But it is, of course, my fault according to the banks, when my account is emptied...
Crooks are infecting sales registers running Oracle-owned MICROS software with malware tailor-fitted to steal bank card information from the machines. MalumPoS scrapes sensitive data from the RAM inside the tills, which are used in places from shops and restaurants to hotels and bars. The software nasty can be easily modified …
"POSes have several strikes against them. They are often running on out-of-date, unpatched platforms (such as Windows XP)"
Hmmm.
Who can remind this gentleman what the End of Support date is for Windows XP Point of Sale Edition, which is perhaps the obvious Windows XP for use in a PoS device (used in ~80% of PoS systems, I've heard)? Hint: it hasn't happened yet. Try 2019.
There even seems to be a one-word registry edit in widespread circulation since just over a year ago which turns your ordinary XP into POS XP from the point of view of continuing to get the updates:
http://www.theregister.co.uk/2014/05/26/german_tinkerer_gets_around_xpocalypse/
This Beardsley bloke may have some fair generic points to make but he may not be the "expert" he would like us to think he is.
If you can back up your claim of 80% usage then you have somewhat valid points.
I'm working in the fast food industry and with thousands of POS systems. We still have some Windows 98 systems, and plenty of XP Pro, WEPOS and Windows 7 systems. (The last few Win95 systems were retired last year or so. Can't say I miss those Pentium MMX systems... :-)
The scales are already tipped to the Win7 since the business is expanding and old systems are updated when they break or the shop is renovated.
PosReady 2009 (XP) you are referring to is supported until 2019 but it didn't really offer anything new over WEPOS and I believe (don't know for sure) most businesses skipped it since people like to KISS. WEPOS is of course still supported until next year.
The POS systems I administer are not actually updated at all, and the EOL date for XP didn't concern us one bit. It was actually some 3rd party software libraries for EMV payment processing that required us to replace the Win95 systems. POS systems are expensive so old systems aren't replaced on a whim.
This Beardsley bloke may have some fair generic points to make but he may not be the "expert" he would like us to think he is.
The POS registry hack doesn't fix everything and I can't recommend it anyway.
Check the comments for the article you referenced, especially this well articulated one:
'The other issue is that the patches (a) will not cover XP components that aren't in the embedded OS, (b) may or may not work in any event. The result of this could be the worst possible scenario from a security standpoint: an insecure machine that customers mistakenly believe IS secure and trusted. "The only thing worse than no security is false security", and all that.'
"If you can back up your claim of 80% usage"
I can't. It came from some Microsoft PoS report or other. Sorry. If I remember, I'll post. Any PoS vendor basing product on full-fat Windows (and paying for it) is presumably missing a money-saving trick though, so I'd be surprised if the figure wasn't very substantial even if it's not 80%.
"The POS registry hack doesn't fix everything"
"the patches (a) will not cover XP components that aren't in the embedded OS"
Can you be more specific? E.g. examples of what it doesn't fix? [I wonder if there is some naming confusion here; it wouldn't be difficult, given that there's XP classic, XP Embedded, and Windows POSReady, which are all basically the same OS with subtle differences in configuration and big differences in licensing, ref 1, 2, 3]
"the patches (a) will not cover XP components that aren't in the embedded OS"
Examples welcome (I acknowledge these are Bill de Haan's words, not your words).
While everyone's looking (or not), here are a couple of references that say there are few functional differences between XP Pro and XP Posready (e.g. POSready doesn't have the games, MovieMaker, or Outlook Express, ref 3).
"the patches (b) may or may not work in any event. "
Same as any other Patch Tuesday then. Mostly they work. Sometimes they don't.
NB I am not suggesting that this registry hack is a good idea for Joe Public.
I am suggesting that a company (and its media representatives) which intentionally misleads its customers ought to be ashamed of itself. Naive or what?
Telling customers that patches are no longer developed when they clearly are would appear to be a mis-statement.
Thanks for the opportunity.
1: http://www.msembedded.biz/en/embedded-software/windows-embedded-posready-2009/posready-vs-xp-pro/
2: https://technet.microsoft.com/en-us/library/ee406170%28v=winembedded.0%29.aspx
3: http://go.microsoft.com/fwlink/?LinkId=159099
Use ApplePay or some similar scheme, where no information that the PoS receives can be used to get more money out of a card.
Although a PoS that is completely under control of a hacker might make payments from the customer to the hacker, instead of customer to merchant. But that would be a problem for the merchant, not the customer, so even then ApplePay would be safe for the customer, and wouldn't be the cause of the problem for the merchant.
Or if it's for a small amount, just use cash. Oh wait, corporations want us to move away from cash so they can track us, errr, I mean because it's so much more convenient for us to use electronic systems. And of course the useful idiots in the tech industry are helping them along in this. Notice how many shops now have card-only self-service tills in the UK? Soon it'll be all of them, there'll be no humans behind any tills, and if you want to pay by cash you'll probably have to go to a special counter round the back, do an iris and fingerprint scan to make sure you're not on a terrorist list, and give 2 forms of identification. Think I'm kidding? Let's wait 20 years and see.
Using ApplePay or Google Wallet or whatever would have at least two upsides:
1. If the bad guys divert the payment to themselves, there's at least some chance that the diversion can be tracked, leading to them. (It depends on how the money was diverted and how quickly someone noticed.)
2. The lack of incoming funds should quickly alert management, and should (depending on how bright management is. Oh. Wait. Errmm...) result in someone taking active measures to improve security. (Well, it could happen... Money talks. Loudly.)
Yes, but I'm guessing you do something computery for a living and don't manage a retail outlet. If you are going to hide computers in places ordinary people don't expect to find them, you had better make them bulletproof.
The fault here is 100% the vendor for selling insecure cash registers (which is what the uncognoscenti call them).
Can't wait until the fucktard revolution makes my light bulbs and air conditioner open to similar attacks because, you know, what would a lightbulb be sans internet connectivity?
My comment was referring to the front page picture El Reg used to illustrate the story (not carried over to the story itself, so when the story was dropped from headline status the picture disappeared with it - thanks El Reg!) which was a close-up of a PCB containing 1980s vintage AM9016s, if I remember correctly, which were drop-in replacements for the MK4116 chips typically used on CGA cards.
Is that how they did it!
And guess what? They put one single lone guy on the task of tracking down the Bulgarians who did it.
Says it all: while the NSA are concentrating on spying on their own population, they leave the country exposed to cyber attacks, and all that black hat firepower can't even thwart them. National security my ass. Cyber security is a national security risk, obviously.
This is down to a few things.
Windows XP. POS systems connected to other Windows systems on the network and not isolated. Surely there has to be a way to fully isolate everything; they should never be connected to other Windows machines on a LAN!
"...they are rarely audited and maintained by dedicated IT security staff, and configurations are often in the default state, including default administrator passwords," he added.
Even in those instances where it isn't the default state, there tends to be a problem with homogeneous deployments. For example, in each store the first register is POS01, the second is POS02, etc. So once you've cracked one store, all the rest in the chain follow. I was talking with a friend who is part of the dedicated support team for one franchise here in the US. For various reasons that's exactly the way they have to deploy the hardware. Right now they use Windows Update to try to secure stuff. But you have the standard SME problems. Oftentimes the only "real" computer in the store is the one that is also acting as the server for the POS system. So it of course has full browser capabilities and possibly more than one browser installed. He didn't think they had issues with needing to support Java/Flash/Reader, but it's still a bit of a mess and difficult to automate reporting in such a way that you can easily audit patching. And yes, they're still running XP while waiting for the vendor to release a Win 7 edition and dreading how the vendor is going to royally fuck it up even though they know they need it. I think he supports about 300 POS terminals across 60 or so stores, team size is 3 and it's nearly 24/7/365 support expectations.
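The last two posts describe the recurring risk factors for a POS estate (an end-of-support OS, patching that nobody can easily report on, registers sharing a LAN with the back-office machine, and default administrator passwords) and the difficulty of turning that into an auditable report. The script below is an added example, not code from the thread or from any vendor: it reads a small constructed inventory export (the CSV text, hostnames, store numbers, VLAN numbers and patch dates are all made up for illustration) and emits one finding per risk factor per terminal, so a three-person team could run it against a real export from their management tool. The end-of-support dates are Microsoft's published lifecycle dates for those products; the 30-day patch-age threshold and the column names are assumptions of this example.

```python
"""Audit a POS terminal inventory for the risk factors raised in the thread:
end-of-support OS, stale patching, no network isolation from the back office,
and default administrator credentials. Example code; the inventory rows and
the audit date are constructed for illustration."""
import csv
import io
from datetime import date

# Vendor end-of-support dates (Microsoft product lifecycle). POSReady 2009 is
# the "supported until 2019" product discussed in the thread.
END_OF_SUPPORT = {
    "Windows 98": date(2006, 7, 11),
    "Windows XP Pro": date(2014, 4, 8),
    "WEPOS": date(2016, 4, 12),
    "POSReady 2009": date(2019, 4, 9),
    "Windows 7": date(2020, 1, 14),
}

# Constructed inventory export. A real one would be pulled from whatever
# management or patching tool the team uses; the column names are assumed.
INVENTORY_CSV = """\
hostname,store,os,last_patch,vlan,backoffice_vlan,default_admin_pw
POS01,0042,POSReady 2009,2015-05-20,10,10,yes
POS02,0042,Windows XP Pro,2015-01-03,10,10,no
POS01,0043,Windows 7,2015-06-01,20,30,no
POS02,0043,WEPOS,2015-03-15,20,30,yes
POS01,0044,Windows 98,2009-11-30,40,40,yes
"""

# Audit date chosen to match when the thread was written (constructed).
AUDIT_DATE = "2015-06-15"


def audit(csv_text, today=AUDIT_DATE, max_patch_age_days=30):
    """Return a list of (store/host, category, detail) findings."""
    today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = f"{row['store']}/{row['hostname']}"
        os_name = row["os"]

        # 1. Operating system past its vendor end-of-support date.
        eos = END_OF_SUPPORT.get(os_name)
        if eos is None:
            findings.append((host, "unknown OS", os_name))
        elif eos <= today:
            findings.append((host, "end-of-support OS", f"{os_name} (ended {eos})"))

        # 2. Patching older than the threshold (Windows Update runs unnoticed
        #    until someone actually measures it).
        age = (today - date.fromisoformat(row["last_patch"])).days
        if age > max_patch_age_days:
            findings.append((host, "stale patching", f"{age} days since last patch"))

        # 3. Register on the same VLAN as the back-office / browsing machine.
        if row["vlan"] == row["backoffice_vlan"]:
            findings.append((host, "not isolated",
                             f"shares VLAN {row['vlan']} with back office"))

        # 4. Default administrator password never changed after deployment.
        if row["default_admin_pw"].strip().lower() == "yes":
            findings.append((host, "default admin password", "change before go-live"))
    return findings


def summarize(findings):
    """Count findings per category for the management-facing summary."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY_CSV)
    for host, category, detail in results:
        print(f"{host:12} {category:24} {detail}")
    print("\nSummary:", summarize(results))
```

The "not isolated" check is deliberately crude (same VLAN as the back-office machine); a firewall rule export would give a better answer, but even this coarse view makes the "POS on the same LAN as the browsing PC" problem from the thread visible across a whole chain in one run.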