Cyber attack on Target was only the beginning: 1000 brick and mortar businesses affected according to the US Secret Service
According to a recent advisory from the Department of Homeland Security, as many as one thousand brick-and-mortar businesses nationwide are currently affected by the same cyber-attack perpetrated against Target’s POS systems, which lets criminals gather consumers’ credit card information. According to Ken Westin, an analyst at security firm Tripwire Inc., the ongoing epidemic of these attacks has been carried out by the “Backoff” malware, which infects point-of-sale systems, captures the card data from each transaction swipe, and sends it back to the attackers, who are then able to resell the stolen data.
The latest strain of the malware has been active since October and was discovered only in recent weeks, with thousands of businesses completely unaware of its presence within their systems.
Anatomy of a brick-and-mortar point of sale system:
Modern point-of-sale cash registers are no different from complete desktop computer systems: they run over a regular local area network and are often reachable from the Internet through web server software. By the same token, every retail store can be broken into, to some degree.
In every store that operates a card-swipe device or a bar code scanner, those devices are controlled by a server computer, usually located in an office within the business. Communication between the server and the other point-of-sale devices on the network is rarely encrypted, or only weakly so.
In some cases the local area connection is carried over Ethernet cables, but sometimes a wireless connection is used, which opens the network to intrusion from anyone in physical proximity.
The smaller the business, the more “cost effective” the server setup tends to be. Typically, the servers used by smaller businesses are not “real” servers but regular old desktop PCs running Windows Vista or Windows 7, and in some horrifying cases even Windows XP.
Such a setup alone leaves the business wide open to attack. Sadly, most local businesses opt for convenience and don’t do nearly enough research into how secure their network will be.
Terminals are, by definition, computers that require a connection to a server in order to function. A terminal can be anything that allows a business to take a payment and process orders: credit card swipe devices, cash drawers, touch screens, and ticket printers.
These terminals may be rudimentary computers, but they are computers nonetheless, with networking capabilities, and cannot be assumed to be secure.
If any of these devices has a USB port or an SD card reader, it is a likely point of infection: an attacker may simply plug a USB stick, or an even less conspicuous SD card, into a cash register or a printer and inject malware system-wide.
Businesses such as coffee shops, bars and bookstores offer free WiFi to their customers as a popular way to encourage them to stay on the premises.
Public, unsecured WiFi can be broken into very easily, in such a way that an attacker could gain administrative privileges on the router from which the connection originates, and from there reach every device connected to that network, including any server used to monitor and manage point-of-sale operations.
Curbing the risks
It’s important to understand that every brick-and-mortar business is at risk to some degree, but that risk can be lowered by taking appropriate steps.
PCI-DSS stands for Payment Card Industry Data Security Standard, a proprietary standard developed for organizations handling payment data across the major debit, credit, e-purse, ATM and POS networks.
The number one recommendation for PCI-DSS compliance is never to store or transfer unencrypted or otherwise unsecured card information on a local or external network.
Of late, PCI-DSS compliance has come to work much like the way credit reporting agencies monitor a person’s credit history: credit card processing companies that record a lower quality of PCI-DSS compliance are likely to penalize the business with higher processing fees, in an attempt to offset the cost of fraud.
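As an added example, not taken from the advisory or from any vendor’s tooling, here is a small Python check that a store owner or auditor could run over a POS host’s log files to find unencrypted card data at rest, which is exactly what the PCI-DSS recommendation above forbids. The log lines are constructed for this example, and the card numbers are well-known industry test numbers, not real accounts.

```python
import re

# Constructed sample of what a sloppy POS application might write to disk.
# Line 1 is acceptable (masked PAN); line 2 leaks full track-2 data;
# line 3 is a 16-digit order number that must NOT be flagged; line 4 leaks a PAN.
SAMPLE_LOG = """\
2014-10-03 12:01:07 sale approved amount=42.17 pan=************1111 auth=083114
2014-10-03 12:01:09 debug raw_swipe=;4111111111111111=2512101123456789?
2014-10-03 12:02:41 order 1234567890123456 voided by clerk 7
2014-10-03 12:03:15 sale approved amount=9.50 pan=5555555555554444 auth=100200
"""

# Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r';(\d{13,19})=(\d{4})(\d{3})(\d*)\?')
# A bare primary account number: 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(text: str):
    """Return (line number, kind, last four digits) for each leak found.

    Only the last four digits are reported so the scanner itself does not
    reproduce the cleartext card data it is looking for.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TRACK2_RE.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append((lineno, "track2", m.group(1)[-4:]))
            continue                    # track data already covers the PAN
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "pan", m.group(1)[-4:]))
    return findings


if __name__ == "__main__":
    for lineno, kind, last4 in find_card_data(SAMPLE_LOG):
        print(f"line {lineno}: cleartext {kind} ending in {last4}")
```

Any hit means card data is being written in the clear on a machine that memory-scraping malware such as Backoff already targets; the fix is to stop logging it, not to hide the log.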
Internet-based Payment Processors
The easiest way to accomplish this is to use terminals that do not connect to an internal server at all, but rather to a larger, secured, fully PCI-DSS-compliant Internet payment gateway such as Authorize.net, Stripe, or MercuryPay.
Some processors provide, and fully support, portable devices such as customized iPads, touchscreens, and card processing terminals that communicate directly with the payment processor and never need to talk to any internal server.
Other processors allow a business to build its own secured method of communication, as long as it complies with PCI-DSS standards.
All communication sent to the processor is encrypted by the processor’s proprietary software and is far more secure from theft than it would ever be if handled over a local area network.
As an example, the popular restaurant chain “Chili’s” lets customers use tabletop touchscreens to place orders, check out, and even leave a gratuity through a secure Internet-based checkout page, with the added bonus of speeding up food delivery and preventing unscrupulous staff from holding an unsuspecting customer’s payment card long enough to record its details on any number of portable devices.
With over 1,000 brick-and-mortar businesses estimated to still be affected by the Backoff malware, as well as recent reports of attacks at over 50 UPS locations with an estimated one hundred thousand compromised transactions, it is time for businesses to take in-store card transaction security more seriously and implement strategies that reduce the chance of customer information being stolen. Online businesses like Portable One continue to be more secure and less compromised than brick-and-mortar businesses.