By Nicholas Ibenu
Data breaches continue to rise, and as a result there has never been a more precarious time to launch and maintain a successful business. To avoid repeating the mistakes that lead to data breaches, we have to stay informed about the techniques cybercriminals currently use to compromise credit and debit cards.
IBM's 2018 Cost of a Data Breach report put the global average cost of a breach at $3.86 million, up 6.4 per cent from 2017. Costs then rose sharply between the 2020 and 2021 reports, from $3.86 million to $4.24 million, an increase of $380,000 or 9.8 per cent. The average cost of each lost or stolen record containing sensitive and confidential information was $161, up from $146 in the 2020 report. By contrast, the 2020 report had recorded a 1.5 per cent decrease from 2019.
Point-of-sale data breaches are a serious concern for businesses: they erode consumer trust and can leave a crippled system that costs a fortune to repair. A magnetic stripe card stores data by modifying the magnetism of tiny iron-based particles in a band of magnetic material on the card. Magnetic stripe cards are commonly used as credit cards, identity cards and transportation tickets.
The point of sale (POS) or point of purchase terminal, on the other hand, is the hardware that processes card payments at retail locations; the software that reads the magnetic stripe of a credit or debit card is embedded in it. When a card is used to pay, a conventional POS terminal reads the account number, expiry date and other track data from the stripe and sends them, together with the amount, to the merchant's payment processor as an authorisation request. The card issuer checks that sufficient funds are available and returns an approval or a decline; only after an approval is the transfer to the merchant settled.
The sale is recorded and a receipt is printed or sent to the buyer by email or text. Merchants can either buy or lease POS terminals, depending on how they prefer to manage cash flow. At the point of sale the merchant calculates the amount owed by the customer, displays it, prepares an invoice and offers the customer the available payment options. The point of sale is often referred to as the point of service because it handles not just sales but also returns and customer orders. POS software may also include additional functionality such as inventory management, customer relationship management, financials or warehousing.
Several recent reports describe data breaches affecting millions of consumers, and many of them involve a business's point of sale. The main objective of a POS breach is to steal card numbers: the 16-digit primary account number, together with the expiry date and the rest of the data on the magnetic stripe. With 60 per cent of POS transactions performed by credit card, this is big business for cybercriminals, and individual card records can sell for up to $100 apiece on the dark web. The industries most affected by POS breaches are restaurants, retail stores, grocery stores and hotels.
As cash transactions decline, POS adoption has become widespread. One compelling reason is that a POS system does away with the need for price tags: the selling price is linked to the product code when stock is added, so the cashier only has to scan the code and process the sale, and a price change is made once in the inventory window. Other advantages include support for various types of discount, customer loyalty schemes and more efficient stock control, all of which are typical of modern ePOS systems.
As electronic POS transactions have grown, cybercriminals have developed ways to exploit them. In December 2021, BleepingComputer reported that the credit card details of 1.8 million people had been stolen from a group of sports gear websites.
Compromising a POS system is much like any other computer intrusion. A well-known example of the malware involved is BlackPOS, a memory-scraping program written to steal credit and debit card data from POS systems. Once attackers have gained a foothold on the terminal, BlackPOS installs itself quietly, reads card track data out of the memory of the payment application while it is being processed, and sends the harvested data to a server the attackers control.
Small and medium-sized businesses are easy targets because they are simpler to get into and generally have laxer security and policies than a large corporation. The POS systems these companies use to ring up sales are basically computers, often running Windows, and are exposed to the same threats as any other Windows machine. Unless the card reader encrypts the data at the point of capture, the card number and track data pass through the terminal's memory in clear text during processing. Malware that reaches the machine goes after exactly that unencrypted data, collects it and sends it to a remote server.
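To make the memory-scraping step concrete, here is an added example, written for this article and not code from any POS vendor or from the BlackPOS family, that does in a few lines of Python what such malware does and what a defender's memory or log audit does in reverse: it sweeps a buffer for ISO 7813 track-2 data of the form `;PAN=YYMMSSSdiscretionary?` and keeps only candidates whose account number passes the Luhn check. The sample buffer, the card numbers (public test PANs) and the `mask_pan` helper are all constructed for the example.

```python
import re
from typing import Dict, List

# ISO 7813 track 2: optional start sentinel ';', 13-19 digit PAN, '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,30})\??"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, the usual receipt and log format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_track2(buf: bytes) -> List[Dict[str, object]]:
    """Find Luhn-valid track-2 records in a raw memory or log buffer.

    A scraper keeps the full PAN; an auditor would keep only the masked PAN
    and the offset, so both are returned here for comparison.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):      # random digit runs rarely pass Luhn
            continue
        hits.append({
            "pan": pan,
            "masked": mask_pan(pan),
            "expiry": m.group("exp").decode(),
            "service_code": m.group("svc").decode(),
            "offset": m.start(),
        })
    return hits


# Constructed stand-in for a payment process's memory: some junk, one genuine
# track-2 record (public test PAN 4111111111111111), one with a bad check digit,
# and a base64-looking blob standing in for a point-to-point encrypted record,
# which the pattern cannot match because the PAN never appears in clear.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE\x00\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00junk\x00"
    b";4111111111111112=25121010000000000000?"
    b"\x00ENC:Q2hAUkRIT0xERVI+PlJBTkRPTQ==\x00"
)

if __name__ == "__main__":
    for h in scrape_track2(SAMPLE_MEMORY):
        print(h["offset"], h["masked"], h["expiry"], h["service_code"])
```

Run against the constructed buffer it reports a single record at offset 14: the record with the bad check digit is discarded by the Luhn test, and the encrypted blob never matches because there is no clear-text PAN in it, which is the whole argument for encrypting at the point of capture.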
With so many threats to POS systems and so much new malware being written, keeping payment data protected is a real challenge. That is why retailers and business owners must take special precautions over the use of credit and debit cards in the POS system.
Attackers can gain control of the devices in one of two ways. Either they get physical access to the POS terminal, or they reach it remotely over the network or the internet and exploit buffer overflows and other common flaws to execute arbitrary code, escalate privileges, take control of the device and see and steal the data that flows through it.
Remote access is possible when an attacker breaks into the network, by phishing or some other attack, and then moves laterally through it to the POS terminal. Ultimately, the POS machine is a computer, and if it is connected to the network and the internet, attackers can try to gain access to it and manipulate it like any other insecure machine.
To protect against attacks that exploit POS vulnerabilities, retailers using the devices should ensure they are patched and up to date, and should change default passwords wherever possible.
It is also recommended that, where possible, POS devices sit on a separate network from other devices, so that an attacker who gains access to the network through an office Windows system cannot simply pivot to the POS devices.
Many POS systems run a version of Windows, often an embedded edition, which means the terminal can be attacked like any other Windows device. And while most Windows systems on a network should receive regular security patches, it is all too easy for the POS terminal to be forgotten.
In one UK case, a report by the Information Commissioner's Office pointed to "systematic failures" in how the retailer safeguarded personal data and managed the security of its networks, including a failure to patch systems against known vulnerabilities. (Verizon's 2015 Data Breach Investigations Report found that POS intrusions accounted for 28.5 per cent of all confirmed breaches in 2014.) A common mistake small business owners make in protecting customer data is storing the encryption keys in the same place as the encrypted data, which lets a hacker who obtains a single dump of the system recover everything. The simple fix is to keep the keys separate from the data they protect.
Another mistake is pushing security and system updates to POS devices over the general corporate network. This is common practice and it puts many businesses at risk: when the corporate network is not protected by a professional security set-up, it is easy for hackers to reach the computers, the network and the POS systems on it. For small businesses, good remedies are multi-factor authentication and never running the POS systems on the public Wi-Fi network.
Some best practices for securing your system and preventing a POS intrusion: install antivirus software that constantly scans for viruses and malicious files. Use encryption, ideally from the moment the card is read, so that even if cyber thieves install payment-stealing malware on the retailer's POS system, the data it sees and the data crossing the network are ciphertext that is extremely difficult to exploit. Monitor all POS terminals with video surveillance to deter and detect skimmers. Secure every network with a strong password and consider a segmented connection for the POS devices for added protection. Implement a POS monitoring service that flags cashier infractions as they happen, sending video clips and POS data for the exceptions you specify, such as cashier log-in and log-out or drawer openings without a sale. Physically secure the POS device so that you are notified immediately if it is tampered with or broken into. Keep all POS software up to date, and teach employees how to spot suspicious activity.
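The exception-based POS monitoring mentioned above can be prototyped against the terminal's own transaction journal. Here is an added example, written for this article rather than taken from any monitoring product, that reads constructed journal lines (the line format, terminal IDs, cashier names and the 10-second window are all assumptions for the example), flags a cash-drawer opening that follows a void or that has no sale within the window, and tallies exceptions per cashier.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed POS journal, one event per line:
#   <ISO timestamp> <terminal> CASHIER=<name> <event> [amount]
SAMPLE_JOURNAL = """\
2024-03-02T10:01:05 T01 CASHIER=alice SALE 42.10
2024-03-02T10:01:06 T01 CASHIER=alice DRAWER_OPEN
2024-03-02T10:15:30 T01 CASHIER=alice DRAWER_OPEN
2024-03-02T10:15:45 T01 CASHIER=alice DRAWER_OPEN
2024-03-02T11:02:00 T02 CASHIER=bob VOID 89.99
2024-03-02T11:02:03 T02 CASHIER=bob DRAWER_OPEN
2024-03-02T11:30:00 T02 CASHIER=bob SALE 12.00
2024-03-02T11:30:01 T02 CASHIER=bob DRAWER_OPEN
"""

# A drawer opening is explained only by a SALE on the same terminal within this
# window (assumed value; tune it to the terminal's real cash-handling timing).
SALE_WINDOW = timedelta(seconds=10)


def parse_line(line: str) -> Dict[str, object]:
    """Split one journal line into its fields."""
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "terminal": parts[1],
        "cashier": parts[2].split("=", 1)[1],
        "event": parts[3],
        "amount": float(parts[4]) if len(parts) > 4 else None,
    }


def find_exceptions(journal: str) -> List[Dict[str, str]]:
    """Return drawer openings that are not explained by a recent sale."""
    last_sale: Dict[str, datetime] = {}
    last_void: Dict[str, datetime] = {}
    exceptions = []
    for line in journal.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        term = ev["terminal"]
        ts = ev["ts"]
        if ev["event"] == "SALE":
            last_sale[term] = ts
        elif ev["event"] == "VOID":
            last_void[term] = ts
        elif ev["event"] == "DRAWER_OPEN":
            void_ts = last_void.get(term)
            sale_ts = last_sale.get(term)
            if void_ts is not None and ts - void_ts <= SALE_WINDOW:
                reason = "drawer_after_void"       # classic cash-skimming pattern
            elif sale_ts is None or ts - sale_ts > SALE_WINDOW:
                reason = "drawer_without_sale"
            else:
                continue                            # drawer opened as part of a sale
            exceptions.append({
                "ts": ts.isoformat(),
                "terminal": term,
                "cashier": ev["cashier"],
                "reason": reason,
            })
    return exceptions


def summarize(exceptions: List[Dict[str, str]]) -> Counter:
    """Exceptions per cashier; a high count is the cue to pull the video clips."""
    return Counter(e["cashier"] for e in exceptions)


if __name__ == "__main__":
    found = find_exceptions(SAMPLE_JOURNAL)
    for e in found:
        print(e["ts"], e["terminal"], e["cashier"], e["reason"])
    print(dict(summarize(found)))
```

On the constructed journal this flags three events: two no-sale drawer openings by alice on T01 and one drawer opening by bob on T02 three seconds after a void, while the drawer openings that follow a sale within the window are ignored. In a real deployment each flagged timestamp and terminal is the key used to retrieve the matching camera clip.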
*Ibenu, an Assistant Professor of Computer Science at Escae-Benin University of Science and Technology, writes from Lagos, Nigeria.