As news about point of sale data breaches continues unabated, it is perhaps worthwhile to consider the issue from the criminal’s point of view.
One such example is a slideshow prepared by Russ Spitler, vice president of product management at the security management firm AlienVault, and part of a post on the website ITBusinessEdge.com, “From a Hacker’s Perspective: How to Breach a Point-of-Sale System.”
Spitler breaks everything down step-by-step as to what a criminal would have to do in order to breach a point of sale (POS) system.
As the only full-service point of sale provider — from software development to franchise incubator to ongoing support — part of Sintel’s commitment to our customers and business community is to share relevant ideas, information and industry news.
In their introduction, ITBusinessEdge.com notes that, according to the Identity Theft Resource Center, over 500 data breaches have been reported this year in the U.S., representing an increase of 27.5 percent over the same period last year.
Here are the highlights of Spitler’s informative slideshow, “Hacking A POS System”:
Launch a Broad-Based Attack against a known vulnerability using a watering hole. This is the most common technique used to compromise popular websites. Criminals use an “exploit kit” to target known vulnerabilities in the operating systems and browsers used to access the targeted website. In the case of Home Depot, a vendor of the company was targeted first in order to ultimately gain access to Home Depot’s servers.
Run a First-Level Analysis of the compromised systems. “The hackers will then look at what types of machines they’ve gained access to, what software is installed, what their IP addresses are, and what email addresses are being used,” Spitler writes. “This analysis is done to see what assets have been brought in by the ‘net’ of the broad-based attack.”
Identify Viable Targets for a breach. Once the assets have been obtained, the criminals will likely then move to see if there were any major or minor retailers among the data gained from the attack. Spitler believes the criminals will then typically pick the biggest retailer and start working toward their objectives — compromising the corresponding point of sale terminals.
Pivot Your Attack within the corporate network and perform reconnaissance on the network to identify and execute on the machines and systems it can access.
Target Known Vulnerabilities, systematically move on your objectives and identify ways to access the point of sale terminals. “In the Target scenario, it was a relatively open network, so this was a very simple task,” Spitler writes. “Either way, once the POS terminal points are identified, hackers will target a known vulnerability in the system and install the memory-scraping malware that harvests credit card information.”
Ex-filtrate the Harvested Data to move the credit card information from the point of sale terminals to a location of the criminal’s choosing. In the Target scenario, this was a FTP server in Eastern Europe, wherein the data then became available on the black market.
Spitler advises AlienVault clients to mitigate attacks by identifying the security technologies deployed and defend them using techniques for mitigating the increasing number of attacks. His firm advocates threat intelligence sharing as a key component for being alerted to and staying ahead of attacks. He closes the slideshow by saying, “If more companies widely share the threat data they have, it’s likely to help prevent hackers from being able to breach a system and share your own personal data.”
Read Russ Spitler’s full ITBusinessEdge.com post here.
For more insights into point of sale security, check out our related posts, “Backoff” Tracking Memory, Taking Credit, Secure Your Payments, Or Pay The Piper , In Loving Memory Of Your Credit Card Data, and The “infostealer.rawpos” Trojan Hides, Covers Tracks.
Just as Sintel shares our vast point of sale experience and expertise with startup owners in order to help them make the best decisions from the very beginning, we are happy to share articles, advice and commentary about retail point of sale and security.
Whether you’re a first-time franchise hopeful, a small business owner or an established chain, it’s always smart to stay on top of the latest point of sale best security practices to achieve financial success.
If you are interested in learning more about Sintel’s point of sale systems and how our knowledge and support can impact your future success, call us for a complimentary phone consultation.
Sintel Systems is the only direct to end user full-service provider of tailored point of sale systems across retail, restaurant and service industries, including frozen yogurt shops, pizzerias, sushi restaurants, cafés and retail stores.
As a single source for business solutions, our experienced, knowledgeable team negotiates the complex POS landscape for you to enable you to find the right POS system for your business and budget. Hardware – Software – Support
Questions or Comments: Contact us 855-POS-SALES www.SintelSystems.com