A sale being made at a supermarket checkout

Point-of-sale cyber security: hacking the check-out

As point-of-sale systems embrace mainstream software, they will have to deal with the security threats that come with it. After all, what cybercriminal wouldn't go after Windows-based devices handling credit and debit cards?

It is a simple fact of economics that consumers and retailers perpetually encourage one another towards ever greater convenience. And with greater convenience comes greater connectivity between devices running common computing operating systems. And such obliging levels of connectivity provide convenience not just for consumers but for cybercriminals too.

Connected point-of-sale (POS) systems – that's the checkout to you and me – are the most recent targets of the cybercriminal, and a specially-crafted malware, dubbed Dexter, is further indication that now all kinds of connected devices may be vulnerable to attack.

Checkout technology has been getting steadily more intelligent over the last decade, and if checkout systems are starting to look more like standard personal computers than electronic cash registers, it's because they are increasingly adopting much of the same technology.

Potential hauls for successful cybercriminals provide plenty of incentive to target POS. The amount reportedly stolen from sandwich franchise Subway's POS systems by four Romanian hackers between 2008 and 2011 was $3m. The hackers compromised the credit cards, debit cards, and gift cards of more than 80,000 Subway customers across 150 US-based restaurants, as well as 50 other unnamed retailers, using 'sniffing' software to make unauthorised charges. Cezar Butu of Ploiesti, Romania, was sentenced to 21 months in prison in January 2013 for the Subway theft. The remaining three suspects are still awaiting trial.

"Retail cybercrime is the crime of the future," says Dave Marcus, director of security and communications at security software firm McAfee. "Instead of coming in with guns and robbing the till, criminals can target businesses, root them from across the planet, and steal digitally."

Digital crime opportunities have certainly increased as businesses adopt more 'omni-retailing' methods, such as conventional e-commerce (or 'etailing'), social media, and taking payments through smart devices.

Of course, conventional online and mobile payment fraud are still a problems, for instance, Sony's infamous PlayStation Network hack (see 'Sony Security Laid Bare', http://bit.ly/eandt-sony-security), and more recently online US-based shoe store Zappos was hacked in January 2013, exposing personal information and credit card numbers of its 24 million customers. This means that mainstream retailers could soon find themselves caught in a pincer movement, attacked both online and on the high street.

Bank card cloning

Attacks on POS systems based on standard computer operating-systems are bound to increase as long as that software is targeted; even encryption does not deter criminals from having a try. In 2009 the Westin Bonaventure Hotel & Suites in Los Angeles experienced a data breach when their POS systems were illegally accessed during April and December. The hackers were able to obtain the names and bank card details of checked-in guests.

Another retail sector incident occurred in September 2012 when 63 Barnes & Noble bookstores in the US were breached, including branches in New York City, Miami, Chicago, and Florida. The breach was detected during a maintenance inspection of its in-store POS systems. It discovered that customer bank card information was the main target; the cards were cloned when customers swiped them cards through the PIN terminal.

Information security management firm Trustwave revealed from its 2013 Trustwave Global Security Report that the retail industry is now the top target for cybercriminals. The data was collected by Trustwave's security experts and taken from 450 global data-breach investigations, 2,500 penetration tests, nine million Web application attacks, two million network and vulnerability scans, five million malicious websites and 20 billion emails from multi-national corporations, merchants and government entities. From this, the retail industry made up 45 per cent of Trustwave's data-breach investigations, which was a 15'per cent increase from 2011.

POS systems have been undergoing a makeover over the past several years, as hardware-wired, all-in-one systems are gradually replaced by wireless and touchscreen POS systems. Supermarkets are upgrading their traditional electronic cash registers to self-service touchscreen POS systems; in 2011 supermarket chain Tesco installed technology company NCR's SelfServ Checkout in stores across central and eastern Europe, enabling customers to scan, bag and pay for goods themselves.

Product retailers are not the only businesses to use standard POS systems: restaurants, hotels, visitor attractions, and recreational establishments like cinemas, theatres, and fitness centres, for instance, all use integrated systems that process credit- and debit-card transactions.

