Blog · 11 Dec 2017

Don't let your PoS be a Point-of-Steal

There are now more ways to pay for things than ever before, which is great for shoppers. But for the cyber-criminal, it just means more opportunities to steal.

Head of Customer Innovation: Energy, Resources and Manufacturing, BT.

More opportunities to steal? 

When we go shopping these days, whether it’s online or on the high street, we don’t leave just our cash behind. We also leave vast amounts of data: credit card details, names, addresses, email, personal information, and so on. Retailers encourage this because it helps them pinpoint their marketing spend and build our loyalty.

Trouble is, cyber-criminals love this stuff, too. Our data is all they need to steal our identities, set up fraudulent accounts, and go on an everything-in-the-basket shopping spree. And here’s the rub: the more new, easy ways we find to pay for stuff using new technology, the more ways that cyber-criminals find to steal data and cause mayhem.  

Double trouble, data theft and ransom demands

There are two main threats facing retailers on the digital security front: data theft and ransomware.

Let’s look at data theft first.

Point-of-Sale (PoS) malware targets the memory of your PoS devices. During the brief window in each transaction when the card data (credit or debit, it's not fussy: the card number, expiry and the rest of the magnetic-stripe track data) sits unencrypted in the payment application's memory, the malware reads that memory, pattern-matches the track data and copies it out. The technique is called 'RAM scraping', and because it runs inside the till it works regardless of how well the traffic is encrypted on the wire; only point-to-point encryption (P2PE) performed in the card reader itself keeps the clear-text data out of the PoS memory in the first place.
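The scrape itself is a pattern match, which means you can turn it around and use it as a check. The script below is an added example, not code from the original post or from any real RAM scraper: it scans a memory buffer for Track 1 and Track 2 records, drops random digit runs with a Luhn check, and reports masked card numbers. Dump the memory of your payment process (with a tool such as procdump or gcore, outside this script) and feed it in; if anything comes back, card data is sitting in the clear where malware can read it. The sample buffer, the regexes and the function names are all assumptions made for the example, and the card numbers are the standard Visa and Mastercard test numbers.

```python
"""Scan a memory buffer for unencrypted payment-card track data.

Added example (not from the original post): the kind of pattern match
a RAM scraper uses, used here as a check that your PoS process does
not hold card data in the clear. The sample buffer below is
constructed; the PANs are the usual test numbers.
"""
import re

# Track 2 as written to the magstripe: ;PAN=YYMM<service code>...?
# (PAN is 13-19 digits, YYMM is the expiry)
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})\d{3,}\??")
# Track 1 format B: %B<PAN>^SURNAME/FIRST^YYMM<service code>...?
TRACK1_RE = re.compile(rb"%?B(\d{13,19})\^([A-Z /.\-']{2,26})\^(\d{2})(\d{2})\d{3,}\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; removes most false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI DSS style masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return one masked hit per Luhn-valid track record found in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan), "offset": m.start(),
                         "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan), "offset": m.start(),
                         "name": m.group(2).decode().strip()})
    return hits


# Constructed sample: roughly what a dump of a payment process might hold,
# with test card numbers (Visa 4111..., Mastercard 5555...) and some noise.
SAMPLE_DUMP = (
    b"\x00\x00POS_TXN_START\x00"
    b";4111111111111111=25121011234567890?\x00\x00"          # Track 2, Luhn-valid
    b"%B5555555555554444^DOE/JANE^2512101123456789?\x00"     # Track 1, Luhn-valid
    b";1234567890123456=25121010000?"                        # fails Luhn: ignored
    b"\x00TXN_END\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(hit)
```

A clean result on a real dump is only meaningful if the dump was taken while a transaction was in flight, so take several during busy trading rather than one at the start of the day.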

But how does the malware get there in the first place? The simple answer is that, more often than not, an employee inadvertently invites it in.

Good to talk? Depends who’s calling …

Social engineering is one of the oldest tricks in the conman’s book. Where criminals used to phone your contact centre and hoodwink the agent into giving up confidential information, like a customer’s account number or address, they now use the digital equivalent – the phishing email.

The problem here is that, although you may have what looks like a watertight security policy in place, it’ll soon spring a leak if your employees don’t stick to it or understand it. And because the retail industry is characterised by a high proportion of employees with little technical experience, educating your workforce about how to spot and deal with a phishing email is vitally important.

That said, this type of data-theft attack looks to be on the wane: the adoption of EMV (Europay, MasterCard and Visa) chip-enabled PoS systems and the widespread implementation of PCI DSS (the Payment Card Industry Data Security Standard) have seen an 88 per cent reduction in new PoS malware variants, according to SonicWALL. One caveat: a chip transaction doesn't stop a RAM scraper reading the card data, it makes the stolen data far less useful, because without the chip's one-time cryptogram it can't be replayed to clone a card.

That’s the good news. The (very) bad news is that ransomware attacks have gone in the opposite direction, fast. In just one year, 2015-16, they increased by a factor of 167 (no, that isn’t a typo and it isn’t a percentage).

As far as cyber-criminals are concerned, ransomware is the new black art.

Holding business to ransom, literally

Retailers are vulnerable to ransomware attacks because downtime, whether of the website, the tills or the stock system, is directly linked to revenue. It’s a classic time-is-money scenario: the longer you hold out against the criminals’ demands, the more you lose, and paying is no guarantee that you get working systems back, which is why tested, offline backups matter more than the size of your ransom budget. Of course, as the 2017 WannaCry attack on various NHS Trusts showed, ransomware means big trouble for everyone, not just retailers.

It’s essential that you have a 360-degree view of security. It’s not just your PoS, your internal systems, your IoT devices, and so on that you need to worry about. You must have sight of potential security breaches when you’re engaging with third parties. If a third party has access to your systems, you’ve got to be pretty damn sure that cyber-criminals can’t access your data and systems, either through using the third party as a conduit or by hacking your data from where it’s stored on the third party’s system.

You’re only as secure as the weakest point in your weakest supplier

Here’s a salutary tale for you.

In 2013, the US retailer Target found that attackers had stolen data from 40 million debit and credit cards.

How had they done it?

Well, it wasn’t by hacking Target directly. No, they hacked Target’s air-conditioning supplier, whose engineers used Target’s VPN (Virtual Private Network) to access the network remotely. The thieves simply stole the supplier’s VPN credentials, logged into Target as the supplier, worked their way across the network to the PoS systems, and made off with a very large bag marked ‘Digital swag’ (OK, I made up the bit about the bag but you get the picture).

Of course, protecting yourself against PoS malware and ransomware should be part of your standard security policy. And many retailers believe it already is. But, here’s the thing, Tripwire found that although 90 per cent of the retailers they interviewed said they could detect a critical data breach within a week, only 55 per cent of IT professionals said they checked security compliance ‘at least weekly’.


And it gets worse.  

Fifty per cent of the respondents reported that they ‘only partially or marginally implemented’ antivirus tools, intrusion detection systems, and whitelisting solutions over the last year.

Eight questions to stop you getting a ransom demand

So, you can see that there’s still a way to go before the retail industry even gets to first base when it comes to basic digital security. For starters, I suggest you ask yourself these questions:

  1. Do you have firewalls between your internal networks, not just at the perimeter?
  2. Are all your endpoints secured and patched, tills included?
  3. Do you encrypt cardholder data at rest and again in transit (TLS, rather than the obsolete SSL)?
  4. Do you have file integrity monitoring (FIM) in place on your PoS and cardholder-data systems?
  5. Do you use two-factor authentication for all remote access into, and all configuration changes to, the CDE (Cardholder Data Environment)?
  6. Do you monitor all network and data access, and would anyone notice a supplier’s account logging in at 3am?
  7. Have you made sure that only specific whitelisted apps are able to run on the PoS systems?
  8. Have you developed a segmentation strategy that covers any third parties you’re working with, so that a supplier’s access stops well short of the CDE?
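Questions 5, 6 and 8 are exactly the ones the Target tale above is about, and they can be turned into a routine check rather than a once-a-year audit. The script below is an added example, not code from the original post or from BT's or Target's tooling: it reads remote-access log lines, looks each account up in a per-account policy (which networks it may reach, when, and whether MFA is mandatory), and reports every violation. The log format, the account names, the IP ranges, the maintenance window and the sample lines are all constructed for the example; adapt the parser to whatever your VPN concentrator or jump host actually writes.

```python
"""Audit third-party remote-access logs against a segmentation policy.

Added example (not from the original post, and not BT's or Target's
tooling): one way to put a recurring check behind the questions on
MFA, monitoring and third-party segmentation. Every name, range and
log line below is constructed for the example.
"""
import ipaddress
from datetime import datetime

# Constructed policy: which accounts may reach which networks, and when.
# Third-party (supplier) accounts get a narrow allow-list and must use MFA.
POLICY = {
    "hvac-vendor": {
        "third_party": True,
        "allowed_nets": ["10.50.0.0/16"],      # building-management VLAN only
        "hours": (8, 18),                      # 08:00-18:00 maintenance window
    },
    "pos-admin": {
        "third_party": False,
        "allowed_nets": ["10.10.0.0/16", "10.50.0.0/16"],  # includes the CDE
        "hours": (0, 24),
    },
}
CDE_NETS = ["10.10.0.0/16"]   # constructed cardholder data environment range


def in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the CIDR ranges in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def parse_line(line: str) -> dict:
    """Parse '<iso timestamp> user=... src=... dst=... mfa=yes|no' (constructed format)."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit(lines) -> list:
    """Return one finding per policy violation; an empty list means clean."""
    findings = []
    for line in lines:
        r = parse_line(line)
        pol = POLICY.get(r["user"])
        if pol is None:
            findings.append(f"{r['ts']} {r['user']}: unknown account")
            continue
        if pol["third_party"] and r["mfa"] != "yes":
            findings.append(f"{r['ts']} {r['user']}: third party logged in without MFA")
        start, end = pol["hours"]
        if not start <= r["ts"].hour < end:
            findings.append(f"{r['ts']} {r['user']}: access outside "
                            f"{start:02d}:00-{end:02d}:00 window")
        if not in_any(r["dst"], pol["allowed_nets"]):
            findings.append(f"{r['ts']} {r['user']}: reached {r['dst']} "
                            f"outside allowed networks")
        if pol["third_party"] and in_any(r["dst"], CDE_NETS):
            findings.append(f"{r['ts']} {r['user']}: third-party account "
                            f"touched the CDE ({r['dst']})")
    return findings


# Constructed sample log: a normal supplier session, a normal admin session,
# then one that looks like the Target pattern: supplier credentials used at
# night, without MFA, to reach a PoS host inside the cardholder data environment.
SAMPLE_LOG = [
    "2017-12-01T10:15:00 user=hvac-vendor src=203.0.113.7 dst=10.50.2.10 mfa=yes",
    "2017-12-01T11:02:00 user=pos-admin src=10.1.1.5 dst=10.10.4.21 mfa=yes",
    "2017-12-02T02:41:00 user=hvac-vendor src=198.51.100.9 dst=10.10.4.21 mfa=no",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("ALERT", finding)
```

The last line in the sample trips four separate rules, which is the point: a check like this should not depend on any single control having worked. If the firewall between the supplier VLAN and the CDE had been in place (question 1), the third finding could never occur; the audit is there to catch the day it isn't.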

If you can’t answer ‘yes’ to every question, you’re effectively leaving your shop wide open every night.

Can you deal with the consequences?