If you run a point of sale system (POS) in your business you are probably nervous. And with good reason. There have been way too many breaches starting with Target (actually, that wasn’t the start of POS breaches, but it certainly is well known). Here are some ideas for things that you can do in order help protect your company’s systems.
- Vendors managing encryption keys. First, if the data is not encrypted, obviously that is a problem, but if the data is encrypted and the encryption keys are stored on the same network as the data that is encrypted, well, that is kind of, bad. If the hackers get into the network and get the data, they can get the encryption keys are well. You might as well not encrypt it at all. One solution to this is a box called a hardware security module or HSM. The HSM manages all the encryption and decryption and the keys live in it, but once you put the key into the HSM there is literally no way to get it back out. For hackers, that represents a problem.
- Segment your network. This is not news, but it is critical and security experts have been saying this forever. Let me explain why not doing this is a “problem”. The people that hacked Target got in by compromising a portal that an air conditioning contractor used to find out what store had a broken cooler they had to fix. HOWEVER, there was nothing to stop that server from directly accessing the POS system – which they did. If the network is segmented, there would be no direct connection between the POS systems and say, the mail server. There should be zero connection between the guest WiFi and ANYTHING else. You can take this to extreme, but there are low cost and easy ways to do this today in a way that is very bullet resistant. If bullet proof is required, that will be more expensive.
- Old operating systems. Do you know that there are millions of ATMs that still run Windows XP? Whose support ended years ago. The banks have spent millions protecting those aging beasts as they work to upgrade them. Unfortunately, if you are a small or medium business, you likely don’t have the money or expertise to protect that antique. You just have to belly up to the bar and upgrade it to something that can be patched. And patch it religiously.
- Default passwords. It is amazing how many systems are running, in production, with the passwords that were there when it came out of the box. And this is not limited to POS systems. Firewalls, switches, routers, servers, cameras, alarms – you get the idea. Change ALL the passwords and delete any accounts completely if they are not needed. But be careful about that, deleting things CAN break stuff.
- Fraudulent devices. You may remember that a bank in Bangladesh was recently hacked out of close to a billion dollars. Good news is that they were able to get most of that money back (all but about a hundred million). The bank had no firewall and bought their network switches on eBay. Buying “discount” devices may seem to save money, but if they are not coming from a reputable source, you may just open the door to hackers. That credit card reader you bought on eBay – or the POS system you bought on Craigslist – probably not a good plan. As your mother used to say – don’t pick that up – do you know where that has been?
- Phishing attacks. Phishing attacks are insanely common. One client set up a fake phishing test of their employees and over 30 percent fell for the phishing email. All you need is ONE to fall for it for the hacker to get in. Education is critical. So is having your employees being alert to being phished.
- RAM Scraping. This is a cool technique (at least if you are a hacker) that allows the hacker to scrape the credit card information out of the POS system’s memory before it gets encrypted. This is not a problem with chip cards because those get encrypted in the card reader, but there are still millions of mag stripe transactions every day. There have been many, many attacks that use RAM scraping. In theory, the POS system should only talk to a very limited number of well known computers. Lock it down so that even if the hacker is able to scrape memory, you have made it very difficult for the hacker to get the credit card information out. Not impossible. Very hard.
- Skimmers. You have probably heard about skimmers on the news. Skimmers on ATMS and at gas stations. And at places like Safeway. The new generation of skimmers sits INSIDE the ATM or gas pump so it is completely invisible to the user. This does require someone physically entering your location, so it is harder to pull off, but if you have a lot of locations, how do you make sure that someone isn’t able to get access to your card reader, say at night? Maybe someone pays off the cleaning crew. Physical security is the lynch pin to everything else.
These are some good tips that will go a long way to improving your POS security. Obviously, engaging a security expert (like me) is better, but you can’t always afford that.
Information for this post came from PC Magazine.