When consumers purchase services or goods from retail points, transactions are processed through what is referred to as a Point of Sale (POS) system. The system is made up of the hardware that captures the required information and software that instructs the hardware on what to do with the captured information.
When you use a debit or credit card at a point of sale system, the attached computer system or device collects and processes the information stored on the card’s magnetic strip. Data collected includes information associated with the actual account such as cardholder account number and name, as well as credit card number and its expiration date.
The insecurity of POS systems lies mainly in consumer data handling. Cyber criminals have always targeted these data in which they have devised numerous malicious means of acquiring it. In same cases, these perpetrators attach physical devices to the POS system which then collects card data through a process referred to as skimming. Some other cases involve delivering a malware into the POS system which latter collects desired card data as it passes through and sends it back to the criminal. In most cases, this data collected is used to create fraudulent debit and credit cards.
Some POS system devices also enable access to email services and Internet. This therefore means that a malicious mail attachment, website or link can be accessed and a malware subsequently downloaded into the POS system of the end user unknowingly. Cases of using key loggers to record key strokes have also been used by cyber criminals, although not so common.
When it comes to point of sale system malware attack, several malware have been used, most of which locate specific data on the system using memory scraping technique. Commonly used malware include Dexter and Stardust, they extract information from Track 1 and Track 2 of the magnetic card or from internal network traffic.
These two types of malware are often delivered into POS systems via malicious internal actors or through email Phishing. Other vulnerabilities of a POS system include open wireless networks that offer POS system access, weak credentials as well as physical access to the POS devices.
The design solution
Modern POS systems have been designed with these security risks in mind. They have been equipped with appropriate security applications that provide secure network and end-to-end security to consumers. The POS system also combines complete transaction logging and online authorization to allow full monitoring of staff that manipulate cash and handle transactions at all levels.
POS terminals are also designed in compliance with anti-money laundering rules. Many financial and non-financial institutions are therefore required to identify and report any transactions of suspicious nature to their respective country financial intelligence unit.
POS System Owner Best Practices
There are known best practices that owners and operators of POS systems can follow to increase the security of the system and cut off unauthorized access. These include:
- Use of strong, unique and complex passwords, which should be changed regularly
- Regularly update the POS software application to ensure that the system is using the latest updated applications and application patches
- Use antivirus to detect and restrict entry of malware and other malicious programs in the system
- Install a firewall to protect your POS system from external attack.
- Disallow remote access to the point of sale system at all times
Restrict access to the Internet to prevent staff from accidentally exposing the POS system to the many security threats available on the Internet.
Have you used POS systems in your business? Share your thoughts and experience.