How Reliable Is Your Point-of-Sale Security?


The U.S. Department of Homeland Security (DHS) said in a recent cybersecurity alert that more than one thousand organizations, from large enterprises to small-to-midsize businesses, have been compromised by “Backoff,” a recently discovered malware package. To make matters worse, these organizations are probably unaware of Backoff, which steals information from point-of-sale (POS) systems, especially customer credit card data.

When DHS first issued a warning about Backoff on July 31, we learned the malware can slip past most antivirus software. Backoff is believed to be behind the highly publicized security breach at Target. As insidious as Backoff is, it’s not the only malware targeting POS systems, and Target is far from the only victim of a massive security breach.

Why is POS malware so dangerous? POS malware is capable of memory scraping, a process that involves reading and stealing the memory contents of POS systems, including credit card data, login information, and communication with remote servers. POS malware finds this data as soon as a credit card is swiped, saves it, and retrieves it later. Because POS terminals usually aren’t connected to the Internet, hackers look for access through the corporate network, exploiting security vulnerabilities or looking for a device that hasn’t changed the default password. Once they’ve gained access into the network, they find out where the POS system is hosted, install malware, and make their malicious activity invisible.

Many retailers incorrectly assume that Payment Card Industry (PCI) compliance makes them immune to a security breach. PCI compliance does not guarantee security. Most recent victims were PCI compliant, but their PCI environments were compromised anyway. It’s one thing to fill out paperwork that says security mechanisms are active, but it’s quite another to prove their effectiveness through frequent and thorough testing, which is generally lacking.

US-CERT (United States Computer Emergency Readiness Team), which is part of DHS, issued an alert in January of 2014 titled “Malware Targeting Point of Sale Systems.” The alert referenced six ways that organizations can protect themselves against POS malware.

  1. Use strong passwords. Using the default password on a POS system is like inviting a cybercriminal to steal whatever they want. The passwords on all devices should be manually updated during installation and later verified.
  2. Use the latest POS software. The older the system, the more time hackers have to identify and exploit a gap in security. Updating POS applications should be included in your patch management strategy. Even if your older application has the same functionality, it probably doesn’t have the most updated security features and bug fixes.
  3. Use a firewall. Firewalls guard against external threats by screening traffic and preventing unauthorized access to or from a private network. Layered security, which incorporates host-based and network-based firewalls and an intrusion prevention system, is the recommended approach.
  4. Use antivirus software. These programs can only recognize threats based on the most recent definitions, so it’s important to keep antivirus protection updated. It’s also a good idea to deploy a comprehensive endpoint protection solution to stop threats at the device level.
  5. Restrict Internet access. Connecting a POS system to the Internet, intentionally or not, for anything other than POS-related activities makes the system vulnerable to attack. Ideally, the POS application should be completely blocked from the Internet unless absolutely necessary.
  6. Block remote access. Remote access enables authorized users to access POS without physically touching the system. That’s exactly what hackers want to do, so they look for ways to exploit remote access configurations. Blocking remote access is one way to stop this from happening.

Your outsourced IT department stays abreast of the latest security issues and provides comprehensive POS support. Let us help you implement a system that keeps your company and customer data safe.
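
Items 5 and 6 in the list above can be verified against firewall logs instead of being taken on trust. The following is an added example, not code from the US-CERT alert or from this article's author: it flags allowed flows where a POS terminal reaches a destination outside an approved list, or where a host outside the POS network reaches a terminal on a remote access port. The POS subnet, the allowlist, the port list and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed values for illustration only (not from the alert or any vendor).
POS_NET = ipaddress.ip_network("10.20.30.0/24")       # POS terminal VLAN
ALLOWED_EGRESS = {                                     # (network, port) pairs
    (ipaddress.ip_network("203.0.113.0/28"), 443),    # payment processor
    (ipaddress.ip_network("10.20.0.5/32"), 8530),     # internal patch server
}
REMOTE_ACCESS_PORTS = {22, 3389, 5900}                 # SSH, RDP, VNC

# Constructed log lines in an assumed format: "timestamp src dst dport action"
SAMPLE_LOG = """\
2014-08-25T09:14:02 10.20.30.11 203.0.113.4 443 allow
2014-08-25T09:14:40 10.20.30.11 198.51.100.77 80 allow
2014-08-25T09:15:13 10.40.1.9 10.20.30.12 3389 allow
2014-08-25T09:16:01 10.20.30.12 10.20.0.5 8530 allow
2014-08-25T09:17:30 10.20.30.13 198.51.100.77 443 deny
2014-08-25T09:18:02 192.0.2.50 10.20.30.11 5900 allow
malformed line
"""

def audit(log_text):
    """Return (reason, line) findings for allowed flows that break the policy."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                  # skip lines that do not match the format
        _, src, dst, dport, action = parts
        if action != "allow":
            continue                  # denied traffic was already blocked
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue                  # unparsable address or port
        if src_ip in POS_NET and dst_ip not in POS_NET:
            # Outbound from a terminal: must match an approved (network, port).
            if not any(dst_ip in net and port == p for net, p in ALLOWED_EGRESS):
                findings.append(("unapproved-egress", line))
        elif dst_ip in POS_NET and src_ip not in POS_NET and port in REMOTE_ACCESS_PORTS:
            findings.append(("remote-access-to-pos", line))
    return findings

if __name__ == "__main__":
    for reason, line in audit(SAMPLE_LOG):
        print(f"{reason:22} {line}")
```

Any finding on an "allow" line means the firewall rule set itself permits the flow, so the fix belongs in the rules, not only in the alerting.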