Unless you’ve been living down in the bat cave, you’ve heard about the theft of more than five million credit cards from Lord & Taylor and Saks Fifth Avenue. This is being called one of the largest attacks ever on a retailer and is putting increased focus on defensive measures against hacking of credit card data. Before this can happen, organizations need to understand why point-of-sale (POS) systems are vulnerable to attacks.
At the end of the day, a POS system is a computer system. Just like any other endpoint, it is subject to malware and organizations try their best to keep it secure. Most use antivirus. Many also take extra precautions to protect high risk workloads like credit card transactions, deploying more stringent security controls such as whitelisting and file integrity monitoring.
Even so, POS systems AREN’T SAFE. Cybercriminals can easily bypass all of these protections. Here’s why:
Antivirus on the POS system – Antivirus protection, even the next-generation kind, can’t protect against all unknown malware. I’ve written a blog called the Evolution of Endpoint Security that explains why, so you can refer to this for additional details.
Application Whitelisting on the POS system – The goal of application whitelisting is to control what software can run on a POS system – so called whitelisted applications – and block everything else. Maintenance wise, whitelisting is usually better suited for POS system protection than for endpoint protection because POS systems have fairly static environments that don’t require a lot of application updates.
However, whitelisting doesn’t provide the degree of POS system lock down that many believe it does. Attackers can get around this security control by corrupting the whitelist or by exploiting a vulnerability in a whitelisted application. The latter is exactly the technique used by LockPos, point-of-sale malware that injects malicious code into a remote process.1
Plus, application whitelisting isn’t effective against fileless malware that exists only in memory rather than installed on the POS system’s hard drive. For example, RAM-scraping malware is able to access card data while it is being processed in system memory in an unencrypted form.
File Integrity Monitoring (FIM) on the POS System – FIM is a security control that validates the integrity of operating system and application software files by comparing the current file state against a known, good baseline. FIM provides continuous information about change events in files and helps organizations comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements 10.5.5 and 11.5.
FIM, just like application whitelisting, doesn’t address fileless attacks, indicating a huge opportunity for hackers. The group behind the Lord & Taylor and Saks Fifth Avenue JokerStash, also known as FIN7, is already ramping up their use of this technique.2
OS-Centric Positive Security – We recommend a layered security approach to protect POS systems. OS-Centric Positive Security works seamlessly with POS security controls to shield these systems from new, unknown and fileless malware, zero-day exploits and advanced persistent threats. It offers Threat-Agnostic Defense, protecting POS systems regardless of the attack vector, type of attack or how, where, or when an attack penetrates an organization.
