Menu
Cybercriminals targeting point-of-sale devices

Cybercriminals targeting point-of-sale devices

Even with PCI regulations, smaller retailers face challenges in security credit card transactions

Point-of-sale payment processing devices for credit and debit cards are proving to be rich targets for cybercriminals due to lax security controls, particularly among small businesses, according to a report from Trustwave.

Trustwave, which investigates payment card breaches for companies such as American Express, Visa and MasterCard, conducted 220 investigations worldwide involving data breaches in 2010. The vast majority of those cases came down to weaknesses in POS devices.

"Representing many targets and due to well-known vulnerabilities, POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud," according to Trustwave's Global Security Report 2011.

POS devices read the magnetic stripe on the back of a card that contains account information, which is then transmitted for payment processing.

Although there are rules for security controls that developers should use for the devices, such as the Payment Application Data Security standard (PA-DSS), Trustwave said that "these controls are rarely implemented properly."

Further, many small businesses rely on third-party integrators to support the POS devices. But those integrators often have poor security practices. In 87 percent of the breach cases it studied, the integrators make mistakes such as using default credentials in operating systems or with remote access systems, Trustwave said.

"In our experience, many POS integrators are often not skilled in security best practices, leaving their clients open for attack," the report said. "For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions."

POS devices are an attractive target for cybercriminals since the data they access from the cards is more complete, Trustwave said. For example, an attack against an e-commerce website may yield a credit card number and the card's expiration date -- information that can only be used in so-called card-not-present fraud, such as buying goods on a website that never sees the physical card or its magnetic strip.

But POS devices collect the full magnetic strip, which makes it possible, for example, to encode that information on a dummy card for use at an ATM machine or a retailer.

Retailers have been increasing their compliance with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry. It forbids, for example, the storing of magnetic strip data on POS terminal and mandates the use of encryption.

But in 2010 Trustwave discovered new malware targeted at POS applications, one of which was capable of extracting that encrypted data.

"The POS-specific malware is the most sophisticated malware we have seen, and similar to the ATM malware we saw in 2009, as it requires deep knowledge about the workings of the POS application," Trustwave wrote.

Even though PCI-DSS is well established in North America and Europe, "these mandates are just beginning to take hold in other regions," Trustwave wrote. "For example, Latin America and Asia Pacific still lag behind other areas of the world in the identification and acknowledgement of a data breach, which adversely affects the global effort to combat attacker behavior."

Send news tips and comments to jeremy_kirk@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags frauddata protectiontrustwave

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments