow has not evolved, and the weakest point in the entire payment process is still the consumer-to-merchant link.
To eliminate vulnerabilities in the consumer-to-merchant link, we need to establish an out-of-band approach for authorizing and authenticating purchases. If a token, passcode or other form of authentication was required to be submitted via a different device than the POS system, there’s no way that it could be detected and stolen via the malware on the infected system. This creates another layer of security that essentially eliminates the possibility that all necessary factors for a transaction to proceed can be stolen by hacking a single device.
Then there’s the authentication on pcAnywhere, VNC, and RDP ports. Utilizing a single factor for authentication leaves them vulnerable to attack and exploitation through simple password guessing. By implementing multi-factor authentication that is also out-of-band, merchants can better secure these vulnerabilities in their networks and make it harder for bad actors to inject malware in the first place.
The steps taken to strengthen the payment process have been well-intentioned, but ultimately ineffective. The news is still filled with almost daily reports of new high-profile retail breaches. To eliminate this issue altogether, a more effective, comprehensive solution needs to be identified, and the existing payment process needs to be reevaluated. It is time to think of an out of band approach to start addressing the security in a payment network and help eliminate the fraud we continue to see despite the so-called “security improvements” in the payment industry.
Authomate’s StrongPass solution delivers authentication that is completely out-of-band, strong and easy to use. For additional information about Authomate’s authentication solutions, go to www.authomate.com. To try out StrongPass, click HERE.