Photo - Nigel Tan, Director, Systems Engineering with Symantec Malaysia
One of the earliest forms of cybercrime is credit and debit card data theft and this continues to persist today. Cybercrime gangs organise sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. Criminals can use the data stolen from a card's magnetic strip to create clones and it's a potentially lucrative business with individual cards selling for up to US$100.
There are several routes attackers can take to steal this data. One option is to gain access to a database where card data is stored. But another option is to target the point at which a retailer first acquires that card data - the point of sale (POS) system.
While many POS transactions are in the form of cash, many of these payments are made by customers swiping their cards through a card reader. These card readers may be standalone devices but modern POS systems, particularly those in larger retailers, are all-in-one systems which can handle a variety of customer transactions such as sales, returns, gift cards and promotions. Most importantly from a security standpoint, they can handle multiple payment types.
Given the sensitive financial and sometimes, personal data to which modern POS systems have access, it is an obvious but not always well recognised fact that the security of these systems is of utmost importance.
Security issues in POS systems
Modern POS systems are specially configured computers with sales software installed and equipped with a card reader. Using a process known as "skimming", card data can be stolen by installing a device onto the card reader which can read the data off the card's magnetic strip. As this requires additional hardware and physical access to the card reader, it is difficult to carry out this type of theft on a large scale.
This led to the development of malware which can copy the card data as soon as it's read by the card reader. The first of such attacks were seen in 2005 with a series of campaigns orchestrated by Albert Gonzalez, a hacker who stole over 170 million card numbers. Since then, an industry has developed around attacking POS systems, with tools readily available on the underground marketplace.
Despite improvements in card security technologies and the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS), there are still gaps in the security of POS systems. This coupled with more general security weaknesses in corporate IT infrastructure means that retailers find themselves exposed to increasingly resourceful and organised cybercriminal gangs.
Card data theft is likely to continue in the near term. Stolen card data has a limited shelf-life. Credit card companies are quick to spot anomalous spending patterns, as are observant card owners. This means that criminals need a steady supply of "fresh" card numbers.
The good news is that retailers will learn lessons from attacks and take steps to prevent the re-occurrence of this type of attack. Payment technology will also change. Many US retailers are now expediting the transition to Europay, Mastercard and VISA (EMV) standards, or "chip and pin" payment technologies. Chip and Pin cards are much more difficult to clone, making them less attractive to attackers. And of course new payment models may take over. Smartphones may become the new credit cards as mobile, or NFC, payment technology becomes more widely adopted.
There's no doubt that cybercriminals will respond to these changes. But as retailers adopt newer technologies and security companies continue to monitor the attackers, large-scale POS thefts will become more difficult and certainly less profitable.
Risks with end of support for Windows XP
The majority of POS systems run the older Windows XP version of Windows Embedded. This older version is more susceptible to vulnerabilities and therefore more open to attack. In addition, Microsoft will end technical assistance for Windows XP operating system on 8 April 2014, including automatic updates and regularly issued security patches. Systems that continue to use Windows XP after the deadline will face increased security risks, particularly if new vulnerabilities are discovered in the operating system. Consequently, these systems are susceptible to a wide variety of attack scenarios which could lead to large scale data breaches. Organisations with systems running on Windows XP Embedded (XPE) face a similar situation, but more time to transition, as Microsoft will end support for XPE in January 2016.
As many POS systems are running a version of Windows, they are also capable of running any malware that runs on Windows. Thus, attackers do not need specialised skills in order to target POS systems and malware that were not specifically designed for use on POS systems could be easily repurposed for use against them.
There are many steps that POS operators can take to reduce the risk from attacks against POS systems but above all, the overarching reminder is to implement layered security on the POS systems and throughout the network.
A properly configured endpoint protection product can block even the most determined attacker, and this is especially true when it comes to a POS system. POS systems actually have a security advantage over a PC as a single function device. Because no one on that device is web browsing, emailing or opening shared drives, the functionally of the machine and the files needed on that machine are limited.
In short, to implement the best protection for Windows-based POS systems, organisations need to have layered security as part of the IT architecture.
- Nigel Tan is Director of Systems Engineering with Symantec Malaysia.