Question
How are the miscreants infecting POS systems? I ask out of my own ignorance.
I know the Target hack was because of poor internal system design that allowed a hacker coming in on a vendor login to reach the POS system.
Clothing chain Forever 21 has admitted a malware infection on its cash registers swiped customer payment card details for most of last year. The retailer issued a statement revealing that last year, from April 3 to November 18, hackers were able to harvest the payment card details from point of sale (POS) terminals in …
Any number of ways: from physical access to a terminal, back office server, head office PC, plugging their own lappy into a live LAN socket in store (or weakly password-protected in-store Wi-Fi), infected website payload downloaded on the back office PC by staff at lunchtime, etc.
Mix together electronic payment processing and (often, but not necessarily in this case) elderly POS terminals running embedded/outdated/ne'er patched OSes and it's not long until something stinky cooks up.
Any number of ways from physical access to a terminal, back office server, head office PC, [...]
Not sure why you got downvoted for this – accurate answer to the question.
A few more questions pop up in my mind, though:
- Are there any penalties (fines) for losing card data (other than the risk of getting sued for damages by the victims, which AFAIK rarely succeeds unless you have actually lost money and have proof)?
- Is there any progress (or even intention) to move towards chip-based cards in the US to limit at least card-copying attacks?
- Isn't encryption mandatory by PCI DSS? What are the consequences for them if they "forgot" to turn it on?
Why were they downvoted?
"physical access to a terminal" - okay, fair enough.
"back office server" - storing plain-text credit card records? Strike one.
"head office PC" - storing plain-text credit card records? Strike two.
"plugging their own lappy into a live LAN socket in store"? No VLAN? No traffic encryption? No port-isolation? Strike three.
" (or weakly password-protected in-store Wi-Fi)" Strike four.
"infected website payload downloaded on the back office PC by staff at lunchtime etc" (See above)
None of those but literally access to a terminal should mean compromise. And even that means compromise of the terminal, not compromise of the entire system. Anything else is not only poorly designed but not PCI-DSS compliant at all.
NOBODY - at any kind of office or otherwise - should be able to see the plain-text credit card data on their PC. From merchants to a central secured network with full encryption, which then submits to the bank over a similar encrypted channel, sure. But nobody should be using the credit card data itself (sales records and APPROVED/REFUSED are another matter entirely and should be on an entirely different system) at all except the bank. Hell, most of the retail-store systems you see just talk straight out to the bank over secured channels that the company has no control over.
That you can put ANYTHING on a POS network and have it sniff traffic, or compromise other ports, or do anything but talk over an encrypted channel to a bank is ridiculous. And certainly there should be no bog-standard office PC which has access to that data, even in theory for a large retail chain. Maybe a mom-and-pop shop, but they talk to the bank direct and the attack vectors are elsewhere in that case.
Honestly... just shouldn't be happening. And certainly shouldn't be CLOSE to a network that allows any kind of software update / attack / compromise of the system by a third-party. Their bank will have their ass on their PCI-DSS disclosures if that's even possible.
"Strike one....Strike four."
Well, yes, those don't have the card details or direct access to them, but they are legitimate ways into a company system. It doesn't matter how a miscreant gets in, but once they are inside, most bets are off. Internal security is usually much lower priority than external security.
"- Isn't encryption mandatory by PCI DSS? What are the consequences for them if they "forgot" to turn it on?"
If your PCI costs are a rounding error then you get cut off from the system until you pay for re-compliance and then get monitored and re-certified more frequently (at your own cost). If your PCI compliance payments and transactions costs are noticeable to the c-suite bonus grabbers, then you get a slap on the wrist and told not to be a naughty boy again.
Since taking over the POS software requires some knowledge of the hardware and software in question (so as to know just where to hack), odds are they're inside jobs conducted by contracted tecnicos or the like sent to service the machines or other back office stuff in the system.
Every card transaction is a potential exposure - and the banks want us to go contactless so they can cream off a percentage for every transaction - there'll be so many transactions on your statement nobody will ever be able to identify what is legit from fraud. Join me in the cash revolution and you too can avoid credit card fraud...
"Join me in the cash revolution and you too can avoid credit card fraud..."
I was thinking along the same lines, but then you get cashiers making change, and sometimes that is very entertaining/frustrating, depending on your mood.
A few weeks back I was due 77 cents in change on a purchase. The cashier pulled ten dimes, a nickel and two pennies. I asked her if I could get the three quarters (that bin was full in the cash drawer) and two pennies instead, and I could tell by the blank look on her face she wasn't able to compute that as the same value. Or the kid who told me two quarters was worth 30 cents "because two quarters in football is 30 minutes."
The small print by-line was "By Shaun Nichols in San Francisco"
Otherwise you have to read half of the story to realise that this is only in its American stores!
That could just be an American reporter who forgets the USA isn't the whole world, of course.
Still interesting, as a story. But not the same as reading that it happened in the UK/Worldwide for the non-Americans among us.
Because a quick search shows that it's not the first time this has happened to them, and back then, almost 10 years ago, they were already PCI-compliant (which mandates that all credit card information MUST be encrypted):
I'd very much like to know the current state of their PCI compliance, and who audited them.
https://www.scmagazine.com/was-forever-21-wrongly-certified-pci-compliant/article/554996/
Be interesting to know exactly what the fraudsters got hold of, and what they tried to do with it...
There wouldn't have been PINs presumably (although these are sometimes used for US debit cards), so no cashing out at ATMs. Supposedly no cardholder names (so presumably no addresses either), so I'm guessing we're just talking about images of Track 2 data from cards. So probably just a matter of making counterfeit (mag stripe) cards and buying stuff. But this won't work for transactions that were originally chip.
I doubt you can do much fraud these days with just an account number and an expiry date... Well, except maybe by creating an account on Amazon and then buying whatever you want!
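A defender's check on two points raised above: that back-office servers and PCs should never hold plaintext card records, and that what a POS scraper is after is Track 2 data. The scanner below is added here as an example and is not code from the article or from any commenter. It walks a text blob (a log file, a database export, a memory dump converted to text) looking for Luhn-valid PANs and ISO 7813 Track 2 records, and reports each finding with the PAN masked to first six and last four digits. The sample lines and the card numbers in them are constructed (the numbers are publicly known test numbers, not real accounts).

```python
"""Find plaintext cardholder data (PANs and Track 2 records) in a text blob.

Added example, not from the article or any commenter. SAMPLE is constructed:
the card numbers are public test numbers, not real accounts.
"""
import re

# A PAN is 13-19 digits, possibly written in groups separated by spaces or dashes.
# The lookarounds stop a 16-digit match being carved out of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ISO 7813 Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): rejects most non-PAN digit runs such as order refs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits, the most PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(data: str) -> list:
    """Return findings as dicts; Track 2 records first, then bare PANs outside them."""
    findings = []
    track2_spans = []
    for m in TRACK2_RE.finditer(data):
        pan, expiry, service_code, _discretionary = m.groups()
        if luhn_valid(pan):
            track2_spans.append(m.span())
            findings.append({
                "kind": "track2",
                "pan": mask_pan(pan),
                "expiry": expiry,           # YYMM
                "service_code": service_code,
            })
    for m in PAN_RE.finditer(data):
        start, end = m.span()
        # Skip digit runs that sit inside an already-reported Track 2 record.
        if any(s <= start and end <= e for s, e in track2_spans):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append({"kind": "pan", "pan": mask_pan(digits)})
    return findings


# Constructed sample: one clean line, one Track 2 leak, one spaced PAN,
# and a 13-digit order reference that fails Luhn and must not be reported.
SAMPLE = (
    "2017-06-01 12:03:55 register=07 txn=88213 status=APPROVED\n"
    "debug: raw track ;4111111111111111=2212101123456789?\n"
    "customer_pan=5555 5555 5555 4444 amount=19.99\n"
    "ref=1234567890123 sku=4012 8888\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

Run against real back-office data, a clean system returns an empty list; anything else is a PCI DSS finding to chase down. The Luhn filter keeps order numbers and timestamps out of the report, and the overlap check stops the PAN inside a Track 2 record from being counted twice.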
For many a year I have been told by retailers that they do not trust my cheques. To which the swift retort is that I don't trust their card machines. Yet another to add to the list of reasons why!
At present we eventually compromise on cash, but be aware they are working hard through organisations such as "The Payments Council" (made up of banks and big retailers alone) to marginalise cash in just the same way as they marginalised cheques.