Cybercriminals targeting point-of-sale devices

Even with PCI regulations, smaller retailers face challenges in security credit card transactions

Point-of-sale payment processing devices for credit and debit cards are proving to be rich targets for cybercriminals due to lax security controls, particularly among small businesses, according to a report from Trustwave.

Trustwave, which investigates payment card breaches for companies such as American Express, Visa and MasterCard, conducted 220 investigations worldwide involving data breaches in 2010. The vast majority of those cases came down to weaknesses in POS devices.

"Representing many targets and due to well-known vulnerabilities, POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud," according to Trustwave's Global Security Report 2011.

POS devices read the magnetic stripe on the back of a card that contains account information, which is then transmitted for payment processing.

Although there are rules for security controls that developers should use for the devices, such as the Payment Application Data Security standard (PA-DSS), Trustwave said that "these controls are rarely implemented properly."

Further, many small businesses rely on third-party integrators to support the POS devices. But those integrators often have poor security practices. In 87 percent of the breach cases it studied, the integrators make mistakes such as using default credentials in operating systems or with remote access systems, Trustwave said.

"In our experience, many POS integrators are often not skilled in security best practices, leaving their clients open for attack," the report said. "For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions."

POS devices are an attractive target for cybercriminals since the data they access from the cards is more complete, Trustwave said. For example, an attack against an e-commerce website may yield a credit card number and the card's expiration date -- information that can only be used in so-called card-not-present fraud, such as buying goods on a website that never sees the physical card or its magnetic strip.

But POS devices collect the full magnetic strip, which makes it possible, for example, to encode that information on a dummy card for use at an ATM machine or a retailer.

Retailers have been increasing their compliance with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry. It forbids, for example, the storing of magnetic strip data on POS terminal and mandates the use of encryption.

But in 2010 Trustwave discovered new malware targeted at POS applications, one of which was capable of extracting that encrypted data.

"The POS-specific malware is the most sophisticated malware we have seen, and similar to the ATM malware we saw in 2009, as it requires deep knowledge about the workings of the POS application," Trustwave wrote.

Even though PCI-DSS is well established in North America and Europe, "these mandates are just beginning to take hold in other regions," Trustwave wrote. "For example, Latin America and Asia Pacific still lag behind other areas of the world in the identification and acknowledgement of a data breach, which adversely affects the global effort to combat attacker behavior."

Send news tips and comments to jeremy_kirk@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags frauddata protectiontrustwave

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?