Thousands of credit card readers at gas stations and supermarkets in Israel experienced issues this past weekend, potentially linked to a suspected cyberattack.
According to The Jerusalem Post, this incident is the latest in a series of point-of-sale (POS) threats. The challenges and disruptions caused by these attacks arise partly from the unpredictability of which consumers’ data might be affected and the varying levels of security among the small businesses impacted.
POS malware extracts credit card and other transaction-related data from payment systems and card skimmers. Hyp Credit Guard, which monitors payment system cybersecurity in Israel, said the attack targeted the communication services relied upon by many retailers. Fortunately, the issue was mitigated in just over an hour.
Given that gas stations process hundreds of credit card transactions daily, a successful cyberattack can compromise sensitive financial data on a large scale, often without consumers realizing their data has been breached. The effectiveness of a POS attack largely depends on the security measures in place at the targeted business.
A Worldwide Problem
Some experts suspect that Iranian-linked hackers may have been involved in the cyberattack. Just last month, a major Israeli payment company, Sheba, was hit by a similar attack, which caused delays in processing debit card transactions.
The U.S. has also experienced several large-scale POS attacks. In 2014, POS malware allowed criminals to gain access to millions of credit and debit card account numbers of customers at Target stores across the country.
More recently, NCR reported that a POS attack had impacted its Aloha restaurant payment system. Although NCR did not disclose how many customers were impacted, it did acknowledge that more than 100,000 restaurants use its payments platform. Like gas stations, individual restaurants may be more vulnerable to such attacks due to a lack of cybersecurity preparation.
“If you don’t have strong cybersecurity policies in place, POS attacks, like any other cyberattack, are much more likely to be successful,” said Suzanne Sando, Senior Analyst in Fraud and Security at Javelin Strategy & Research. “If you don’t encrypt data, if you aren’t complying with PCI DSS standards, if you aren’t monitoring for suspicious activity—all of these are steps organizations can take to reduce the likelihood of a successful POS attack. It’s all about finding those vulnerabilities and locking them down.”