By now, everyone has heard about the Target and Neiman Marcus data breaches. We’ve recently discovered that these retail attacks have been targeting Windows-based cash register systems, also known as point-of-sale (POS) systems. Hackers are finding ways to penetrate retailers’ networks and install malware on their Windows-based cash registers and Back-of-the-House (BOH) servers to steal customer credit card data. This sophisticated malware targets the card data held in RAM, where it sits decrypted for authorization processing, stealing customer names, credit card numbers and other personally identifiable information right from underneath these large retailers’ noses!
These types of attacks usually occur through four common methods:
1. Improperly upgraded Windows XP POS software
Cyber criminals take advantage of security vulnerabilities in improperly configured or outdated software. The best way to block this angle of attack is to:
- Make sure you are running the most recent version of your operating system and well-known, brand-name applications.
- When installing updates, upgrades or new POS software, retail merchants should ensure it is configured to adhere to PCI DSS requirements. Small businesses should also ensure the payment application is not configured in a debug or troubleshooting mode, as this could result in unencrypted cardholder data being written to logs or trace files.
- Implement hardware-based, point-to-point encryption on all POS systems such as McAfee Endpoint Encryption.
2. Human error
Most attacks are the result of human error. 80% of all data breaches reported by the U.S. federal government from January 2009 through May 2012 were caused by human error.* Employees could unwittingly download a file with a virus embedded in it that spreads throughout the business and payment networks. If payment network equipment is easily accessible, a disgruntled employee could introduce a virus that modifies the POS software so that it transmits the data externally or destroys it altogether. To prevent this from happening:
- The payment network should be isolated from your business network, keeping all customer data separate from other types of information.
- Limit physical access to any network equipment, data storage and computers that access, store or transmit sensitive customer data. Best practice is to keep this equipment in a secure location, such as a locked room or office.
- Regularly audit the security of these systems to ensure everything is up-to-date and the recommended settings are in use.
- Purchase an anti-virus product and run regular scans for malware and viruses. Use a brand-name, commercial program that you pay for, such as McAfee Security for Business. Keep in mind, many people who search for ‘free antivirus’ end up installing malware.
- Consider using application “whitelisting” or an application-blocking solution to prevent malicious software and unapproved programs from being installed or run.
- Limit administrative privileges. Only a few trustworthy individuals should have administrator privileges to systems, applications or services.
3. Weak passwords
Passwords are highly sought-after by hackers as a means of access to any computer, device, network, application or service. A weak, dormant or shared password may give a cyber criminal access not only to a computer, but also the entire network to which the computer is connected. Users should treat their passwords like they treat their most valued possession – while retailers should treat them like keys to the cash register:
- Enforce complex password requirements – a good, strong password should be difficult to remember.
- Require unique passwords for every website, service and application used. If one password is guessed, it won’t act as the key to all accounts belonging to that user.
- Restrict data access to need-to-know staff. Implement electronic audit trail procedures to monitor who is accessing what. Enforce strict penalties for illegitimate browsing and access.
- Protect access to payment processing networks with two-factor authentication or a solution that generates a unique password for each session, such as McAfee One Time Password. This limits the likelihood of a disgruntled former employee providing passwords to hackers, or of a brute-force attack on user passwords succeeding. As an added precaution, periodically review systems for unknown or dormant users. When an employee leaves the company, immediately remove their access privileges from ALL systems.
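The two review tasks above, limiting administrator privileges (method 2) and periodically looking for unknown or dormant accounts (method 3), reduce to comparing an account export against what the business has actually approved. The script below is an added example, not part of the original post or of any McAfee product: it takes a constructed list of POS and BOH accounts with last-logon dates and admin flags, a constructed approved-user roster and approved-admin list, and reports accounts that are dormant (no logon in 90 days), unknown (not on the roster) or holding admin rights nobody approved. The account names, dates and the 90-day threshold are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample export of POS/BOH accounts: (username, last logon, is_admin).
# A real review would pull this from the domain or the local account database.
ACCOUNTS = [
    ("register01", date(2014, 1, 28), False),
    ("posadmin",   date(2014, 1, 27), True),
    ("jdoe",       date(2013, 9, 3),  False),   # left the company, never disabled
    ("vendor_tmp", date(2013, 6, 15), True),    # not on the roster, still an admin
    ("backup_svc", date(2014, 1, 29), True),    # service account with admin rights
]

# Constructed HR/IT roster of accounts the business approved.
APPROVED = {"register01", "posadmin", "backup_svc"}
# The only account expected to hold administrator rights.
APPROVED_ADMINS = {"posadmin"}

# Assumed policy: an account is dormant after 90 days without a logon.
DORMANT_AFTER = timedelta(days=90)


def review_accounts(accounts, approved, approved_admins, today,
                    dormant_after=DORMANT_AFTER):
    """Return findings as {'dormant': [...], 'unknown': [...], 'excess_admin': [...]}.

    Each list holds usernames sorted for stable reporting. One account can
    appear under several headings (e.g. an unknown account that is also dormant).
    """
    findings = {"dormant": [], "unknown": [], "excess_admin": []}
    for user, last_logon, is_admin in accounts:
        if today - last_logon > dormant_after:
            findings["dormant"].append(user)
        if user not in approved:
            findings["unknown"].append(user)
        if is_admin and user not in approved_admins:
            findings["excess_admin"].append(user)
    return {key: sorted(users) for key, users in findings.items()}


def print_report(findings):
    for heading, users in findings.items():
        print("%-12s %s" % (heading + ":", ", ".join(users) or "(none)"))


if __name__ == "__main__":
    # Review date is fixed so the constructed sample gives a repeatable result.
    print_report(review_accounts(ACCOUNTS, APPROVED, APPROVED_ADMINS,
                                 today=date(2014, 1, 30)))
```

Every name under `unknown` or `dormant` is a candidate for immediate disabling, and every name under `excess_admin` is a candidate for demotion; the point of keeping the roster separate from the export is that the review catches accounts created outside the normal process, which is exactly what a departing or disgruntled insider would leave behind.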
4. Improperly configured firewall
Every program running on your computer, including your Windows-based POS software, opens a port to communicate with another computer, server or the internet. Hackers use port-scanning tools to find open, vulnerable ports. Once they find an open port, they probe further for weaknesses, checking the software behind that port to see if it is outdated or has security vulnerabilities or misconfigurations they can use to penetrate that computer or the network to which it is attached. Unless you proactively manage your firewall, any open port is a potential gap in your security. To block these potential attacks:
- Ensure you are using a network firewall that offers intrusion prevention and deep packet inspection to detect malware or exploits in network traffic, such as McAfee Next Generation Firewall, powered by Stonesoft.
- Configure your network firewall so that only known services and IP addresses can communicate with your network.
- Block as many ports as you can on your firewall, allowing only essential traffic, such as email and web traffic, to enter your network.
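The last two points amount to a default-deny allowlist: name the few source addresses and ports the payment network legitimately needs, and drop everything else. The following is an added example, not code from the original post or from any McAfee product, and it is vendor-neutral rather than a McAfee Next Generation Firewall configuration. It holds a constructed allowlist (addresses are from the RFC 5737 documentation ranges and private space, chosen as placeholders), lets you check whether a given connection would be permitted, and renders the same policy as iptables commands for a Linux host protecting the segment. The processor network, management workstation and port numbers are assumptions for the example.

```python
import ipaddress

# Constructed allowlist for a segmented payment network:
# (description, source network, protocol, destination port)
POLICY = [
    ("payment processor gateway",    "203.0.113.0/24", "tcp", 443),
    ("store management workstation", "10.10.50.5/32",  "tcp", 3389),
    ("BOH server to registers",      "10.10.20.0/24",  "tcp", 8443),
]

# Anything not matched by POLICY is dropped; this is the "block as many ports
# as you can" rule expressed as a default action rather than a long deny list.
DEFAULT_ACTION = "DROP"


def is_allowed(policy, src_ip, proto, dst_port):
    """Return True if a connection from src_ip to dst_port/proto matches the allowlist."""
    src = ipaddress.ip_address(src_ip)
    for _desc, net, p, port in policy:
        if p == proto and port == dst_port and src in ipaddress.ip_network(net):
            return True
    return False


def render_iptables(policy, default=DEFAULT_ACTION):
    """Render the allowlist as iptables INPUT-chain commands.

    Order matters: established replies and loopback first, then each explicit
    allow, then a logging rule so denied attempts show up in the audit trail,
    then the final drop.
    """
    rules = [
        "iptables -P INPUT " + default,
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
    ]
    for desc, net, proto, port in policy:
        rules.append(
            "iptables -A INPUT -s %s -p %s --dport %d -m comment --comment '%s' -j ACCEPT"
            % (net, proto, port, desc)
        )
    rules.append("iptables -A INPUT -j LOG --log-prefix 'POS-DENY: '")
    rules.append("iptables -A INPUT -j " + default)
    return rules


if __name__ == "__main__":
    for rule in render_iptables(POLICY):
        print(rule)
    # A processor address on the expected port gets through; an unknown
    # address on the same port, or a known address on the wrong port, does not.
    print(is_allowed(POLICY, "203.0.113.10", "tcp", 443))
    print(is_allowed(POLICY, "198.51.100.7", "tcp", 443))
    print(is_allowed(POLICY, "10.10.50.5", "tcp", 443))
```

The `is_allowed` check is useful on its own as a change-control test: before a new rule is pushed, confirm that the connections the business needs still pass and that nothing else does. The logging rule ahead of the final drop is what turns the firewall into a detection source, since repeated `POS-DENY` entries from one address are the port-scanning behaviour described above.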
Have you thought about how this might impact your business?
These are multi-million dollar corporations with massive IT departments. If they can’t keep their customers safe, can you? Of course you can. By following the steps outlined above and treating your data security with the same care that you treat your personal security, you will protect both your network and your Windows-based POS systems and minimize the risk of a card data compromise.
*“Data Breaches in the Government Sector,” a Rapid 7 Research Report.