RSA 2015: Point-of-sale system security is lacking
“In most POS breaches you read about in the news, or perhaps you don't read about in the news, the vulnerabilities that are exploited and cause the breach are relatively simple,” Charles Henderson, VP of Managed Security Testing with Trustwave, said. “They're easily preventable things.”
In some instances it is a matter of poor physical security, such as bad locks and easy access to ports, which gives attackers direct access to the systems. Other times the issue is a lack of updated antivirus software, the use of symmetric rather than asymmetric encryption, or the use of default passwords.
As an example, Henderson said that the default password for all products by one unnamed vendor is ‘166816’ or ‘Z66816’, and has been since 1990. He explained that, when tested, 90 percent of these terminals still have that code.
“If this is your POS password, please change it,” Henderson said.
Henderson and Byrne also talked about how allowing software to run on POS systems only opens the door for devices to be infected with malware, such as Backoff and, more recently, Punkey. Henderson said that looking for malware signatures is a step in the right direction, but he indicated that it is not enough: users need to remain proactive in order to stay ahead of threats.
Some key takeaways: do not store payment card data on registers, enforce strong authentication policies, do not run POS systems as administrator, and keep systems patched and antivirus signatures current.