According to a report from Trustwave, point-of-sale (POS) payment processing devices for credit and debit cards are prime targets for cybercriminals because of lax security controls, especially among small businesses. Trustwave, which investigates payment card breaches on behalf of companies such as American Express, Visa and MasterCard, conducted 220 data breach investigations worldwide in 2010, and weaknesses in POS devices accounted for the vast majority of those cases. Trustwave's Global Security Report 2011 states that POS systems are easy to target because they carry several vulnerabilities, and that attacking them remains the simplest way for criminals to obtain the data needed to commit payment card fraud.
POS devices read the magnetic stripe on the back of a card, which holds the account information transmitted for payment processing. Trustwave says that the security controls device developers should apply, such as the Payment Application Data Security Standard (PA-DSS), are rarely implemented. Many small businesses rely on third-party integrators to support their POS devices, and Trustwave states that in 87% of the breach cases studied the integrators made mistakes such as leaving default credentials in place on the operating system or on remote access systems.
According to the report, many POS integrators are unskilled in security best practices, which leaves their clients vulnerable to attackers. The investigations repeatedly uncovered deficiencies in basic security controls, such as default passwords and single-factor remote access solutions. Trustwave states that cybercriminals readily target POS devices because the data captured from the cards is comprehensive. By contrast, attacking an e-commerce website yields only the card number and expiry date, and that information is useful only for buying goods from a website that never sees the physical card or its magnetic stripe.
Because POS devices capture the entire magnetic stripe, an attacker can encode all of that information onto a dummy card and use it at an ATM or a retailer. Retailers have increased their compliance with the Payment Card Industry Data Security Standard (PCI-DSS), the card industry's code of best practice, which mandates the use of encryption and prohibits storing magnetic stripe data on POS terminals. Even so, in 2010 Trustwave discovered malware targeting POS applications that was able to extract encrypted data.
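The difference between what an e-commerce breach yields (a bare card number) and what a POS compromise yields (full stripe contents, including expiry and service code) is what makes stored or scraped track data worth hunting for. The following Python scanner is an added example, not code from the Trustwave report or the original post: it searches a byte blob (a POS process memory dump, a log file, a database export) for Track 1 and Track 2 records laid out per ISO 7813, discards digit runs that fail the Luhn check, masks the PAN to the first six and last four digits before reporting it, and flags track findings as clonable. The sample blob and its card numbers are constructed for the example (4111..., 5555... and 4012... are public test PANs, not real accounts).

```python
"""Scan a byte blob for magnetic stripe track data and bare PANs.

Added example: a PCI-DSS-style data discovery check, not the tooling
described in the Trustwave report.  Track layouts follow ISO 7813.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,100})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,100})\?")
# A bare 13-19 digit run: what an e-commerce breach typically yields.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, the most PCI-DSS allows shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    kind: str                    # "track1", "track2" or "pan"
    offset: int                  # byte offset in the blob
    pan_masked: str
    expiry: Optional[str]        # YYMM, only present in track data
    service_code: Optional[str]  # only present in track data
    clonable: bool               # full stripe recovered: counterfeit-card risk


def scan(blob: bytes) -> List[Finding]:
    """Return Luhn-valid track records and bare PANs found in blob."""
    findings: List[Finding] = []
    covered = []  # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            exp = m.group(3) if kind == "track1" else m.group(2)
            svc = m.group(4) if kind == "track1" else m.group(3)
            findings.append(Finding(kind, m.start(), mask(pan),
                                    exp.decode(), svc.decode(), True))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(blob):
        if any(s <= m.start() < e for s, e in covered):
            continue  # PAN already counted as part of a track record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding("pan", m.start(), mask(pan), None, None, False))
    findings.sort(key=lambda f: f.offset)
    return findings


# Constructed sample resembling a fragment of POS process memory; the
# 16-digit "order_ref" is a Luhn-invalid decoy the scanner should ignore.
SAMPLE = (
    b"\x00\x00txn=0042 AMT=19.99 "
    b"%B4111111111111111^DOE/JOHN          ^25121011234567890000?"
    b"\x00\x00"
    b";5555555555554444=2512101123456789?"
    b" order_ref=4111111111111112 card=4012888888881881 exp=12/25\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        risk = "CLONABLE (full stripe)" if f.clonable else "PAN only"
        print(f"{f.offset:6d} {f.kind:7s} {f.pan_masked} exp={f.expiry} "
              f"svc={f.service_code} {risk}")
```

Run against a real dump, the hits marked clonable are the ones PCI-DSS says must never be at rest on the terminal; a bare-PAN hit still matters, but it is the e-commerce class of loss rather than the counterfeit-card class. The Luhn filter is what keeps timestamps, order numbers and other long digit runs out of the report.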
Trustwave reports that this POS-specific malware is the most sophisticated malware it has observed, since it requires detailed knowledge of how the POS application works, much like the ATM malware seen in 2009. PCI-DSS is well established in North America and Europe, but in other regions these mandates have yet to gain importance. According to Trustwave, Latin America, the Asia Pacific region and other parts of the world lag significantly behind in identifying and acknowledging data breaches, which negatively impacts the global effort to counter attacker activity.
Copyright Techfuels