Why POS systems continue to compromise consumer data

Every day, with every swipe of a credit card and every voluntary disclosure of personal data, individuals are putting themselves at risk.

An immeasurable number of organizations have sensitive personal data, such as credit card info, on file. But the reality is, nothing from the staples of American strip malls, such as Target, Home Depot, Whole Foods and Sonic, to mom and pop shops are safe from breaches.

Point of sale (POS) system breaches continue to dog retailers and customers, despite many industry best practices. Large swathes of credit card data make POS systems an appealing and highly profitable target for hackers, and companies need to fortify their bottom line security to avoid the common mistakes that result in most breaches.

Like a hacker in a credit card candy shop

Retail, hospitality and restaurant businesses, among others, use POS software to track sales, cash flow, inventory and other related data. No modern sales-based company can operate solely with a traditional cash register thanks to the rise of credit cards and digital payments.

But the average consumer would be hard pressed to find a single one of their cards which has not been used at a merchant with a compromised POS system. "Organized crime gangs have so completely overrun the hospitality and restaurant point-of-sale systems here in the United States that I just assume my card may very well be compromised whenever I use it at a restaurant or hotel bar/eatery," said Brian Krebs in his review of the 24x7 Hospitality Technology POS breach.

In fact, approximately 23% of breaches take place through a POS system, according to Stephen Boyer, CTO and founder of BitSight Technologies, which rates companies based on cybersecurity performance. But merchants are not always immediately at fault for a breach.

POS systems are often contracted out to third-party providers, which lessens the IT burden on a company but places security in the hands of an outsider. Based on varying estimates, roughly 60-70% of POS breaches involve a third party, according to Boyer.

In recent years, the breaches of 24x7 and Oracle's MICROS POS system demonstrate how dangerous these incidents are, as shown by Krebs on Security's analyses of the events. MICROS, for example, is deployed at more than 330,000 hotel, retail and food and beverage sites across 180 countries, including Starbucks, Hyatt, Hard Rock Café, Godiva, Ikea and Adidas.

"Once you go after Micros, well you don't have to go after 330,000 sites individually, you go after one. And then you have tremendous leverage to get access across many different companies and organizations," said Boyer.

Relative to other cybercrimes, POS breaches with card data are among the easiest to monetize. Once a system is breached, hackers typically sell card data in card shops and other underground forums, according to David Mainor, principal threat intelligence analyst for FireEye.

The last few years have seen a shift in how cybercriminals monetize breaches. "Since 2015, when cyberextortion kind of became like a flavor of the month which turned into a more prolonged tenure, we do see at least a small subset of cybercriminals who actually monetize illicit access by extorting victim organizations," said Mainor.

Such extortion is not limited to POS providers and retailers, as many hackers are expanding their targeted populous. The Dark Overlord hackers, for example, progressed from extorting healthcare organizations to state and local government entities and organizations in the education vertical, according to Mainor.

Hackers are also getting more than just credit card numbers. Sale transactions often involve personal emails, zip codes or entire addresses and names. As more PII is spread across POS systems vulnerable to attack, individuals are at ever more risk.

Fruitless or fruition?

Protecting against POS attacks reiterates many of the themes brought up in the recent Equifax breach.

"It just takes one gap. An attacker only has to exploit a single gap and then they're in," said Boyer, and that one gap is, more often than not, the result of an overlooked detail, failure to update or human error.

It is therefore up to companies to ensure that basic execution is practiced every day, including updating systems, training employees, understanding what risks are and closing vulnerabilities to manage different degrees of risk, according to Boyer.

One of the best ways for organizations to limit potential impacts is network segmentation, which separates the corporate network from the card data environment accumulated through the POS system, said Mainor. Without the systems tied together, companies are less susceptible to spear phishing emails, which are often the source of these breaches.

When third-party POS providers come into the mix, the company bears the burden for due diligence to ensure their security requirements are being met. The onus for security ultimately begins and ends with the company itself.

Companies need to be able to quickly identify an intrusion, measure its depth and breadth and clean it up. The 24x7 Hospitality breach spanned months, and when hackers have that long to siphon off credit card data, it makes the impact of the breach worse, said Boyer.

Breaches hitting the headlines weekly are giving consumers malaise, but increasingly sophisticated hackers and attacks will only continue to make things worse. "It is an evolving threat. We don't think its going anywhere, despite some of the headway that has been made with encryption technology," said Mainor.