Late last year there was conversation about the increasing frequency of point of sale (POS) terminal fraud, especially in the US. An extremely high-profile case that was discussed by security professionals with cyber security jobs and no doubt those on the hunt for IT security contract jobs concerned four Romanian nationals and a multimillion dollar scheme to commit POS fraud, which would have resulted in hundreds of merchants being swindled as well as compromising 80,000 US citizens.
They were attempting to do this remotely by hacking into POS systems and stealing data and payment from credit cards, debit cards and prepaid cards, but were, luckily, nabbed by the authorities. They face five years in prison if convicted.
“The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs,” Wired.com reported at the time.
It’s a serious threat, which the security industry most certainly has on its radar. Roll on the start of this month and the dialogue about POS attacks is still as topical as ever.
Speaking to SC Magazine, Bill Farmer, chief executive officer of Mako Networks, turned the discussion to “rogue terminals”, which exist outside of the central network, and are used as a mechanism to “harvest data” out of a business and into the hands of cyber criminals. What’s interesting is that adept criminals operate in a very surreptitious way.
“The cyber criminal will modify the device to steal the information and transmit it out to be stored,” he said. “It is not easily detectable as the compromised modules are transmitting data out for months at a time and are often in high-traffic places.”
They then collect this data, keep onto it for months, then use it for small transactions a few months later and then at cash machines where lots of cash is extracted, Mr Farmer added.
What then can be done to eliminate this threat? Simple security measures can be effective – all of which deny cyber criminals easy access into a system. You wouldn’t leave your back door open at home or in your office would you? Apply the same concept to POS terminals.
One of the recurring themes is for organisations not to “affiliate” the name of the business with a Wi-Fi network. This is like handing swindlers the golden key.
Another strategy includes making sure that payment systems conform to the Payment Council Industry (PCI) Data Security Standard. The PCI Security Standards Council is a most useful asset given that it is responsible for the development, management, education and awareness of industry standards.
Carry out penetration tests as a form of risk assessment to identify weaknesses in the system. Especially vulnerable organisations are those that have POS terminals in a variety of locations and with a sizeable workforce who may, on occasion, leave terminals unattended.
Finally, keep one step ahead of the game, be leaders and innovate. Technology in the digital age doesn’t stop for anyone and neither should you. Invest in new equipment, get regular software updates. Change is good and it puts cyber criminals on the back foot. We’ve got competition, they lament. Indeed they have.
Great blog and interesting facts.
I am constantly surprised by the lack of adherence to the Payment Card Industry Data Security Standards (PCI DSS). In the past there were excuses used about the clarity but this has been resolved with clear guidance then there was the excuse of security always changing so the PCI SSC introduced a 3 year cycle which means a merchant knows their investment has a chance of achieving an ROI.
All in all businesses reply on credit cards as a significant source of income and it is in their interest as much as the credit card schemes to keep them secure.