Menu
Cybercriminals targeting point-of-sale devices

Cybercriminals targeting point-of-sale devices

Even with PCI regulations, smaller retailers face challenges in security credit card transactions

Point-of-sale payment processing devices for credit and debit cards are proving to be rich targets for cybercriminals due to lax security controls, particularly among small businesses, according to a report from Trustwave.

Trustwave, which investigates payment card breaches for companies such as American Express, Visa and MasterCard, conducted 220 investigations worldwide involving data breaches in 2010. The vast majority of those cases came down to weaknesses in POS devices.

"Representing many targets and due to well-known vulnerabilities, POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud," according to Trustwave's Global Security Report 2011.

POS devices read the magnetic stripe on the back of a card that contains account information, which is then transmitted for payment processing.

Although there are rules for security controls that developers should use for the devices, such as the Payment Application Data Security standard (PA-DSS), Trustwave said that "these controls are rarely implemented properly."

Further, many small businesses rely on third-party integrators to support the POS devices. But those integrators often have poor security practices. In 87 percent of the breach cases it studied, the integrators make mistakes such as using default credentials in operating systems or with remote access systems, Trustwave said.

"In our experience, many POS integrators are often not skilled in security best practices, leaving their clients open for attack," the report said. "For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions."

POS devices are an attractive target for cybercriminals since the data they access from the cards is more complete, Trustwave said. For example, an attack against an e-commerce website may yield a credit card number and the card's expiration date -- information that can only be used in so-called card-not-present fraud, such as buying goods on a website that never sees the physical card or its magnetic strip.

But POS devices collect the full magnetic strip, which makes it possible, for example, to encode that information on a dummy card for use at an ATM machine or a retailer.

Retailers have been increasing their compliance with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry. It forbids, for example, the storing of magnetic strip data on POS terminal and mandates the use of encryption.

But in 2010 Trustwave discovered new malware targeted at POS applications, one of which was capable of extracting that encrypted data.

"The POS-specific malware is the most sophisticated malware we have seen, and similar to the ATM malware we saw in 2009, as it requires deep knowledge about the workings of the POS application," Trustwave wrote.

Even though PCI-DSS is well established in North America and Europe, "these mandates are just beginning to take hold in other regions," Trustwave wrote. "For example, Latin America and Asia Pacific still lag behind other areas of the world in the identification and acknowledgement of a data breach, which adversely affects the global effort to combat attacker behavior."

Send news tips and comments to jeremy_kirk@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags fraudtrustwave

Events

Why experience is the new battleground for partners

Join us for an exclusive webinar, in association with Hewlett Packard Enterprise and Technology Services Industry Association (TSIA) and learn about the latest industry insights and how technology services continue to evolve to deliver differentiated value, and how partners can be successful in 2021 and beyond.

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Show Comments