Point-of-Sale Attacks Leverage Weak Remote Security and Passwords
Weak remote access security and weak passwords contributed to 94 percent of point-of-sale (POS) breaches, according to a new Trustwave Global Security Report (PDF). These weaknesses led to compromises in the retail, hospitality, and food and beverage industries.
The report found that many of the food and beverage and hospitality compromises stemmed from a dependence on remote access software to manage locations and payment systems from afar. Too often that software was deployed with weak or default credentials, making it a prime target for criminals.
In a breakdown of the types of IT environments most frequently compromised, POS systems and assets were associated with 95 percent of breaches in the food and beverage industry, according to the Trustwave report.
One example is the breach of Eataly, a chain that operates more than two dozen food halls in New York and worldwide. The company reported that its Manhattan retail location was compromised and that malware was installed to capture payment card transaction data.
Another food industry case targeted Missing Link Networks Inc., a credit card processor and POS vendor for wineries. Its consumer-direct sales platform, eCellar Systems, was breached, exposing customer names, credit and debit card numbers, billing addresses and dates of birth, as KrebsOnSecurity reported.
It isn't the only POS vendor to disclose a breach. Information Systems & Supplies reported an intrusion that used stolen credentials for its LogMeIn remote access application, and Signature Systems, another POS vendor, was compromised with stolen credentials that let the attacker remotely access its clients' POS systems, including those of Jimmy John's.
In hospitality, White Lodging Services Corporation, a hotel management company, was breached twice, once last year and again early this year; both incidents affected POS systems at hotel restaurants and lounges across the U.S. Criminals also targeted the rewards program associated with Hilton hotels, brute-forcing individual account passwords to gain access to customer accounts tied to their credit cards.
The common thread is remote access credentials: weak, default, stolen or brute-forced passwords for remote management tools appear in most of these POS breach cases. Eliminating that risk calls for a specific technical control on remote application logins rather than a reliance on password strength alone.
With two-factor authentication, POS vendors and other retail companies can add a second layer of security to remote logins and cut off unauthorized remote users. After entering a username and password, the user must approve a second request to verify their identity, typically on their mobile phone. A stolen or guessed password alone is then no longer enough: without the enrolled device, an attacker is denied access to payment card systems and customer data. Two-factor authentication does not replace the basics, though: default credentials on remote access software still need to be changed, and the second factor must be enforced on every remote login path, not just the one administrators use most.
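To make the control concrete, the following is an added example (not code from the original post, from Trustwave, or from any vendor named above) of a remote-access login that requires a second factor. It uses a time-based one-time code (RFC 6238 TOTP) generated from a shared secret rather than the push approval the text describes, so it runs offline; the security property is the same: a password on its own, however it was obtained, does not log the attacker in. The account name, password, salt and TOTP secret are constructed values (the secret is the RFC 6238 test-vector secret), and the `ACCOUNTS` store, `login` and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: password + TOTP second factor for a remote-access login.
# All account data below is constructed; nothing here is a real credential.
STEP_SECONDS = 30   # TOTP time step
WINDOW_STEPS = 1    # accept one step of clock skew either side of "now"
PBKDF2_ITERATIONS = 100_000
PBKDF2_SALT = b"constructed-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PBKDF2_SALT, PBKDF2_ITERATIONS)

# Hypothetical account store. The TOTP secret is what the user's phone app
# holds; an attacker who guessed or stole the password does not have it.
# Secret is the RFC 6238 test-vector secret "12345678901234567890" in base32.
ACCOUNTS = {
    "pos-admin": {
        "pw_hash": _hash_password("Welcome1"),
        "totp_secret": base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
        "last_counter": -1,   # last accepted time step, used to reject replays
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // STEP_SECONDS), digits)

def check_password(account: dict, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password), account["pw_hash"])

def check_totp(account: dict, code: str, now: float) -> bool:
    """Accept the code for the current step or one step either side, never twice."""
    current = int(now // STEP_SECONDS)
    for counter in range(current - WINDOW_STEPS, current + WINDOW_STEPS + 1):
        if counter <= account["last_counter"]:
            continue  # this step (or an older one) was already consumed: replay
        if hmac.compare_digest(hotp(account["totp_secret"], counter), code):
            account["last_counter"] = counter
            return True
    return False

def login(username: str, password: str, code: str, now: float = None) -> bool:
    """Remote-access login: succeeds only if password AND second factor are valid."""
    if now is None:
        now = time.time()
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    # Password first: a wrong password must not consume a valid code, or a
    # guesser could burn the legitimate user's current code.
    if not check_password(account, password):
        return False
    return check_totp(account, code, now)

if __name__ == "__main__":
    secret = ACCOUNTS["pos-admin"]["totp_secret"]
    now = time.time()
    print("password only, no code:", login("pos-admin", "Welcome1", "000000", now))
    print("password + phone code:", login("pos-admin", "Welcome1", totp(secret, now), now))
    print("same code replayed:   ", login("pos-admin", "Welcome1", totp(secret, now), now))
```

The replay check matters in practice: a code phished from the user or captured from a keylogger is only useful for one time step and only once, and the server never accepts a step it has already honoured. Both comparisons use `hmac.compare_digest` so a wrong password or code fails in constant time.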
Want to learn more? Check out our Modern Guide to Retail Data Risks, or watch a webinar on PCI DSS 3.0.