It’s common to think of malware as primarily targeting databanks; while that’s definitely true, hackers also commonly attack Point of Sale (POS) systems. This could be hardware-based, such as tampering with the physical device that consumers swipe their cards through, or could be an attack on the data that’s captured with that swipe from the software side. POS systems are used so frequently that it’s rare for a person to think twice about safety concerns when using one. Yet the recent Target security breach is an excellent reminder that it’s always wise to take extra precautions, no matter how large or small the retailer might be.
Understanding POS Vulnerabilities
As the credit or debit card is swiped through the POS, the data stored on its magnetic strip is transmitted for processing. The types of available data are broken into Track 1 and Track 2 (there is also Track 3 data, but this is rarely used). Both Track 1 and Track 2 data contain sensitive information like account number, credit card number, cardholder name and expiration date. If one track is unreadable due to hardware/software limitations or physical card damage, then the other track may be used.
There are a two basic ways hackers target POS systems:
- Skimmers are physical devices that are attached to the POS system. An example of this would be a false card reader installed over the top of the actual card reader. This allows cyber hackers to easily harvest pertinent data, which can be used for fraudulent purchases and other activity.
- Malicious software collects cardholder data in its raw form from the back end rather than using physical means. This is possible because POS systems typically require some type of connection to the Internet in order to receive updates and transmit encrypted data.
Hackers benefit more when they’re able to collect high volumes of data from multiple consumers in a short period of time, which means major merchants remain a popular target for POS attacks, especially at the holidays and other busy shopping seasons.
Both consumers and merchants can (and should) take steps to limit unauthorized access at POS systems:
- Consumers should change PINs regularly. Additionally, many credit card companies and even issuers of debit cards may offer protection specifically against fraudulent purchases and activity.
- Restrict access at the back end. Installation of any POS should never use the default password; new passwords should be strong and changed regularly. You should restrict Internet access to your POS terminals so that only POS-related activities are conducted online and not general Internet use. Additionally, remote access to POS systems should not be allowed, as these increase the chance that your terminals are exposed to security threats.
- Implement appropriate security measures, like a firewall and antivirus software, which can help prevent unauthorized access and identify potentially harmful programs. Make sure regular updates are made to your antivirus software.
- Keep POS software updated and maintain monitored access. Missing software patches and outdated software applications are ripe for cyber attacks. Just like a regular computer, POS systems are more vulnerable when they’re not kept up to date with required downloads. Also, access to POS systems should be restricted to authorized personnel only in order to prevent inadvertent online exposure.
While consumers may be able to minimize the impact of a data breach through programs or services offered by their credit or debit card providers, it’s much simpler to prevent attacks in the first place at the retailer level. Using the above tips can help keep you prepared, but always make sure to stay up to date with your software, and your knowledge, of the latest security threats.
By Gretchen Hoffman
By Gretchen Hoffman