POS Security (1): Lessons for Every Business Employing Such Systems

Posted by George Yunaev on 2015-02-12 16:00:00

POS security is one term that we’ve been hearing for more than five years now. And its dark connotations only increased in intensity with the recent Target and Home Depot breaches that shook the two retailers to their core. But it’s not only high-profile retailers that should be wary of such attacks. Smaller companies – retail chains, restaurants and other types of business – in the US, Canada, Australia and Russia have had their POS systems breached in recent months.

So regardless of industry or location, if you have a POS system in place, or you're considering employing one, you may become a target. To avoid this gloomy prospect, it's recommended you fully understand how POS systems work, what types there are and the risks they present, as well as the basic security questions you need to ask a potential POS vendor when evaluating their solution.


How do POS systems work?

Generally, POS systems work the following way:

  • The amount to charge is entered into the POS (typed in by the cashier, entered by the pump or read from a parking ticket);
  • The purchaser swipes the credit or debit card through a slot in the POS terminal;
  • The POS reads the credit card information and sends it to the processing (acquiring) bank, usually just called the acquirer, together with the amount;
  • The acquirer contacts the credit card issuer's bank to see whether the card is valid and whether any credit is still available;
  • The acquirer reports back to the POS whether the transaction was authorized or declined;
  • The POS prints the receipt and optionally notifies the cashier.
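The six steps above, modelled as an added example (this is not code from the original post or from any real POS product). The three parties exchange plain dictionaries; card numbers, credit limits, terminal id and authorization codes are constructed for illustration. The model also shows which party needs the full card number: the issuer and acquirer see it in the request, while the receipt and the acquirer's own log keep only the last four digits.

```python
from dataclasses import dataclass, field
from typing import Dict, List


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt needs to carry."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Issuer:
    """The card issuer's bank: knows each card's status and remaining credit."""
    cards: Dict[str, dict]          # constructed card table, keyed by PAN
    next_code: int = 1

    def authorize(self, pan: str, amount_cents: int) -> dict:
        card = self.cards.get(pan)
        if card is None or not card["active"]:
            return {"approved": False, "reason": "invalid card"}
        if card["available_cents"] < amount_cents:
            return {"approved": False, "reason": "insufficient credit"}
        card["available_cents"] -= amount_cents      # place a hold on the funds
        code = f"A{self.next_code:06d}"
        self.next_code += 1
        return {"approved": True, "auth_code": code}


@dataclass
class Acquirer:
    """The processing bank: relays the request to the issuer and logs the outcome."""
    issuer: Issuer
    auth_log: List[dict] = field(default_factory=list)

    def process(self, request: dict) -> dict:
        result = self.issuer.authorize(request["pan"], request["amount_cents"])
        # The acquirer's own record keeps only the last four digits of the PAN.
        self.auth_log.append({
            "terminal": request["terminal"],
            "pan_last4": request["pan"][-4:],
            "amount_cents": request["amount_cents"],
            **result,
        })
        return result


@dataclass
class PosTerminal:
    terminal_id: str
    acquirer: Acquirer

    def charge(self, amount_cents: int, pan: str) -> dict:
        # Steps 1-2: the amount is entered and the card is swiped (PAN read).
        request = {"terminal": self.terminal_id, "pan": pan, "amount_cents": amount_cents}
        # Steps 3-5: the acquirer consults the issuer and reports back.
        result = self.acquirer.process(request)
        # Step 6: the receipt carries the masked PAN and the outcome, not the card data.
        receipt = {
            "terminal": self.terminal_id,
            "amount_cents": amount_cents,
            "card": mask_pan(pan),
            "status": "APPROVED" if result["approved"] else "DECLINED",
        }
        if result["approved"]:
            receipt["auth_code"] = result["auth_code"]
        else:
            receipt["reason"] = result["reason"]
        return receipt


def demo() -> dict:
    """Run three constructed transactions and return receipts plus the acquirer log."""
    issuer = Issuer(cards={
        "4111111111111111": {"active": True, "available_cents": 50_000},   # constructed
        "5500000000000004": {"active": False, "available_cents": 0},       # constructed, cancelled
    })
    acquirer = Acquirer(issuer)
    pos = PosTerminal("REG-01", acquirer)
    receipts = [
        pos.charge(1250, "4111111111111111"),    # approved
        pos.charge(60_000, "4111111111111111"),  # declined: exceeds remaining credit
        pos.charge(500, "5500000000000004"),     # declined: card not active
    ]
    return {"receipts": receipts, "auth_log": acquirer.auth_log}


if __name__ == "__main__":
    for receipt in demo()["receipts"]:
        print(receipt)
```

Running the module prints the three receipts. The point worth noticing is that the POS only ever needs to hold the card data for the duration of `charge()`; everything it persists (receipt, terminal log) can be the masked form, which is what later sections treat as the asset a compromised terminal would try to keep.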


What POS types are there?

There are many different POS types, ranging from very simple devices to powerful computers running Windows and boasting CPU power exceeding that of your average laptop. All of them are susceptible to attacks. But each type is attacked differently.

Bad news first. There is no POS type completely invulnerable to attacks. Every POS could be attacked, but the attack complexity and the requirements for it to be successful vary.

POS terminals can be split into two general categories by platform type:

  • Specialized devices running a single program (firmware) whose only task is reading the card data, sending it to the processing bank, and printing the receipt. They usually offer very limited functionality.
  • General computers running a generic operating system: x86 or ARM-based computers running Windows, Linux or mobile OS such as Android or iOS. They can run generic applications, and the credit card processing is usually only a part of the device offering, which often comes with broader functionality, including: showing ads, processing store-issued gift cards and even accepting checks.

To process the transaction, the POS terminal has to communicate with the acquirer's server in one of the following ways:

Through a phone line. This type of POS terminal does not use the Internet. Instead, it dials the acquirer's phone number, and sends and receives the information using a built-in modem (similar to how fax machines work). This setup is typically used by older standalone specialized devices.

Through a mobile Internet connection. The POS terminal has a CDMA or GPRS module registered on the cell phone network and is connected to the Internet through that mobile connection.

Through the internal network connected to the Internet. The POS terminal is connected to the internal network, which is connected to the Internet. This setup could range from a simple WiFi access point connected to a DSL provider, to a complex network interconnecting multiple POS terminals and servers, where the POS is connected to a server, which, in turn, connects to the acquirer.


Why would hackers target a POS system?

A POS system gives attackers two avenues to monetize a POS attack:

  • Stealing credit card information

The most common and well-known avenue is stealing the credit card information. A modified POS could store the card data it reads and upload it to a remote location. This information is valuable to cybercriminals: it can be sold on the black market and then used to withdraw money or buy goods.

  • Faking the authorization

A less common, but still known, avenue is modifying the POS to recognize a specific credit card. When this card is swiped, the amount is immediately approved and authorization is given without any communication with the acquirer. Thus, someone can purchase expensive items from a physical store without spending money from their card.
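Both avenues leave traces a defender can look for, and the following added example (not code from the original post or any vendor) shows one check for each. For the first avenue, `find_track2()` scans a terminal's local files or captured traffic for magnetic-stripe Track 2 records (PAN, expiry, service code), using a Luhn check to discard random digit runs; a legitimately configured terminal has no reason to persist such records. For the second avenue, `unreconciled_approvals()` compares the terminal's own transaction log against the acquirer's authorization records: a terminal that approves a card locally produces receipts the acquirer never saw. The file contents, log records, terminal ids and card numbers are all constructed for the example.

```python
import re
from typing import List


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters random digit runs out of the candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Track 2 layout as read from the magnetic stripe: PAN, '=' separator,
# expiry (YYMM), service code, discretionary data, optional end sentinel.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")


def find_track2(blob: str) -> List[str]:
    """Return masked PANs for every Luhn-valid Track 2 record found in blob."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append("*" * (len(pan) - 4) + pan[-4:])
    return hits


def unreconciled_approvals(pos_log: List[dict], acquirer_log: List[dict]) -> List[dict]:
    """Return POS receipts marked APPROVED that the acquirer never authorized.

    A terminal altered to approve a specific card locally produces receipts
    with no matching acquirer record; a mismatch on amount is flagged as well.
    """
    authorized = {
        (a["terminal"], a["auth_code"], a["amount_cents"])
        for a in acquirer_log if a.get("approved")
    }
    return [
        t for t in pos_log
        if t["status"] == "APPROVED"
        and (t["terminal"], t.get("auth_code"), t["amount_cents"]) not in authorized
    ]


# Constructed sample: contents of a terminal's local spool/log file.
SAMPLE_DUMP = (
    "2015-02-12 09:14:03 sale terminal=REG-01 amount=12.50\n"
    ";4111111111111111=25121011234567890?\n"         # Luhn-valid Track 2: must be flagged
    "order-ref 1234567890123456=2512101 shipped\n"   # fails Luhn: ignored
)

# Constructed sample: the terminal's own transaction log ...
POS_LOG = [
    {"terminal": "REG-01", "auth_code": "A000001", "amount_cents": 1250, "status": "APPROVED"},
    {"terminal": "REG-01", "auth_code": None, "amount_cents": 899, "status": "DECLINED"},
    {"terminal": "REG-02", "auth_code": "A000002", "amount_cents": 129_900, "status": "APPROVED"},
]
# ... and the acquirer's authorization records for the same period.
ACQUIRER_LOG = [
    {"terminal": "REG-01", "auth_code": "A000001", "amount_cents": 1250, "approved": True},
    {"terminal": "REG-01", "auth_code": None, "amount_cents": 899, "approved": False},
]


if __name__ == "__main__":
    print("leaked stripe data:", find_track2(SAMPLE_DUMP))
    print("unreconciled approvals:", unreconciled_approvals(POS_LOG, ACQUIRER_LOG))
```

The reconciliation check only works if the acquirer's records are obtained independently of the terminal (a statement or API feed from the bank), since a terminal that fakes approvals could just as easily fake its own copy of the acquirer log. The Track 2 scan is deliberately noisy on purpose-built inputs: a random 16-digit number passes Luhn one time in ten, so in practice it is paired with the '=' separator and service-code layout used here rather than matching bare digit runs.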


Get more details on these two methods and learn what security questions you should ask potential vendors if you are evaluating their solutions. Download whitepaper:

POS Attacks and prevention methods

George Yunaev

George Yunaev is a Senior Software Engineer at Bitdefender. He joined the company's OEM Technology Licensing Unit in 2008, after working at Kaspersky Lab for seven years. Aside from developing SDKs for various OEM solutions, George is also providing partners and prospects with useful insights into emerging threats and potential pitfalls of technology licensing. His extensive software engineering experience of 19 years also covers reverse-engineering and malware analysis. He is based in Silicon Valley, California, and enjoys traveling and active sports such as skydiving and wakeboarding.

Topics: Threats, Network Security, Endpoint Security