Point-of-Sale Attacks Still Going Strong but the Reason Isn’t What You Think
While many organizations have become aware of the dangers that lurk because of cyber criminals, Point-of-Sale (POS) systems remain a tasty target for attackers seeking payment card and other sensitive data. Just look at the research: the 2016 Verizon Data Breach Investigations Report, which examines over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries, revealed that POS attacks accounted for thirty-two percent of all incidents and sixty-four percent of breaches where data was stolen last year alone. When you add up the dollars, this is quite significant.
Even after the wake-up call that retailers received in 2014 when POS systems for some of the biggest names in retail were hacked, POS attacks continue to occur, but why? And why is it that most of the victims are PCI compliant and have monitoring tools in place that should have identified those threats before they became a full-blown attack?
There are a couple of reasons this happens.
The Problem Isn’t Entirely the POS System
The issue arises because most businesses aren’t considering the fact that POS systems are just one link in the chain. They are largely leaving their networks vulnerable because once they hear the word “compliant,” many assume they are also secure. Time and again, we see that it isn’t the POS system that gets directly attacked, it is everything else on the network that leads to the POS system or more importantly, to the back office computer that is connected to the Internet and moving the electronic payment and other types of critical data. The bottom line: compliant doesn’t equal secure. There are multiple ways a hacker can access a network along with countless tactics they’ll use in doing it.
For example, I was recently talking with an executive from a company whose system was compromised through the remote access service they use, within their POS software, to manage retail locations across the country. A hacker figured out a way to get into that remote component of the POS system and hacked a number of retail locations. There are dire consequences with this type of attack. The card brands that make up the PCI DSS body look at this situation and say, “card data is card data. Whether it was encrypted or not, that business still allowed information to be stolen.” Over forty percent of businesses don’t survive an initial breach due to the sheer financial strain on the organization. They are often restricted to cash payments, face insurmountable fines and must recover from significant brand damage.
Set It and Forget It: Not so Fast
The second problem is one of sheer resources and understanding. Simply putting tools in place to identify threats doesn’t mean a business is protected. Monitoring and proactively addressing security issues 24/7/365 requires vigilance, expertise and tremendous internal resources that many companies don’t have or can’t afford. So, instead of actively responding to alerts and managing the network to ensure actions are taken to prevent a breach, companies with limited resources tend to address the problems through basic hardware – firewalls! Assuming they are set up properly, many quickly learn the hard way that this approach isn’t very effective. For example, unless there are trained professionals on staff that have hands-on experience with mandates such as PCI or HIPAA, how will they know if a firewall rule change is breaking compliance? Without the ability to remain vigilant around the clock, how can a business remain secure in the middle of the night?
Where to Start: Protect the Network
There is no silver bullet to ensure total protection, but one thing is certain: you can’t ignore the network. In large part, hackers tend to take the path of least resistance and don’t attack a POS system directly. As mentioned before, they get into the POS system and steal electronic payment data through other devices and services connected to the Internet. This is why properly segmenting data traffic on your network and prohibiting general access to the Internet is the most important thing you can do to protect your business. This is especially true if Internet access is through a single or common LAN segment, which is the case for most small and many medium sized businesses.
The Verizon DBIR also recommends three steps toward minimizing POS attack risk:
- Review your vendors’ authentication: If you aren’t using two-factor authentication where you can, then you should. Also, because so many attacks come via vendors, you should seek partners that are using strong authentication too.
- Monitor and separate: Track who’s using your POS systems—how and when—to make certain they’re only being used by the right people. Separate the POS environment from the corporate LAN, so that it’s not visible to the entire internet.
- Use anti-virus software: Basic though it seems, our research shows there are too many POS devices with no anti-virus protection at all. So install it on yours and keep it updated.
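The segmentation advice above, and the earlier question of how to tell whether a firewall rule change breaks it, can be checked mechanically. The following is an added example, not part of the original article or any vendor's product: a simplified first-match rule model in Python that tests a ruleset against segmentation probes before and after a change. All addresses, rules and names are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan and ruleset (assumptions, not from the article).
# Rules are (action, source, destination, port); port None means any port.
# Evaluation is first-match with an implicit default deny.
BASELINE = [
    ("allow", "10.10.20.0/24", "203.0.113.10/32", 443),  # POS -> payment gateway
    ("deny",  "10.10.20.0/24", "0.0.0.0/0", None),       # POS -> anything else
    ("deny",  "10.10.10.0/24", "10.10.20.0/24", None),   # corporate LAN -> POS
    ("allow", "10.10.10.0/24", "0.0.0.0/0", None),       # corporate LAN -> internet
]
# Proposed change: a broad rule placed first, e.g. for remote support.
CHANGED = [("allow", "10.10.0.0/16", "0.0.0.0/0", 443)] + BASELINE

# Segmentation policy as probes: (name, source, destination, port, expected).
PROBES = [
    ("POS to payment gateway", "10.10.20.5", "203.0.113.10", 443, "allow"),
    ("POS to arbitrary internet host", "10.10.20.5", "198.51.100.7", 443, "deny"),
    ("corporate LAN to POS on 3389", "10.10.10.8", "10.10.20.5", 3389, "deny"),
    ("corporate LAN to POS on 443", "10.10.10.8", "10.10.20.5", 443, "deny"),
    ("internet to POS", "198.51.100.7", "10.10.20.5", 5900, "deny"),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow, else 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rport in (None, port)):
            return action
    return "deny"

def audit(rules):
    """Return the names of probes whose outcome violates the policy."""
    return [name for name, src, dst, port, want in PROBES
            if decide(rules, src, dst, port) != want]

if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE), ("changed", CHANGED)):
        print(label, "violations:", audit(rules) or "none")
```

The baseline passes every probe; the single broad rule added at the top silently opens the POS segment to the internet and to the corporate LAN on port 443, which is the kind of change that goes unnoticed without a check like this.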
Technology and Services
It only takes one weak spot for a hacker to infiltrate a network. Businesses should do more to holistically apply technologies and services to protect network and payment information. Together, they provide solid security defenses for a business. This is why many choose to outsource security and re-task internal security personnel to perform more critical functions within the organization.
About the Author
Gregory Grant is the senior director of sales and business development at Phoenix Managed Networks, the provider of PhoeniXSentry, a cloud-based network security service that delivers affordable and reliable enterprise-strength security to businesses without dedicated IT or security staff. As the world’s first PCI DSS Level 1-certified security service, PhoeniXSentry ensures all businesses under its protection continually meet their PCI DSS compliance requirements. For more information, please visit www.phoenixmanagednetworks.com.
Image courtesy of Wikimedia Commons: https://commons.wikimedia.org/wiki/File:Binary_Back.jpg