The travails of small retail and hospitality businesses struggling with hackers have been documented for years in the annual Verizon Data Breach Investigations Report. Mom-and-pop businesses, small restaurants and regional hotel chains are perfect targets of opportunity for attackers adept at scanning for and exploiting vulnerabilities in point-of-sale systems.
Even the big boys such as Target and Neiman Marcus have a hard time adequately securing the systems and terminals responsible for processing customers’ payment card transactions.
At the upcoming Black Hat USA conference in Las Vegas, researcher Lucas Zaichowsky, enterprise defense architect at AccessData, hopes his talk on point of sale system architecture and security will be a call to action.
“Point of sale architecture and security is such a niche industry in terms of how to secure these systems and how card data flows. It’s like a big black box; those who know it well are few and far between,” he said. “Even PCI auditors don’t understand it all that well.”
Zaichowsky hopes that his talk in front of a captive and highly technical Black Hat audience will inspire some to reach out to their respective local communities and educate point-of-sale dealers and integrators about security issues in those systems.
“Mom and pop businesses have a POS dealer they buy from and pay them to maintain their systems, but the dealers don’t understand security themselves,” Zaichowsky said.
Most dealers rely on remote management clients such as VNC or PCAnywhere, or Microsoft’s Remote Desktop Protocol (RDP) to look after point of sale systems. They use these clients to do port-forwarding in order to remotely support their customers’ terminals and systems.
“One of them might have a bad password or an old, vulnerable version of the software. Attackers are after small businesses and they do nothing but port scan on the Net for VNC and use a brute-force attack or an exploit to gain access,” Zaichowsky said. “If they get in there, they’ve got local admin rights. The weakness is that the dealers aren’t security savvy. Most of them are power users running their own businesses. And the merchants don’t understand, or don’t think they’ll get hacked. That’s why they’re targeted and end up victims of a drive-by scan. They’re thinking they’re OK because the dealer takes care of security.”
Opportunistic—and automated—attacks against retailers exploit weak or default passwords with precision. The Verizon DBIR identified the use of stolen credentials as the top threat action in this year’s report, topping data exfiltration and RAM scraper malware.
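The drive-by scan-and-brute-force pattern described above leaves a telltale trace on the merchant's own systems: a burst of authentication failures against the remote-management service, often followed by a success. The following is an added example (not from the article, AccessData, or any POS vendor) that flags a source address which racks up repeated RDP or VNC failures inside a short window, and separately flags a login from that same source right after the burst; the log format, IP addresses and thresholds are constructed assumptions a site would adapt to its own logs.

```python
"""Flag password guessing against an exposed remote-management service
(RDP/VNC) from authentication log lines.

Added example; not code from the article or from AccessData. The log format
below is a constructed, simplified one (timestamp, service, result, source
IP, user); the threshold and window are assumptions to tune per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers RDP with several account names in
# a few seconds and then gets in; another source logs in normally once.
SAMPLE_LOG = """\
2014-07-01T02:14:05 rdp FAIL src=203.0.113.7 user=administrator
2014-07-01T02:14:06 rdp FAIL src=203.0.113.7 user=admin
2014-07-01T02:14:07 rdp FAIL src=203.0.113.7 user=pos
2014-07-01T02:14:08 rdp FAIL src=203.0.113.7 user=manager
2014-07-01T02:14:09 rdp FAIL src=203.0.113.7 user=support
2014-07-01T02:14:10 rdp FAIL src=203.0.113.7 user=administrator
2014-07-01T02:14:11 rdp OK src=203.0.113.7 user=administrator
2014-07-01T02:30:00 vnc OK src=198.51.100.4 user=dealer
"""

def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, service, result, src, user = line.split()
    return (datetime.fromisoformat(ts), service, result,
            src.split("=", 1)[1], user.split("=", 1)[1])

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (src_ip, service, kind) alerts.

    kind is 'burst' when a source reaches `threshold` failures within
    `window`, and 'success_after_burst' when that same source then logs in,
    which is the case a defender wants paged about: the guessing worked.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    flagged = set()               # sources already alerted as bursting
    alerts = []
    for line in log_text.splitlines():
        ts, service, result, src, _user = parse_line(line)
        fails = recent[src]
        while fails and ts - fails[0] > window:   # expire old failures
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, service, "burst"))
        elif result == "OK" and src in flagged:
            alerts.append((src, service, "success_after_burst"))
    return alerts
```

Feeding the real RDP or VNC failure events into `find_bruteforce` in place of the constructed sample is all that changes for a production run; the same sliding-window logic applies.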
RAM scrapers gained headline-type attention upon the disclosure of the Target breach over the 2013 holiday season. Attackers were able to infiltrate the giant retailer’s systems, inject the malware into running processes and steal payment card data before it was encrypted by the point of sale system and the Windows backend systems that manage them. Attackers in the Target breach were able to steal 40 million credit and debit card numbers, and the personal information of up to 70 million customers.
While Windows—even the no-longer-supported Windows XP—manages many of these systems, this is hardly a Windows problem, Zaichowsky said. He says that even opportunistic attackers are savvy enough to use point of sale systems as an initial entry point into a retailer’s network. Once in, they’re just as likely to pivot about, install more malware, and steal more than payment card information.
“I hope to get the word out to the community to educate point of sale dealers and small businesses with practical advice that will keep them from being the low hanging fruit out there,” Zaichowsky said. “And for larger targets, they need to spend money on point-to-point encryption and never underestimate financial criminals. It’s not like Target and the others had poor security, it’s just that the bad guys are very good at what they’re doing.”