POS Systems and Trust (Part 2)

Cash registers originated in the 1870s to combat the problem of dishonest employees pocketing money from customers. Today’s Point of Sale (POS) systems are specialized computer systems, but many run open operating systems and are susceptible to the same issues as any other computer system. As additional features continue to expand POS capabilities, they require more applications, connectivity, and dependencies on backend store systems. They are prime targets for anyone seeking access to valuable customer and cardholder data, and both businesses and consumers are at risk.

The assumptions about these systems, their environment, and how they have evolved are why we continue to see compromises and breaches. For the most part, POS breaches have been facilitated by detailed knowledge, access to the environment, and unauthorized code. What was set in play in 2006 with PCI-DSS was well intentioned. But consider that the initial McAfee Labs threat intelligence report in 2007 identified 1 million samples, and that we have since grown to an estimated projection of 130 million samples: we are now dealing with a volume of threats that was never conceived. It also doesn’t help that, to reduce scope for PCI compliance, POS systems are recommended to be on isolated networks, which makes automated .dat updates harder to execute.

Did you know the top two most popular jobs in the US, according to the US Bureau of Labor Statistics, are the 4.3 million retail salespersons and 3.3 million cashiers? Because these systems are in semi-public areas, these people also play a role in security. But how many of them inadvertently give a convincing service guy access under the guise of a maintenance request, or do not quickly report a system acting poorly? File integrity monitoring is a way to get early warning signs of unauthorized changes to these systems, but diligence is needed to decide what to watch and to have personnel react to these warnings. Many times, this is yet another console or system to implement in a complex environment, and it potentially causes daily false positives when new pricing promotions are batch deployed or a POS application is updated.

The same social aspect that retailers are embracing to grow their brands is also at work among cybercriminals, who are sharing vulnerabilities and designing increasingly sophisticated compromise attacks. With this in mind, do you trust the 3.3 million cashiers? Are you sure that not one of them is a part of this plan, and do you trust that you have internal controls to detect and react in time to an unauthorized change? Are you sure that your applications and support personnel will do the right thing?

In networking, we are familiar with the rule “block all traffic except that which is explicitly required,” and the same fundamentals need to be applied to POS systems. Learn about how McAfee can facilitate trusted updaters through McAfee Integrity Control and by blocking unauthorized code. We also work with retail manufacturers to provide ‘out-of-box’ security for their customers to deliver a higher-value product directly to retailers, reducing this complex burden.

 -Kim Singletary
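
As an added example (not part of the original post, and not how McAfee Integrity Control is implemented), the Python below compares a file-integrity baseline with the current state of a POS directory and treats a change as authorized only when its hash matches a manifest published by a trusted updater, so a batch price update does not raise the same alert as a swapped binary. The file names, the manifest format and the function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def classify(baseline: dict, current: dict, approved: dict) -> dict:
    """Compare two snapshots. `approved` is the path -> digest manifest that the
    trusted updater published for the pending deployment (assumed format)."""
    report = {"authorized": [], "unauthorized": [], "missing": []}
    for path, digest in current.items():
        if baseline.get(path) == digest:
            continue  # unchanged since the baseline was taken
        # Authorized only if this exact content was approved for this exact path.
        key = "authorized" if approved.get(path) == digest else "unauthorized"
        report[key].append(path)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario: a promotion batch lands while a binary is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "data").mkdir()
        (root / "bin/pos_app.exe").write_bytes(b"pos app v1")   # hypothetical files
        (root / "data/prices.csv").write_bytes(b"sku1,1.99\n")
        baseline = snapshot(root)

        new_prices = b"sku1,1.49\n"
        approved = {"data/prices.csv": hashlib.sha256(new_prices).hexdigest()}

        (root / "data/prices.csv").write_bytes(new_prices)         # approved batch update
        (root / "bin/pos_app.exe").write_bytes(b"pos app v1 + x")  # not in the manifest
        (root / "bin/helper.dll").write_bytes(b"new file")         # new, not in the manifest
        return classify(baseline, snapshot(root), approved)


if __name__ == "__main__":
    print(demo())
```

Only the two entries under `bin/` need an analyst's attention; the price file changed, but to exactly the content the updater announced.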
