back to article Retailers shot up by PoS scraping brute force cannon

The US Computer Emergency Response Team has warned of a new point of sale malware that is targeting retailers. The malware is a RAM-scraper of the kind made infamous by the Target breach that saw attackers plant wares on terminals to nab credit cards while they were temporarily unencrypted. This attack uses a new tool …

  1. petur

    Payment terminals

    Over here most shops just have a payment terminal that is connected to the PoS via serial or network, and the software just tells the terminal what amount the customer has to pay.

    No way for crooks to steal any data, the worst they could do is send it incorrect amounts. Money always goes from customer to shop bank account.

    1. phuzz Silver badge
      Facepalm

      Re: Payment terminals

      I was wondering that myself, why does the PoS computer even need to know the credit card number? Surely you just send the price to the card terminal, and receive back a message either telling you that the customer's card paid up, or that it didn't (or was cancelled, declined etc.)?

      This way not only is your PoS terminal not at risk of CC numbers being leaked, but you don't have to worry about PCI compliance for your PoS software, which is a massive advantage.

  2. Steve Davies 3 Silver badge
    Facepalm

    Just use Cash

    Then there is nothing to steal...

    1. Alistair
      Coat

      Re: Just use Cash

      Steve:

      The dude in the alleyway wearing a balaclava would like to have a word or three with you....

    2. Gene Cash Silver badge

      Re: Just use Cash

      Or a check (cheque? czech?). I've been using those at the local Target ever since they caused my bank to have to replace my cards.

      1. admiraljkb

        Re: Just use Cash

        @Gene Cash - well Checks (and Debit Cards) make it easier to empty your bank account directly. At least with a Credit Card you are shielded from anyone having a direct line to your money, and have some additional legal protections as well. Its fairly easy to empty your account once someone has your ABA and account number, and much harder to recover the money stolen. Checks in the modern electronic era are unsafe at any speed, and weren't that safe before - see Frank Abagnale's exploits in the 1960's

  3. Richard Wharram

    Which POS platform?

    Assuming Windows if they're exploiting RDP but may be wrong.

  4. Cipher
    FAIL

    Hesitant to upgrade because of costs?

    I suppose when increased insurance premiums, bank costs and loss of sales due to deteriorating customer good will exceed upgrade costs they will make the change.

    Is management so short sighted they don't see that this is a "pay now or pay later" situation?

    1. cortland

      Re: Hesitant to upgrade because of costs?

      "Is management so short sighted..." In a word ? YES.

      And not just in retail

      I once worked for a [redacted] firm that made equipment affecting almost every [also redacted] in the US. It was cheap to make and profit came from volume, so when a higher level of compliance with [a formerly optional technical standard] became necessary, I was told to fix non-compliance *without changing the electronics*.

      That decision resulted in losing about $100 every time a new cabinet went out the door.

      "You tells 'em an' you tells 'em and they never lissens..."

      Management are ALWAYS short sighted when they look only at this quarter's profit -- and their own division's budget.

      1. Anonymous Coward
        Anonymous Coward

        @ Cortland I slightly disagree with you.

        It is not so much this quarters profit. More and more companies are using bonuses as compensation rather than pay raises. If a Manager has a better profit this quarter then he gets a better bonus this quarter.

        I am sure someone will say what about keeping his job in the future? As the recent Dr. Dre and Microsoft layoff announcements show, saying you will have a job in the future is just like saying you are going to win the lottery in the future.

        You need to make the money when you can.

      2. admiraljkb

        Re: Hesitant to upgrade because of costs?

        @cortland

        I've been finding that a risk averse corporate culture is starting to play into it as well. Sometimes its not strictly financial, its simply "perceived" risk. I've been in similar situations as yours. I suspect in a meeting, someone (pointy hair manager type) said it was less risky to keep the same electronics and have someone just "fix it" with software, not understanding the levels of complexity that are truly involved.

  5. Anonymous Coward
    Anonymous Coward

    OMFG!

    I'm eihter going to stop shpopping at retailers with a Microsoft based PoS terminal, write more checks or just use cash.

    What is it going to take, people? Stop using Microsoft products!

    Posting Anon cause I really don't give two shits for the M$ Fanboi rhetoric...

    1. Anonymous Coward
      Anonymous Coward

      Re: OMFG!

      "...I really don't give two shits for the M$ Fanboi rhetoric."

      or spell-checkers?

      1. Anonymous Coward
        Anonymous Coward

        Re: OMFG!

        whut is thes spelchqer you spake ofv?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021