Generic POS technology is also advancing. According to market analyst TechNavio, the Global Point-of-Sale software market will reach $3.2bn in 2014, driven by near-field communication technology and contactless payments.

'Mysterious' Dexter

Just before the 2012 festive period, a new piece of malware surfaced and was found in hundreds of POS systems in hotels, restaurants, retailers and private parking providers. The malware was discovered by Israel-based security firm Seculert: 'Dexter' (which comes from the string 'BKDR_DEXTR.A') is a data-theft tool used to target and attack POS systems. The program, which is Microsoft Windows-based, uses common techniques to search the memory of running processes to identify credit-card track data, but with the uniqueness of the attacker having full control.

Seculert CTO and co-founder Aviv Raff explains that while the company is as yet uncertain as to who is behind Dexter, the author is fluent in English: Dexter mainly targeted English-speaking countries. The malware was located in 40 different countries, but notably 42 per cent of POS systems targeted were in North America and 19 per cent UK-based. "Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware," Raff says.

The malware injects itself into the iexplore.exe file in Windows servers, through rewriting in the registry key. It then' pinches sensitive credit-card data from the server, before transferring it through a remote command and control system. Windows-based POS systems are used increasingly in the industry, and according to Seculert's findings, 51 per cent of targeted POS systems use the outdated Windows XP. The high percentage indicates Windows-based machines that process unencrypted track data are viable targets.

Microsoft Windows XP may be the 'preferred' choice for POS systems, especially among smaller retailers who feel that they cannot afford to upgrade, but with the operating system to be discontinued in 2014, the question is over what support will be offered for remaining XP users and if they will be able to handle the upgrade to Windows 7 or 8.

"Dexter only has three purposes in life," says Trustwave's security researcher Josh Grunzweig. "To always be running on the victims' machine, to find any card, or track, data in any running program on the victim, and to communicate with the attacker who is controlling it."

The latter is what makes the malware stand out and impresses Grunzweig. "I can't remember the last time I saw a piece of malware that targeted POS systems that had a nice command and control structure to it," adds Grunzweig.

He explains the hacker maintains control of the attack by using normal communication methods, but with the skill to hide what it was sending by encoding the data. This involved sending out a message to the attacker, by default, every five minutes and also checks the victim to see if there is any track data running every 60 seconds.

The magnetic strip on a credit card contains three tracks and the malware attempts to extract data from memory relating to tracks one and two, containing numeric or alphanumeric data that can be used to clone the card that was used in a transaction. If Dexter finds any of this track data, it alerts the attacker in the next message sent and the process is repeated. The attacker has the control to change the times and install additional malware or even remove Dexter altogether.

"The most unusual thing about Dexter is the small amount of public attention it has received," says Trustwave's Josh Grunzweig. "The issues that make POS-specific malware difficult to discuss in the industry also affects the ability of antivirus companies; without samples they are unable to provide detailed protections for specific threats."

POS protection

According to Grunzweig, there are several layers businesses need to address to prevent POS malware attacks. The most common attack is through weak remote administration or virtual private network authentications, which are mitigated through classic technical and policy controls, such as maintaining updates, network isolation of payment systems, strong authentication mechanisms

Small businesses are often targeted and known for their perceived lack of security awareness and implementation of IT security technology. "When a POS system is infected with this class of malware, merchants must act quickly to identify how they were compromised, and how badly, and then correct the immediate issues of the attack, and ensure that they have locked down the rest of their infrastructure from additional attacks," adds Grunzweig.

Since the public statement of Dexter, there has been relatively little further coverage on which businesses have fallen victim, and on who is responsible for the attack – so the full extent of the malware's damage has yet to be revealed.

"Some countries do mandate that customers get informed within days after a breach has been discovered, therefore there is not much a business can do but follow the law," explains researcher Vincent Hanna from the anti-spam protection company Spamhaus Project, "but it is possible that in cases where such rules do not exist internal (legal, security) or external (insurance companies) forces may interfere with making things public."

Further information

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles