New POS Vulnerabilities, Malware & Risks to the Retail Industry
Large retailers, franchises and small businesses alike have been affected this year by new vulnerabilities and malware targeting a variety of POS devices, systems and vendors.
A recent vulnerability affecting point-of-sale (POS) devices and systems has been detailed in a US-CERT in the Vulnerability Notes Database. The Honeywell OPUS Suite (OLE for Retail POS) provides a standard programming interface that allows POS hardware to be easily integrated into retail POS systems for Microsoft Windows operating systems.
Honeywell OPUS suite versions earlier than 188.8.131.52 make it possible for attackers to execute arbitary code into a targeted user’s browser process - the user has to visit a website or open file sent from an attacker in order for the attack to occur, according to the Honeywell vulnerability note. Fortunately, the vulnerability can be avoided by downloading and installing the most recent version of the software on the Honeywell website.
Whether a single phishing email or an entire campaign, getting a user to click a link or open an attachment is not particularly difficult, as a long history of data breaches have shown. Phishing attacks are widespread and affect every industry - 150k JPMorgan Chase customers were hit with phishing emails in a ‘Smash & Grab’ campaign that attempted to steal banking credentials in two ways:
- Asking users to submit their online bank account usernames and passwords
- Using a spoofed page that redirected users via a malicious iframe that installed the banking Trojan Dyre on a user’s machine
Third-party POS vendors have also been targeted in phishing campaigns, as stolen credentials are used to get access to a provider’s network and larger retail organizations’ networks.
POS Malware Types
While malware can be used against a variety of industries in a variety of ways, a few vulnerability notifications have designated certain types that target the retail industry and POS systems in particular, including:
Type: A family of POS malware
Who it affected: Seven POS system providers have confirmed multiple clients were affected and the Secret Service estimates that over 1,000 U.S. businesses were affected
What it does: Scrapes memory for credit card data, logs keystrokes, and connects with command & control servers to send stolen data.
How it’s used: Attackers scan to find users of popular remote desktop solutions, then attempt to brute force the login to get access to administrator or privileged accounts in order to deploy the Backoff POS malware.
Name: BlackPOS, also known as Kaptoxa
Type: A POS malware strain
Who it affected: BlackPOS is said to have been associated with the Target and Home Depot breaches
What it does: This type of malware parses data stored in the memory of specific POS devices, capturing track data stored on a card’s magnetic stripe immediately after it’s been swiped at a terminal.
How it’s used: Attackers get access to a company’s network or servers, typically via stolen credentials. Then they upload BlackPOS to POS machines and set up a control server to collect and deliver stolen data from infected devices.
POS System Best Practices
A US-CERT alert recommends some standard security best practices for POS system owners and operators in efforts to protect customer card data from attackers. One of their recommendations includes using strong passwords, and always changing the default passwords while installing new POS systems. Default passwords on commercial systems can be very easily found online by nearly anyone that searches for them.
Another recommendation includes updating POS software applications, which is one way to ensure you’re running the latest and most secure application to guard against known vulnerabilities (if they’re published online, they can be easily exploited too).
Exercise control over your IT environment by restricting Internet access to POS system computers or terminals to prevent users from exposing sensitive data online, and restrict remote access to POS systems. Attackers can brute force or phish credentials to remote desktop tools that give them full access to POS systems from anywhere in the world.
While the US-CERT also recommends installing firewalls and antivirus, many variants of malicious software and attacks often bypass detection by antivirus software. As antivirus solution provider Symantec told the Wall Street Journal, antivirus software only catches about 45 percent of cyberattacks. A more effective security tool strengthens access controls like authentication - two-factor authentication provides another layer of security in addition to your basic primary authentication process (username + password).
For an update on the latest threats and how to protect your organization, check out our Modern Guide to Retail Data Risks to learn:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model