Point Of Sale systems security – Preventing and fighting evolving threats

A point of sale is defined as the time and place where a retail transaction is completed * . A point of sale system is a device/software where this transaction occurs. This transaction usually involves the use of a Debit card  / Credit card in conjunction with the point of sale system. Numbers of card payments transactions are estimated at Billions just in the United States *.  The year 2014 had many prominent retail  breaches that exposed sensitive information of millions of customers, this information came primarily from the compromise of Point Of Sale (POS) systems.
Fig 1.1 POS Systems
These POS systems have become a valuable and sought after target, driven by an underground ecosystem where the compromised payment card information is sold to anybody that can afford it. The people behind this market of stolen payment card data are called Carders. Carders may not necessarily perform the compromise of the information however, they validate, buy, sale or trade this information.
The compromise and exfiltration of  POS systems usually follows a chain of multi stage exploitation, entrenchment and post exploitation actions which eventually allows the exfiltration of payment card data. Research by  Dell Secureworks provides a visualization of how these chain of events takes place before making it to Carding forums.
Malware/Malicious code has to reach the perimeter or extended surface of an organization, to then make its way through by pivoting or lateral movement by exploiting systems or stealing credentials that allow access to the targeted systems, followed by a series of actions that include installation of remote access tools and code that allows payment card information access and extraction.
Fig 1.2 Relationship between compromised assets and attackers – Source Dell Secureworks
According to Brian Krebs, malicious actors have targeted self-checkout lanes as well, this in particular, makes it more difficult to check and put under scrutiny every customer that uses such machines. Following compromise the payment card information will eventually make it to sites on the internet or the dark web, where this information will be advertised.
Fig 1.2 Card dumps advertisement – Source
It is important to point out that in many of the prominent POS breaches, the companies affected were actually in compliance with Payment Card Industry standard. The Payment Card Industry Data Security Standard (PCI-DSS), is the de facto security standard for most companies that process card payment transactions and although the PCI-DSS framework does have good recommendations, it has been proven to be insufficient to prevent such compromises and not a good measure of how resilient an organization can be against POS system breaches.

Point Of Sale systems are usually facing customer and operated by non technical retail customer service or cashiers. These systems can be difficult to reach and service, they also need to be always up, some of them on leased hardware/software, rarely upgraded or patched and easily accessible by operators. These systems are also usually serviced remotely in part because of their large numbers, and distance in between many of large  or small retail locations.

The above conditions can pretty much explain why it is so difficult to protect these systems and its data. The relationship between cost benefit, operability, availability and user training, forces owners to do the best they can and harden their systems without losing revenue or spending too much in training of personnel with high turnover. It also forces them to rely on third party management in many cases.

The process of a retail transaction using a POS system also involves many participants as well including but not limited to, cardholder, merchant, software vendor, hardware manufacturer, gateway processor, acquirer, card brand, and issuer. The merchant is the most vulnerable part of this equation because it is facing the public directly in multiple locations and at multiple POS*.

On the second part of this blog series we will delve into the relationship of the above chain of elements with a multi contextual and evolving threat landscape.

Posted by