14 DAY TRIAL // Security of point-of-sale (PoS) terminals is often overlooked by the vendors, who sell systems that can be easily compromised by attackers through both digital and physical attacks.
Failure to change access passwords on a regular basis, to properly secure the PoS devices or maintain the integrity of the servers collecting and sending the payment information are some of the causes for successful card breaches discovered by security researchers Charles Henderson from Trustwave and David Byrne from Bishop Fox.
Passwords stay unchanged for years
The duo took the stage at the RSA security conference in San Francisco this week to expose the bad practices of major PoS vendors.
They noted that in one case, a major PoS vendor maintained the same default password (“166816” and “Z66816,” as per different keyboard layouts) for all its products since 1990.
“90% of the terminals of this brand we test for the first time still have this code,” the researchers said, pointing out that the information was released publicly in 1994, in a FAQ document, which included company names like Northern Telecom.
In another breach investigation, they found that the password remained unchanged for a period of nine years, from 2005 until 2014. It is very likely that the attackers found about the merchant from a different breach at a retailer that relied on PoS terminals from the same vendor.
CHD machines and servers used for personal entertainment
One of the major sources of compromise is remote access, a feature that is present in most registers, the researchers said in the presentation on Wednesday.
During one of the investigations, they found that the back of the house server was set up for remote administration with pcAnywhere software, but the sessions were not protected by any password. Simply providing the username and hitting the “Enter” key established the remote connection.
Improper use of the computers in the cardholder data (CHD) environment was also among the reasons of compromise. Some workstations were used for visiting websites with adult content, downloading torrents and for video chatting purposes, all increasing the risk of infection.
The data from the malware’s keylogging module contained a set of repeated keys. It was discovered that the server had been used by employees to play different games, Guitar Hero 3 and Call of Duty among them.
Some basic measures increase security level
Apart from these, the researchers discovered that PoS systems disregarded basic security measures such as different authentication credentials across the enterprise, disabling automatic login and administrator accounts, encrypted communication and ensuring endpoint certificate verification.
Henderson and Byrne highlighted the fact that symmetric encryption for transmitting payment cards and using the XOR algorithm to encode passwords are not the proper security posture.
Among their top recommendations is making sure that the cash registers do not store the payment data, establish strong authentication policies and avoid running PoS user interface with administrator privileges. Also, applying the latest updates for the PoS security program helps maintain a better protection.
