A Handy AVPS Guide to Point-of-Sale Security. Pt. I: Remote Access

In our current climate of “hackery” and security breaches, the number of alerts and advisories going to out to companies like ours is on the increase. Many of these have valuable information that we feel should be passed along to our customers, so they can use these ideas, deploy them, to keep their own transactions — and their customers — as safe as possible.

pos hackingHaving recently received one such alert from a major card issuer, we hearby present a two-part guide to making sure your payment systems, and the electronic “chain of command,” are as safe as they can be in our shifting digital landscape.

This week, we focus on the “remote access” part of that chain.

There are, for example, many “remote access solutions” throughout the industry often used by retailers, especially those with multiple points-of-sale, to provide management and support, such as  LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop, to name a few. While these can all be helpful when used correctly, they can provide the very “backdoor” that cybercriminals are looking for, if misused.  This risk increases noticeably your remote access applications aren’t configured to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Common examples of such vulnerabilities — allowing those cybercriminals to gain access to your POS environment — include:

*Remote access ports and services that are always “on” via the Internet. A hacker can perform a port scan against the merchant’s own IP address, to find “soft targets,” and security lapses. Often, such remote applications run on well-known, or easy-to-predict, ports.

*Outdated and un-patched software. Older versions of applications, software, and even operating systems can eventually see their security “time out,” especially if patches and updates aren’t routinely applied.

*Using default, or simple passwords — or no password at all!  When installing new hardware or software, be sure to change passwords from any “default” password provided, and be sure passwords are unique and hard-to-guess. You’d be surprised how many aren’t. You might even more surprised at how many seemingly “secure” applications are used with no passwords, because they’re never installed!

*Use of common usernames and repeating passwords. Related to the above, sometimes merchants, or vendors, will use common, or repeating, usernames or passwords at multiple locations. Meaning that cybercriminals only need to crack one of them, once, to get in to the whole system.

*Single-step authentication. Often, “brute force” attacks can crack password-only protected systems. If your authentication system requires an additional step beyond username and password, many of these can be thwarted.

*Improperly set-up firewalls. Sometimes the very “firewall” that you think is protecting you is improperly configured or set up. Sometimes the POS system will even have a public IP address that can be directly accessible from the Internet, just like the ports we mentioned in our first bullet point!

Basically, with each of these “cascading” vulnerabilities, attacks have worked like this:  Compromised usernames and passwords were used in conjunction with remote management software left vulnerable on the Internet.

A similar pattern to recent such POS attacked suggest a single individual, or group, may be behind numerous attacks.  Once inside the merchant’s network, the cyber-intruder can then disable other anti-virus software, and install their own “malware,” which establishes that previously noted “back door” to the system.

In such systems where payment cards are used, the malware will capture relevant data — often directly from the POS system — and the extracted data is then “brought to market” on numerous “black sites” where such information is bundled and sold.

Don’t let your information — or your customers’ — be part of such a breach! Next week, in Pt. II, we’ll go over the steps you can take to mitigate security lapses and bolster your own “defenses.”

And of course, a good first step, as always, is to
contact your AVPS Rep, to make sure you’re as up-to-date as possible on software, security patches, card readers, and more!  

It’s summer, so play safe. And no matter what the season: “sell safe,” too!

Leave a Reply

Your email address will not be published. Required fields are marked *