In POS Security: Lessons for Every Business Employing Such Systems we show how important it is for a retailer or any type of business processing credit card payments to fully understand how POS systems work and the security risks.
In this article, we’ll cover POS attack vectors and ways to detect and even prevent them. There are several ways someone may attack a POS, and we’ll analyze them one by one.
1. Attack on the POS device
This attack requires physical or Internet access to the POS.
1.1. Attacks on specialized devices
For specialized devices, the attacker could replace the existing firmware with malicious firmware. Once the credit card transaction is processed, it will store a copy of the credit card information. Then this data could be uploaded to a remote server or copied to the local storage.Such attacks require physical access to the device and, in some cases, disassembling the device. It could also be done by replacing the device altogether. Of course, such attacks could only be performed by the personnel having the required access and tools – service personnel, in most cases.
Firmware is another minor issue. While it requires a lot of skill to retrieve and modify existing firmware, and find a way to upload it, there are a number of black market hacker groups offering such “services” for a fee, or for a share of “profits”. This typically means that certain percentage of the retrieved credit card numbers is kept by the hackers providing the modified firmware as payment for their “services”. Some groups even offer a turn-key service, such as “install our firmware and get paid”. This approach is even more dangerous as it lures people with a continuous flow of “easy money” for a one-time job. Of course, nothing would prevent those criminals from going back on their promise – after all, it is unlikely this kind of agreement would be enforced by the court. Also, the hacker may prevent the standard way of updating or restoring the original firmware. As a consequence, it would prevent the service worker to get rid of it without exposing themself to the crime.
New smartcard POS readers come with additional risks. The newer readers can be reprogrammed to copy the collected credit card information and transfer it into the chip of a special credit card. This way the POS does not expose any illegitimate traffic, and may be completely impossible to diagnose.
1.2. Attacks computers running POS software
Attacking computers is much easier than attacking specialized devices. After all, malware writers have been doing this for over twenty years now, and have developed significant experience. This experience could be used to break into the POS machine, infect it, connect to the remote server, and send the data to it. The only new experience needed is to access the actual credit card information.
Most malware use simple memory scraping to steal credit card information. It appears that most POS software reads the credit card tracks into memory and stores it unencrypted for long enough time. This allows the malware, running in the separate process, access the memory of the POS process, and retrieve the credit card numbers. Since this involves no modification of the original process, this activity will likely go unnoticed for really long time.It is also possible to patch the processing software, or even completely replace it with different software. Since the POS software is just an application running on a computer, typically with no hardening or verification, this is easy to do. This would allow the attackers to implement any functionality they want, such as: processing certain fake cards, issuing fake receipts that could be used to obtain refunds for non-purchased merchandize, and asking the customer additional “verification” questions such as date of birth, social security number, or zip code. This is difficult to achieve for a hackers attacking generic POS, since each POS device has a different user interface and functionality. But if the attackers target a specific store running a single, uniform version of the software, it can be done.
The same approach can apply to specialized devices. Dedicated malware applications are available on the black market and could be purchased and modified as needed. There are ready-to-use binaries that are available to people who can install them on POS machines for a share of profit. This means that, for example, criminals can infect the POS even without possessing any technical knowledge about how to write malware, or how to monetize the stolen credit card data.
2. Attacks on the communication between the POS and the acquirer
Instead of breaking into the POS device or devices, the attackers can target the network connection between the POS and the acquirer. This attack typically requires physical access to the POS network or network control infrastructure, but it does not require access to the actual POS devices.If the encryption protocol is not implemented properly (or, worse, not implemented at all), the attacker can get the credit card data right off the wire, without breaking into or modifying anything. In the worst case, the POS connects to the Internet through Wi-Fi, so not only the data is being sent unencrypted, but it is also being sent over the air, making it available to anyone with a Wi-Fi traffic sniffer.
Obviously, this is a borderline case and most (hopefully all) vendors do not make it that simple for hackers. Even vendors implementing proper security measures may be in danger. While the security measures were effective at the time of implementation time, the advances in cryptanalysis and the exploits found in secure communication protocols since the installation can make them ineffective. For example, several major security flaws were recently found in a very popular open-source security library OpenSSL.
These would allow an attacker to compromise the traffic encryption keys and therefore use a sniffer on an otherwise secure connection.The main danger of this attack is that it can go unnoticed for long time. It can survive POS software upgrades and even device upgrades, unless the new software uses a completely different encryption scheme. Also, it does not require access to actual POS devices, and therefore may be performed by someone visiting the store – even by customers who can plug a small computer into an available Ethernet socket connected to the local network. The specialized malware could be obtained from cybercriminal network.
A subset of this attack could also be performed through the technology called DNS spoofing, when the hacker replaces the acquirer IP server address with the address of a rogue server. This would essentially force the POS software to communicate with the rogue server instead of the acquirer, which would then allow – if the encryption is broken – to spoof credit card data, or even replace the authorization responses. The danger is that it doesn't even require the attackers to be in the same country as their target! If the POS speaks a known or reverse-engineered protocol, connects to the server by its domain name, and does not authenticate the server, all the attacker needs to do is to replace the DNS entry for the acquirer server, and set up the proxy, which could be somewhere in a remote country where the computer crimes committed by its citizens in foreign states are rarely prosecuted.
Another attack could be performed on phone-based POS devices through a special device emulating the phone line, and dialing a different number when the device tries to dial the acquirer. The software on the opposite side acts as man-in-the-middle, snoops or modifies the traffic. Encryption seems to be rare for phone-based POS, so the attacker usually gets raw data.
3. Attacks on the acquirer server
A much less common, but still possible, is an attack on the acquirer's processing server. The obvious benefits here are that the server is processing transactions from a large number of merchants. This would allow the attackers to access credit card information from not only one merchant, but several, without coming even close to their premises.Those attacks however are much harder to perform, because the processing companies are typically better at security than retail shops. So those servers are much more likely to run up-to-date software, and be periodically checked for breaches and protected by the quality security solutions and appliances.
Want to learn more about POS attacks and ways to protect against them?