Point of Sale Security breaches: Who finds them, how, and when?

POS Security Testing

By: Declan O’Riordan, Head of Security Testing, TVS

Breaches usually involve the theft of one or more of the following types of data: bank, personal, payment, credentials, or other confidential information. Financially-motivated criminals seek out data that is easily converted to cash, such as bank information and payment cards, while espionage groups target internal corporate data and trade secrets. Both groups also target authentication credentials for user impersonation.

Ten years ago, fewer than 75% of breaches led to data compromise within a day. Last year the figure had risen to over 90%, and the trend is upward: attackers keep getting quicker at succeeding. Unfortunately, the proportion of breaches discovered within a day has almost flat-lined at around 20%, so most attackers have plenty of time to exploit their success.

Nine attack patterns describe 95% of breaches over the last three years and 92% of all security incidents over the last ten years. Those classifications are: POS intrusions, web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, Denial of Service attacks and cyber-espionage. Then there’s everything else.

Looking at Point of Sale (POS) intrusions, there is a disturbing statistic for IT security stakeholders: in 99% of cases someone else told the business it had been hacked. Internal controls such as Intrusion Detection Systems (IDS) discovered only 1% of POS intrusions. The typical intrusion begins with attackers scanning the internet for open remote-access ports; when a scan identifies a POS device, they brute-force its login, connect, and install memory (RAM) scraping malware. The hub-and-spoke retail architecture then lets the malicious code traverse to every POS device in the estate, magnifying the effect. RAM scrapers grab payment card data while the transaction is being processed in memory, where it is unencrypted, and exfiltrate the payment details to the criminals via proxy IP addresses.
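What the RAM scraper is hunting for in process memory is magnetic-stripe track data, and a defender's memory-scanning hunt tool looks for exactly the same thing. The following is an added example, not code from the article or from TVS: a scan of a memory buffer for ISO/IEC 7813 Track 2 records, with a Luhn check to discard digit runs that merely look like card numbers. The memory contents are constructed here, and the card numbers are the well-known public test PANs, not real accounts.

```python
"""
Added example (not from the original article): scan a buffer of process
memory for Track 2 data. This is what a RAM scraper does after it lands
on a POS device, and what a defender's memory scan would flag. The
sample buffer below is constructed for the demonstration.
"""
import re

# Track 2 layout: ;PAN=YYMM SSS discretionary?  (PAN 13-19 digits,
# YYMM expiry, SSS three-digit service code, '?' end sentinel).
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Service codes whose first digit is 2 or 6 mark a card with an IC (chip).
CHIP_SERVICE_PREFIXES = ("2", "6")

# Constructed memory image: a little application noise, one valid record,
# one record that fails Luhn, one valid chip-card record and one record
# with no service code (which the regex correctly rejects).
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v3.2\x00TXN=00042\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00\x00\x00GARBAGE;4111111111111112=2512101?"
    b"\x00;5555555555554444=2701201?\x00\x00"
    b";9999999999999=2512?\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters random digit runs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as a hunt report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return one dict per Luhn-valid Track 2 record found in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue
        svc = m.group("svc").decode()
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp").decode(),
            "service_code": svc,
            "chip_card": svc[0] in CHIP_SERVICE_PREFIXES,
        })
    return hits


def scan_sample() -> list:
    """Run the scanner over the constructed memory image."""
    return find_track2(SAMPLE_MEMORY)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

On a real host the buffer would come from reading another process's memory (for example `/proc/<pid>/mem` on Linux or `ReadProcessMemory` on Windows), which is precisely why the RAM scraper needs the privileges a brute-forced remote-access login hands it. The same routine, run periodically by a defender against the POS process, gives the internal detection the statistics above say is almost entirely absent.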

Having obtained the bank and card details of the compromised customers, the hackers sell them on through the now-specialised criminal supply chain, and the foot soldiers start using the details to obtain goods and cash. Sooner or later law enforcement agencies pick up some criminals obtaining goods by deception and record the crimes. Eventually a pattern is noticed and the hack is discovered. In 75% of POS intrusions the notification came from law enforcement, in 14% from external parties’ fraud detection systems, and in 11% of cases from customers themselves. In 85% of cases the intrusion takes weeks to discover, in 13% months, and in 1% years.

In my opinion this is an appalling state of affairs, and it highlights the misdirected spending on network defences when more should be invested in application defences. If application sensors were added to applications, they would notify administrators when malicious activity is detected. But what if no one at HQ cares about the alerts, as happened at Target (the US retailer) in December 2013? There are still many layers of defence that could, and should, be applied:

  • Applications should be self-defending and reject malicious input.
  • Interconnectivity between stores and central locations should be treated as only semi-trusted.
  • Well-designed and securely coded multi-factor authentication, plus strong password implementations would significantly reduce intrusions.
  • Make it difficult for attackers to log into POS devices by means of secure authentication, access controls and session management.
  • Minimise the data brought into process memory and remove it as soon as possible.
  • Limit remote access to domains by third-party vendors (the entry point of the Target attack was a spear-phishing email to a member of staff at the air-conditioning and heating services contractor).
  • Restrict POS systems to POS-related activity only, not web-surfing or email!
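Two of the controls in that list can be shown concretely: making the remote-access login resist the brute-force step described earlier, and keeping card data in process memory for as short a time as possible. The following is an added example written for this page, not code from the article or from TVS. It is plain Python; the class and function names, the lockout thresholds, the test credentials and the `203.0.113.x` source address are all assumptions chosen for the demonstration, and the tokenisation key would in practice live in an HSM or key store rather than in the process.

```python
"""
Added example (not from the original article): a lockout-enforcing login
guard for a POS remote-access service, plus a card-data handler that
derives only what the application needs from the PAN and then wipes it.
All names, thresholds and sample data are assumptions for the demo.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumption: lock after five failures ...
LOCKOUT_SECONDS = 900   # ... for fifteen minutes
PBKDF2_ROUNDS = 100_000
TOKEN_KEY = os.urandom(32)   # assumption: a real deployment keeps this in an HSM/key store


class LoginGuard:
    """Password login with per-account and per-source lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so the lockout window can be tested
        self.users = {}                     # username -> (salt, PBKDF2 derived key)
        self.failures = defaultdict(list)   # "user:x" / "ip:y" -> failure timestamps

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, dk)

    def _recent_failures(self, key: str) -> int:
        cutoff = self.clock() - LOCKOUT_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def is_locked(self, username: str, source_ip: str) -> bool:
        # Lock on either counter: a spray from one address across many
        # accounts trips the ip counter, a slow guess at one account trips
        # the user counter.
        return (self._recent_failures("user:" + username) >= MAX_FAILURES
                or self._recent_failures("ip:" + source_ip) >= MAX_FAILURES)

    def login(self, username: str, password: str, source_ip: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account refuses even the right password."""
        if self.is_locked(username, source_ip):
            return "locked"
        record = self.users.get(username)
        # Unknown user: still pay for the key derivation so response time
        # does not reveal which usernames exist.
        salt, stored = record if record else (os.urandom(16), b"\x00" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop("user:" + username, None)   # ip counter deliberately kept
            return "ok"
        now = self.clock()
        self.failures["user:" + username].append(now)
        self.failures["ip:" + source_ip].append(now)
        return "denied"


def process_card(pan_buf: bytearray) -> dict:
    """
    Derive the last four digits and an HMAC token from the PAN, then zero
    the buffer in place. The caller must pass a bytearray: an immutable
    str/bytes could not be overwritten. This shrinks the window in which
    a RAM scraper can find the PAN; it does not remove transient copies
    the interpreter may make, so it is a minimisation, not a guarantee.
    """
    try:
        last4 = pan_buf[-4:].decode()
        token = hmac.new(TOKEN_KEY, pan_buf, "sha256").hexdigest()
        return {"last4": last4, "token": token}
    finally:
        for i in range(len(pan_buf)):
            pan_buf[i] = 0


class FakeClock:
    """Controllable clock so the demo can advance past the lockout window."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.add_user("pos-admin", "correct horse battery staple")
    src = "203.0.113.9"
    failures = [guard.login("pos-admin", "Password%d" % i, src) for i in range(MAX_FAILURES)]
    locked = guard.login("pos-admin", "correct horse battery staple", src)   # right password, still locked
    clock.now += LOCKOUT_SECONDS + 1
    after_expiry = guard.login("pos-admin", "correct horse battery staple", src)
    pan = bytearray(b"4111111111111111")   # public test PAN, constructed input
    card = process_card(pan)
    return {"failures": failures, "locked": locked, "after_expiry": after_expiry,
            "card": card, "wiped": bytes(pan)}


if __name__ == "__main__":
    print(demo())
```

The guard covers the brute-force and session-entry items in the list; multi-factor authentication and network segmentation of the store links are separate controls this example does not implement. The `process_card` routine is the memory-minimisation item: the settlement system keeps the token and the receipt keeps the last four digits, and the PAN itself is overwritten before the function returns.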

TVS has already described how to start building and testing secure applications – download the free white papers now.

Or would you prefer a policeman to call?

2015-01-06T11:05:05+00:00 | 2nd December, 2014 | Security, Thought Leadership