Re: What is the attack vector?
What is the attack vector?
More generally, whatever is the weakest link. It could be open media drives on terminals, it could be the corporate network for the store (i.e., your choice of phishing, zero days, SQL injection, corruption, fraud, or access via third party systems, you name it). It could be physical interference with the card reader or terminal by the bogus maintenance guy, disaffected employees. And if the hardware spec is sufficiently inadequate, then simply connecting a poisoned USB drive whilst nobody is looking could be sufficient, taking all of five seconds (because nobody thought to remove or physically disable all the USB ports on a vanilla PC chassis).
A big part of the problem is that many EPOS are a complete POS. So running an outdated OS, or a newer but unpatched OS, or actually written in some bugware like Java. The EPOS software supply chain is very similar to the ERP software supply chain - so more than a few are snowball acquisition outfits, where the original coders and designers have long since left, the IP has been sold several times over, and there's no real knowledge of the software. Nobody dares touch it in case it falls over, and nobody really cares about data security because that's the customer's problem.
And all of that is before you look at the founders and directors of some of the EPOS companies - a search on the words fraud, conviction, Retail J, Lucas EPOS, Torex, XN Checkout, will pull up sufficient to get the gist of this, but in my view there's more, affecting more companies and systems.