POS Remote Access Software: Vulnerable Without 2FA
Breaches of card data and point of sale systems often involve remote access management tools - attackers may scan the Internet for remote administration software, then use automated tools to break into systems protected only by weak passwords. It’s important to remember that the security practices of your third-party POS software vendors, resellers and subcontractors can affect your security health.
Default Credentials Lead to POS Software Breach
One example, posed by KrebsOnSecurity.com, involves the exploitation of car wash point-of-sale software, specifically Symantec’s pcAnywhere remote access software. The attackers used a set of default credentials that gave them remote access to the POS software and allowed them to steal credit card numbers.
While default passwords guarding any type of application or login are a basic security issue, pcAnywhere has a checkered past when it comes to security, making it a poor fit for any system that handles sensitive information such as credit cardholder data. Read more about the dangers of default passwords in Default Passwords: Breaching ATMs, Highway Signs & POS Devices.
Back in 2012, the company advised users to disable the remote access tool after the software’s source code (dated in 2006) was accessed and publicly posted online. While the company released security patches to deal with the issue, not everyone updated their software, leaving them vulnerable to a possible attack, according to PCMag.com. Another security company reported that even patched versions may be vulnerable.
This shows the risk of software that is developed and then left unchanged for too long: an outdated remote access tool becomes an easy target for authentication attacks. According to Krebs, the breached car wash companies were running older, unpatched versions of the remote access software, leaving them susceptible to such attacks.
And, according to US-CERT, certain types of malware targeting POS software rely on default passwords and remote access, which shows that this kind of POS remote access software isn’t exactly ideal:
Researchers surmise that Dexter and some of its variants could be delivered to the POS systems via phishing emails or the malicious actors could be taking advantage of default credentials to access the systems remotely, both of which are common infection vectors. Network and host based vulnerabilities, such as weak credentials accessible over Remote Desktop, open wireless networks that include a POS machine and physical access (unauthorized or misuse) are all also candidates for infection.
In fact, US-CERT also recommends updating POS software applications, a basic when it comes to best security practices:
Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.
POS Vendor Breach Affects Multiple Franchises
Downstream, vendors, resellers and even subcontractors can harm your security health. POS and security systems provider Information Systems & Supplies Inc. (ISS) recently notified its food industry clients that card data may have been exposed, as BankInfoSecurity.com reports.
ISS is an independent reseller of POS products sold by a software vendor that lists Dairy Queen, Buffalo Wild Wings, Taco Time and others as clients, so those franchises may be affected, although this has not yet been confirmed.
ISS was breached when yet another company’s remote access credentials were compromised: those of its remote access and systems management provider, LogMeIn. The Boston-based file sharing and data backup company reports it may have been breached via a phishing attack.
ISS reports that it changed all of its LogMeIn credentials and added a secondary unique password, according to a letter sent to its customers.
However, there’s no word on what kind of ‘secondary unique password’ was added, and employing two passwords on the same account may not be much more secure. What ISS (and other organizations concerned about security) should consider is adding a second factor to account logins, one that performs authentication over a network or channel separate from the primary one.
With a two-factor authentication mobile app, you can leverage a separate network to verify your identity, allowing for greater security: without possessing your actual device, remote attackers won’t be able to access your accounts remotely.
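As an added illustration (not code from the post or from any vendor named in it), the following Python sketch shows a remote-access login gate that refuses placeholder default credential pairs and requires a time-based one-time code (RFC 6238 TOTP) generated on a separate device; the account names, passwords, default pairs and secrets are constructed sample values, and a real system would store password hashes rather than the plaintext used here for brevity.

```python
import hashlib
import hmac
import struct
import time

# Constructed placeholder default-credential pairs (not real vendor defaults):
# logins using any of these are refused outright, as the post's breaches show why.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("administrator", "password")}

# Constructed sample account. The TOTP secret lives only on the user's device
# and on the server; a phished password alone cannot reproduce the code.
USERS = {
    "carwash-admin": {"password": "Str0ng!Pass", "totp_secret": b"12345678901234567890"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def authenticate(username: str, password: str, otp_code, now: float = None) -> str:
    """Gate a remote-access login on a non-default password AND a valid TOTP code."""
    now = time.time() if now is None else now
    if (username, password) in DEFAULT_CREDENTIALS:
        return "rejected: default credential"
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "rejected: bad password"
    if otp_code is None:
        return "rejected: second factor required"
    # Accept the current step plus one step either side to tolerate clock drift.
    for skew in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + skew * 30)
        if hmac.compare_digest(expected, str(otp_code)):
            return "ok"
    return "rejected: bad second factor"
```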
Read more about retail and POS security in:
Default Passwords: Breaching ATMs, Highway Signs & POS Devices
Target Breach: Vendor Password Exploit