Target, Home Depot and UPS attacks: Dude, you need to rethink point-of-sale security

A new report on point-of-sale malware presents the most detailed examination of the malicious code behind high-profile attacks against US retailers to date. Cyphort Labs’ in-depth look focuses on Target, Home Depot and UPS breaches and involved an analysis of BlackPOS, FrameworkPOS and Backoff malware samples. The researchers …

  1. Stretch

    Bet the report concludes you should give him some money to prevent you from having that money stolen. Either via crooks or HPC you are going to get screwed over.

  2. thomas k.

    change the penalties

    Unless we start charging these companies with criminal negligence backed up by jail time for the CEOs, nothing will change.

  3. wyatt

    As someone who is ignorant to the way that POS terminals work, is it really that hard to detect things going wrong or are they being lazy?

    1. Yet Another Anonymous coward Silver badge

      They are a computer, they send data across the network to other computers internally and externally.

      It's precisely as difficult as securing other computers in your organisation.

      1. wyatt

        That's what I thought, they're being lazy then.

    2. Michael Wojcik Silver badge

      is it really that hard to detect things going wrong

      In Target's case, their (outsourced) IDS team did detect the breach. They informed management, per procedure, and were ignored.

      More-sophisticated malware (such as Backoff) can make detection difficult. As with pretty much anything in security, there's a tradeoff: the attacker can expend more effort to force the defender to expend more effort.[1]

      Often, though, the problem is not detection. The problem is bureaucracy, and an aversion to interfering with operations (and so taking a hit on revenue) in order to investigate possible intrusions.

      [1] This ought to be obvious, but years of reading comments to security-related stories in the Reg have taught me that much of the readership remains stubbornly ignorant of even the most basic concepts in information security. I suppose that's because there are only dozens or hundreds of well-known, accessible, free sources of information on the subject readily available to them.

  4. Anonymous Coward

    Does PoS stand for Pile of Shit?

    Just asking...

    1. Anonymous Coward

      Re: Does PoS stand for Pile of Shit?

      Given some of them are Windows XP or in extreme cases, DOS-based (including Win9x), I guess that's an accurate description.

  5. wub

    UPS got hacked, too?

    I didn't hear about UPS, but a couple of days ago USPS revealed they lost private information of over 600,000 employees, and a few thousand customers as well.

  6. Herby

    Of course it might be easier if...

    They didn't use a version of Windoze as the base of the system. While this isn't in all systems, I suspect that there is an influence in many. Then they connect to the general internet and things go crazy. It seems to me that having a firewall (or similar) that detects connections to wrong places (I suspect a short whitelist would work) might stop things dead in their tracks.

    Of course many of the PoS vendors probably didn't think about security to begin with, but I'll leave comments about that to someone else.

    For the paranoid: Cash leaves no trail!

    1. Anonymous Coward

      Re: Of course it might be easier if...

      The PoS terminals should never be accessing the Internet; they should only be communicating with the back-end systems and nothing more. Why any of these companies thought that third-parties should be able to access these systems is beyond me. For Target an HVAC vendor was hacked and their VPN connection was used to access the PoS systems. Why an HVAC vendor even had access to reach that is beyond me. It is nothing more than just being lazy and doing what is easiest to implement.

    2. Medixstiff

      Re: Of course it might be easier if...

      Actually quite a few POS systems use Linux-based OSes these days.

      Simply put, there should be no-one other than an internal IT person touching POS machines, ever.

      Worst case scenario, a supplier's staff member should sit next to the IT people and the IT people do the keystrokes, just like we have to do when someone tries a remote session at work here.

      VISA and Mastercard should be pushing back on the retailers too, as it affects their brands just as much as the retailers.

      This is what happens when it all boils down to nothing but cost, it's not that expensive in the grand scheme of things for a large supermarket to have 1 or 2 IT staff in the building doing the regular bread and butter IT jobs. Maybe instead of paying overblown salaries to managers that bring SFA value to the company, trim the fat up top to help pay for the real value adds in the business.

      1. Richard Wharram

        Re: Of course it might be easier if...

        Keep them on a separate VLAN behind a firewall that's got some draconian rules for a start.
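The "short whitelist" firewall Herby suggests and the locked-down POS VLAN Richard Wharram describes can also be audited after the fact. The Python below is an added example, not code from the thread or from Cyphort's report: it applies such an allowlist to constructed, netfilter-style firewall log lines from a hypothetical POS segment, flagging tills that reach anything other than the store back-end and inbound connections to tills from any host that is not the internal IT jump host (every address and port here is an assumption made up for the example).

```python
import ipaddress
import re

# All addresses below are constructed for this example.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # the POS VLAN
MGMT_HOSTS = {"10.20.1.50"}                           # internal IT jump host
EGRESS_ALLOW = {                                      # (dst, dport) a till may reach
    ("10.20.1.10", 443),   # store transaction back-end
    ("10.20.1.2", 53),     # internal DNS relay
    ("10.20.1.2", 123),    # internal NTP
}
# Constructed log format, loosely modelled on netfilter-style KEY=value fields.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dpt)}

def classify(ev):
    """Return a reason string if the flow breaks POS policy, else None."""
    src_in_pos = ipaddress.ip_address(ev["src"]) in POS_SEGMENT
    dst_in_pos = ipaddress.ip_address(ev["dst"]) in POS_SEGMENT
    if src_in_pos and (ev["dst"], ev["dport"]) not in EGRESS_ALLOW:
        return "pos-egress-not-allowlisted"
    if dst_in_pos and not src_in_pos and ev["src"] not in MGMT_HOSTS:
        return "inbound-to-pos-from-unmanaged-host"
    return None  # allowed, or neither end is a POS terminal

def find_violations(lines):
    """Run every parseable line through the policy; return (event, reason) pairs."""
    found = []
    for line in lines:
        ev = parse_line(line)
        reason = classify(ev) if ev else None
        if reason:
            found.append((ev, reason))
    return found

SAMPLE_LOG = [  # constructed sample, not real traffic
    "t=1 SRC=10.20.0.15 DST=10.20.1.10 PROTO=TCP DPT=443",   # till -> back-end: fine
    "t=2 SRC=10.20.0.15 DST=10.20.1.2 PROTO=UDP DPT=53",     # till -> DNS relay: fine
    "t=3 SRC=10.20.0.22 DST=203.0.113.5 PROTO=TCP DPT=443",  # till -> Internet: flag
    "t=4 SRC=10.20.0.22 DST=10.20.1.10 PROTO=TCP DPT=22",    # wrong port on back-end: flag
    "t=5 SRC=10.50.3.7 DST=10.20.0.15 PROTO=TCP DPT=3389",   # vendor VPN segment -> till: flag
    "t=6 SRC=10.20.1.50 DST=10.20.0.15 PROTO=TCP DPT=3389",  # IT jump host -> till: fine
]
```

Running `find_violations(SAMPLE_LOG)` yields the three flagged flows; the same check could be fed from a real firewall's log once the allowlist is replaced with the store's actual back-end hosts.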

  7. Anonymous Coward

    The root cause ...

    ... of those attacks is clearly the use of highly vulnerable PC and networking technology in business-critical environments. Why, for heaven's sake, do we deploy POS terminals and ATMs that are powered by x86 CPUs running under Windows or Linux? Hackers have easy access to all the hardware and software needed to develop and test related malware, and company networks are just too big and heterogeneous to be kept reasonably secure.

    Using some other embedded hardware and software which isn't that easy to get hold of, and insisting on solid end-to-end encryption between the card reader and the authorization system would put an end to those nasty attacks. Adding more people to the payroll won't.

    1. Anonymous Coward

      Re: The root cause ...

      «Why, for heaven's sake, do we deploy POS terminals and ATMs that are powered by x86 CPUs running under Windows or Linux? Hackers have easy access to all the hardware and software needed to develop and test related malware, and company networks are just too big and heterogeneous to be kept reasonably secure.»

      Because it facilitates integration? Because security through obscurity isn't security?

      «...and insisting on solid end-to-end encryption between the card reader and the authorization system would put an end to those nasty attacks. Adding more people to the payroll won't.»

      Now we're getting somewhere. Good software practices, sane and (at least) reasonably security-minded programming, etc, etc, etc go a long way, even with Windows. As it's been said: when all that matters is the money, there's only so much anyone can do, regardless of whether they're an IT tech at the site or a developer of the POS software.

      But, alas, it's the people in suits and PhDs in PowerPoint that have the final say on technical decisions. Put a monkey at the wheel of a Ferrari and you're still in trouble.
