The upward trend in data breaches continues to trend upwards and as a result, there has never been a more precarious time in history to launch and maintain a successful business. In other cases, to avoid repeat mistakes that lead to data breaches, we need to keep up to date with current information about new techniques used by cybercriminals to compromise credit and debit cards.
According to IBM’s latest Data Breach Report, the global average cost of a data breach is $3.26 million, up 6.4% from 2017. m in 2020 to 4, $24m in 2021 (an increase of $380,000 representing an increase of 9.8%). The average cost for each lost or stolen record containing sensitive and confidential information is $161, an increase from $146 per lost or stolen record in the 2020 reporting year. This compares to a decrease of 1 .5% compared to the reporting year 2019 to 2020.
Point-of-sale data breaches are a serious concern for businesses that can lead to a lack of consumer confidence and a crippled system that could cost a fortune to fix. A magnetic stripe card is a type of card capable of storing data by altering the magnetism of tiny iron-based magnetic particles on a strip of magnetic material on a card. Magnetic stripe cards are commonly used in credit cards, ID cards and travel passes.
Point of sale or point of purchase terminal, on the other hand, is a hardware system for processing card payments at point of sale. Software for reading credit and debit card magnetic stripes is built into the hardware. When a credit card is used to pay for something, a conventional POS terminal first reads the magnetic stripe to check if there are enough funds to transfer to the merchant, and then completes the transfer.
The sales transaction is recorded and a receipt is printed or sent to the buyer via email or SMS. The merchant can buy or rent a POS terminal, depending on how they prefer to manage cash flow. At the point of sale, the merchant calculates the amount owed by the customer, indicates this amount, then prepares an invoice for the customer and indicates the option for the customer to make payment. The point of sale is often called point of service because it is not only a point of sale but also a customer order return point. POS software may also include functionality for additional functionality such as inventory management, customer relationship management, finance, or warehousing.
In recent updates, several reports have surfaced of data breaches affecting millions of consumers. Many of these data breaches involve a company’s point of sale. The main purpose of POS breaches is to steal your 16-digit credit card numbers. 60% of POS transactions are made by credit card, which is big business for cybercriminals, and individual credit cards can be sold for up to $100 each on the dark web. The industries most affected by point-of-sale data breaches are typically restaurants, retail stores, grocery stores, and hotels.
As human transactions with cash transactions are increasingly overwhelmed, the adoption of POS services is becoming widespread and one of the most obvious reasons is that the POS system removes the need for ‘price tags. Selling prices are usually linked to the product code of the item when adding stock, so the cashier has little to do: scan that code and process the sale of the product. If there is a price change, this can also be easily done via the inventory window. Other advantages include the possibility of implementing different types of discounts, a loyalty program for customers and more efficient inventory control, these functions are generally typical of almost all modern ePOS systems.
As the benefits of electronic point-of-sale transactions continue to evolve, cybercriminals have also developed gateways to infiltrate this development. According to a report from Beep Computers, December 2021 shows that 1.8 million people’s credit card information was stolen from sports equipment sites.
Exploiting a POS system is similar to a vulnerable computer intrusion. Cybercriminals gain access to the system by installing a monitoring device called BlackPOS. BlackPOS is spyware created to steal credit and debit card information from the POS system. The BlackPOS penetrates the PC with stealth methods and steals information to send to an external server.
Small and medium-sized businesses are easy targets for cybercriminals because they are easier for these criminals to access and generally have more lax security and policies than a large corporation. The POS systems that these companies use to call businesses are essentially computers that often run Windows and are susceptible to the same threats that a regular Windows computer is vulnerable to. The credit card data is first stored on the machine, unencrypted for processing purposes. When malware enters the machine, it attacks unencrypted stored payment information. The malware collects the data and then sends the information to a remote server.
With so many threats to point-of-sale systems, as well as the amount of new malware being created, the hustle and bustle of data protection is getting tough. This is why retailers and business owners need to take special precautions when it comes to the use of credit and debit cards in the point-of-sale system.
Attackers could access devices to manipulate them in two ways. Either they are able to physically access the POS terminal, or they can access it remotely over the Internet and then execute arbitrary code, buffer overflows, and other common techniques that can provide attackers with escalation of privilege and the ability to control the device, see and steal the data passing through it.
Remote access is possible if an attacker manages to gain access to the network via a phishing or other attack and then roams the network freely to the point-of-sale terminal. Ultimately, the POS machine is a computer and if it is connected to the network and the Internet, attackers can attempt to access and manipulate it like any other unsecured machine.
In order to protect against attacks exploiting point-of-sale vulnerabilities, it is recommended that retailers using devices ensure they are patched and up-to-date, and avoid using default passwords as far as possible.
It is also recommended that, if possible, the POS devices be on a different network from other devices, so if an attacker accesses the network through a Windows system, it is not as easy for them to pivot to the POS devices.
POS systems run on a modified version of Windows, which means the computer can be vulnerable to attacks like other Windows devices. And while most Windows systems on a network should receive regular security patches to ensure they can’t fall victim to attacks, it’s all too easy for the POS terminal to be overlooked.
A report from the Information Commissioner’s Office highlighted “systematic failures” in the way the retailer protected personal data and managed the security of its networks, including failing to patch systems against known vulnerabilities. (Verizon’s 2015 Data Breach Investigation Report reveals that point-of-sale incidents accounted for 28.5% of all breaches in 2014). Common mistakes small business owners can make when it comes to protecting their customers’ user data (for example, storing it in the same location where encryption information is stored) gives hackers very easily to all the data that they need in one fell swoop. A simple solution to this would be to separate the encryption data from the user data.
Another mistake is using a corporate network to send security and system updates to all POS devices. This is a common practice that puts many businesses at risk. It is extremely easy for hackers to gain access to computers, networks and point-of-sale systems when corporate networks are not protected by professional security configurations. For small businesses, a good solution is to opt for multi-factor authentication systems and never run POS systems on the public WiFi network.
Some of the best practices for securing your system and preventing a POS intrusion include installing antivirus software to constantly scan for viruses or malicious files; use encryption (in the event that cyber thieves install payment-stealing malware on the retailer’s POS system, this tactic often disguises the data as it is shared across networks, making it extremely difficult to hack) ; monitor terminals with CCTV to provide surveillance of all POS terminals to prevent skimmers on your POS terminals; secure your network to prevent point-of-sale intrusions; secure all networks with a strong password and consider setting up a segmented connection for even more protection; implement a POS monitoring service to identify cashier violations as they occur by sending video clips and POS data based on specified exceptions, such as in and out checkout, drawer openings without sales, etc. Physically secure your POS device to receive immediate notification in the event of a break-in; keep all point-of-sale software up-to-date and teach employees how to spot suspicious activity.
- Ibenu, Assistant Professor of Computer Science at Escae-Benin University of Science and Technology, writes from Lagos, Nigeria
All rights reserved. This material and any other digital content on this website may not be reproduced, published, broadcast, rewritten or redistributed in whole or in part without the prior express written permission of PUNCH.
Contact: [email protected]