POS Security Testing

By: Declan O’Riordan, Head of Security Testing, TVS

Breaches usually involve the theft of one or more of the following types of data: bank, personal, payment, credentials, or other confidential information. Financially-motivated criminals seek out data that is easily converted to cash, such as bank information and payment cards, while espionage groups target internal corporate data and trade secrets. Both groups also target authentication credentials for user impersonation.

Ten years ago, less than 75% of breaches led to data compromise within a day. Last year the rate had risen to over 90% and the trend is upward, meaning attackers continue to succeed faster. Unfortunately, the proportion of breaches discovered within a day has almost flat-lined at around 20%, meaning most attackers have plenty of time to exploit their success.

Nine attack patterns describe 95% of breaches over the last three years and 92% of all security incidents over the last ten years. Those classifications are: POS intrusions, web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crime-ware, card skimmers, Denial of Service attacks and cyber-espionage. Then there’s everything else.

Looking at Point of Sale (POS) intrusions, there is a disturbing statistic for IT security stakeholders. In 99% of cases someone else told the business it had been hacked; internal systems such as Intrusion Detection Systems (IDS) discovered only 1% of all POS intrusions. Typically the intrusion begins with attackers scanning the internet for open remote-access ports; when a scan identifies a POS device, they brute-force their way onto it and install memory (RAM) scraping malware. The hub-and-spoke retail architecture then lets the malicious code traverse to every POS device, magnifying the effect. RAM scrapers grab payment card data while the transaction is being processed in memory (where it is unencrypted), then exfiltrate (export) the payment details to the criminals via proxy IP addresses.

Having obtained the bank and card details of customers who have been compromised, the hackers sell them on through the now-specialised criminal supply chain and the foot soldiers start using the details to obtain goods and cash. Sooner or later the law enforcement agencies pick up some criminals obtaining goods by deception and report the crimes. Eventually a pattern is noticed and the hack discovered. In 75% of POS intrusions the notification came from law enforcement, 14% from external parties’ fraud detection systems, and in 11% of cases from customers themselves. In 85% of cases the intrusion takes weeks to discover, in 13% months, and in 1% years.

In my opinion this is an appalling state of affairs and highlights the misdirected spending on network defences when more should be invested in application defences. If application sensors were added to applications, they would notify administrators when malicious activity is detected. But what if no one at HQ cares about alerts, as happened at Target (the US retailer) in December 2013? There are still many layers of defence that could, and should, be applied:

  • Applications should be self-defending and reject malicious input.
  • Interconnectivity between stores and central locations should be treated as only semi-trusted.
  • Well-designed and securely coded multi-factor authentication, plus strong password implementations would significantly reduce intrusions.
  • Make it difficult for attackers to log into POS devices by means of secure authentication, access controls and session management.
  • Minimise the data brought into process memory and remove it as soon as possible.
  • Limit remote access to domains by third-party vendors (the entry point of the Target attack was a spear-phishing email to a member of staff at the air-conditioning and heating services contractor).
  • Restrict POS systems to POS-related activity only, not web-surfing or email!
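The intrusion pattern described above has two visible phases that a defender can alert on: a burst of failed remote-access logins followed by a success, and outbound connections from a POS host to a destination it has no business talking to. The following is an added example, not code from the article or from TVS, showing detection logic of that kind run over a few constructed log lines. The `host=... event=... key=value` log format, the field names, the five-failures-in-two-minutes threshold and the egress allow-list are all assumptions for the illustration; a real deployment would map them onto its own remote-access and firewall logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Assumed format: an ISO timestamp,
# then space-separated key=value fields. "auth" events come from the remote-access
# service on each till; "conn" events come from the store firewall.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=POS-07 event=auth result=FAIL user=admin src=198.51.100.23
2024-03-01T09:00:04 host=POS-07 event=auth result=FAIL user=admin src=198.51.100.23
2024-03-01T09:00:07 host=POS-07 event=auth result=FAIL user=admin src=198.51.100.23
2024-03-01T09:00:10 host=POS-07 event=auth result=FAIL user=root src=198.51.100.23
2024-03-01T09:00:13 host=POS-07 event=auth result=FAIL user=pos src=198.51.100.23
2024-03-01T09:00:16 host=POS-07 event=auth result=OK user=pos src=198.51.100.23
2024-03-01T09:05:00 host=POS-03 event=auth result=FAIL user=manager src=10.0.1.40
2024-03-01T09:05:30 host=POS-03 event=auth result=OK user=manager src=10.0.1.40
2024-03-01T09:12:00 host=POS-07 event=conn dir=out dst=10.0.0.5 port=443
2024-03-01T09:12:30 host=POS-07 event=conn dir=out dst=203.0.113.77 port=8080
"""

FAIL_THRESHOLD = 5                 # assumed tuning: failures per source per host
WINDOW = timedelta(minutes=2)      # assumed tuning: sliding window for those failures
ALLOWED_DESTS = {"10.0.0.5"}       # assumed: the only legitimate egress target (payment relay)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict; timestamp is parsed, other fields kept as strings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts"))}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        ev[key] = value
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when one source racks up `threshold` failed logins against one host
    inside `window`, and again if that same source later logs in successfully."""
    recent = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in events:
        if ev.get("event") != "auth":
            continue
        key = (ev["src"], ev["host"])
        if ev["result"] == "FAIL":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "bruteforce", "src": ev["src"], "host": ev["host"],
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
        elif ev["result"] == "OK" and key in alerted:
            # The worrying case: the guessing stopped because it worked.
            alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


def detect_unexpected_egress(events, allowed=ALLOWED_DESTS):
    """Alert on outbound connections from a till to any destination not on the allow-list;
    a POS device should only ever talk to its payment relay and head office."""
    return [{"type": "unexpected_egress", "host": ev["host"], "dst": ev["dst"],
             "port": ev["port"], "ts": ev["ts"]}
            for ev in events
            if ev.get("event") == "conn" and ev.get("dir") == "out" and ev["dst"] not in allowed]


def analyse(log_text):
    events = parse_log(log_text)
    return {"bruteforce": detect_bruteforce(events),
            "egress": detect_unexpected_egress(events)}


if __name__ == "__main__":
    for kind, alerts in analyse(SAMPLE_LOG).items():
        for a in alerts:
            print(kind, a)
```

Run against the sample, the brute-force detector raises one alert for `198.51.100.23` after its fifth failure against `POS-07` and a second, higher-severity one when the same source then logs in as `pos`; the single failed login from the store manager's workstation stays below threshold. The egress check flags the connection to `203.0.113.77` while leaving the payment relay alone, which is the kind of signal the article says internal monitoring almost never produced.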

TVS has already described how to start building and testing secure applications – download the free white papers now.

Or would you prefer a policeman to call?