POS Security Still a Problem

by Raymond Pucci 0

Hackers are still feasting on some vulnerable POS systems. According to the following article, older and outdated merchant terminals and back-end systems are at the center of many payment card data breaches.

Point-of-sale (POS) systems seem to be a growing target for hackers. In early August, security expert Brian Krebs reported on his Krebs on Security site that Oracle’s MICROS POS division had suffered a breach in its customer support portal for companies using its point-of-sale card payment systems. Attacks like this and a recent data breach involving Eddie Bauer Stores in the U.S. and Canada are just a few examples of hackers targeting POS systems.

Hackers always look for low-hanging fruit, security experts point out, and POS systems are relatively easy targets because they tend to have older, easily hacked security protocols.

“Hackers are going after the path of least resistance,” said Fred Kneip, CEO of CyberGRX, a provider of risk management software. “People have not evolved with the technology.” Many large retailers, notably Target, Home Depot and Wal-Mart, have upgraded their POS systems to take EMV (chip) cards, designed to prevent certain types of payment fraud.

Other retailers have yet to activate the EMV capability. A Boston Retail Partners survey published earlier this year found that just 22 percent of retailers currently support EMV, with another 53 percent planning to do so within the next 12 months. And some merchants, primarily smaller ones, still have older POS systems that cannot even accept chip cards.

But a POS system’s ability to accept EMV cards does not affect the type of vulnerability that hackers are targeting, involving outdated operating systems. The new POS terminals did not require the updating of back-end OS systems to attain EMV capability.

“Many of the systems are still running Windows XP or other out-of-support operating systems with known vulnerabilities, and there are no patches for them,” said Christopher Budd, global direct communications manager for security company Trend Micro.

A credit union in June filed a class-action lawsuit against restaurant chain Wendy’s in response to a data breach that affected at least a few hundred restaurants, alleging that Wendy’s security systems were outdated, payment card information wasn’t deleted when it was supposed to be, antivirus software wasn’t regularly updated, firewalls weren’t maintained and access to network and credit card data wasn’t monitored.

Unfortunately, this type of careless behavior is not uncommon, security experts say.

Hackers gravitate to the weakest link in the security chain and waste no time in identifying those merchant types to prey upon. Merchants with older POS terminals and far-flung checkouts with staff not always present are often targeted. The EMV transition process has revealed many POS systems with outdated software and thinly secured back-end systems. Merchants and their payment providers need to accelerate upgrading older POS systems that provide ill-gotten gains to hackers everywhere.

Overview by Raymond Pucci, Associate Director, Research Service at Mercator Advisory Group

Read the full story here