back to article A Russian cyber-gang, the Oracle MICROS hack, and five more POS makers in crims' sights

When hackers, believed to be a Russian crime gang, broke into Oracle-owned payment terminal biz MICROS, it was assumed the crooks were snooping around other register makers, too. Well, assume no more: here's five other companies poked and prodded by the crew, with wildly varying degrees of success. Days after word broke that …

  1. Anonymous Coward
    Anonymous Coward

    Don't get your hopes up

    Let's hope POS makers are all taking notes

    Having worked in this sector, I can assure you that the market is full of scruffy, poorly understood, dubiously secure software that lives on from sequential acquisitions, used by retailers that you'd assume would know better. I know that some of the software potentially in the frame here has been acquired five times over, at least once though a major insolvency and criminal investigation. What's the chance anybody now understands the design, knows the code, understands the implementations etc?

    There's as much chance of this sort of legacy EPOS being secured as there is of Adobe making Flash secure. And whether you like it or not, you're using this software daily.

    1. a_yank_lurker

      Re: Don't get your hopes up

      I see one problem with retail digital security that is largely overlooked. Many retail establishments are 'Mom and Pop' operations or small scale chains. These companies are dependent on their vendors and installers being competent. If the POS is set up, maintained, and upgraded properly there is no problem. But most of these retailers do not understand how the POS system works and are technically unsophisticated. If outfits like Target are clueless these retailers are in even worse shape.

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't get your hopes up

        Many retail establishments are 'Mom and Pop' operations or small scale chains.

        Whilst security is likely to be a matter of luck in smaller operations, these places aren't generally targets as such. Any competent criminal would focus on larger retailers because the exploits can be scaled up easily and quickly, and central data repositories exist to be worth raiding, with established markets for dirty data on the dark web. What they're after is data to sell on, so the more records they can seize, the more they make (and unless told, most people who's records are taken don't know until months after the event, if ever). So a few big, corporate targets are far more valuable than many tens of thousands of small retailers.

        Absent a customer database, at the Mom & Pop (corner shop) scale, you'd have to steal individual payment card details perhaps through a physically hacked card reader, and I doubt that is worth the effort. The fraud will be detected more quickly by the victims, the payments processors will trace the store quickly and fix the breach. And if you're into this low rent area of crime, you'll probably (a) not be very good at it, and (b) be less capable of covert sale of the pilfered data, and so you're creating a track from your buyer back to you, the would be cyber crim.

        1. a_yank_lurker

          Re: Don't get your hopes up

          If the big boys and girls get their security act together (not likely) then the next target will be smaller chains/operations with much less technical depth. Cyber criminals are just like any other criminal - they prefer the easiest target with the biggest bang. Right now and for the foreseeable future it will be large retailers who are running IT on the cheap; which is most of them. So any cyber criminal with a couple of functioning brain cells is going after Target, Walmart, etc.

    2. ecofeco Silver badge

      Re: Don't get your hopes up

      All of the above.

      I wondered how long it would take for the crims to get right to the source, i.e. the POS themselves. "Right about now" it seems.

  2. Down not across

    No hope

    And that their card readers are more secure than their websites.

    They're not.

  3. Anonymous Coward
    Anonymous Coward

    Read Daniel Suarez


  4. Mainway


    I've never quit understood why people insist on calling it a Point Of Sale system, the word Cashier presumably doesn't conjure up the same Buzz..

    1. hplasm

      Re: POS

      Cashier? In a cashless transaction...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like