Saturday, October 11, 2014

POS as a Data Theft Target

The pattern of data leaks this year shows that criminal groups looking for transaction data are finding more weaknesses in POS systems than anywhere else. POS systems operate at the point of sale, which you might think of as a cash register, and connect it to the data center where transactions are processed. There are software weaknesses in POS systems when compared to online stores, but the operation of these systems seems to be the bigger issue.

But first, the scale of the problem is larger than most people realize. Most of the headlines mention the largest data leaks, as measured by the number of people affected. These mostly occur at the national retail chains. These are some of the large U.S. retailers where transaction data was leaked:

  • Target
  • Home Depot (stores in Canada also affected)
  • Michaels (crafts)
  • Neiman Marcus
  • Kmart
  • Sally Beauty
  • Goodwill Industries (20 regions)

Grocery chains are also affected, including:

  • Albertsons
  • Jewel-Osco
  • Supervalu
  • Acme
  • Cub Foods

Leaks affect a far greater number of restaurant chains, more than 100 in one incident alone this year. A few of the high-profile restaurants affected are:

  • Dairy Queen
  • P.F. Chang’s
  • Jimmy John’s
  • Lost Pizza

The list goes on. Hospitals, parking garages, basically any operation with multiple locations that accept card payments is at risk.

No one should imagine that transaction data leaks are limited to those reported in the news. That would be logically impossible, when you consider that there is a delay, usually of two or three months, sometimes shorter but sometimes much longer, between the opening of a data leak and the time it is discovered, understood, and reported to the public. There certainly are more incidents in the process of being discovered. There are also others that escaped detection completely, and more going on now that will not be discovered, either because the retailers are not looking very hard or lack the advanced skills to detect the server malware involved, or because the malware is designed to erase itself quickly, before it can be identified. The actual scale of data leaks must be at least 20 times more than what has been reported.

Transaction data security seems so hopeless that Publix Super Markets Inc., not yet a victim of a known data leak, is seeking public relations advice for a data leak that seems more likely than not to happen.

That’s the scale of the problem. So why is the point of sale such an easy target for criminals? It is not really the point of sale itself that is the weakness, but the multiple physical locations involved that make POS transactions hard to secure. Consider that there haven’t been nearly so many data leaks at retailers that have a single store, never mind the smaller scale involved. A single physical location means the people in charge of data security are onsite. The data still has to travel over a network, but unlike the Internet or any WAN (a physically large network), the entire network can be seen and studied by the people on the inside, while being physically protected, to a degree, from the world outside. (Of course, a retailer can give up this advantage through careless outsourcing of its POS operations.)

With multiple stores, data security depends on the actions of whoever is onsite, which usually means someone who is not effectively trained in the finer points of network security. I have heard of cases where it was the store manager or restaurant manager who was tasked with getting the data network installed, with equipment that arrived in a small pile of boxes along with a few pages of written instructions. Companies that can’t afford to hire specialists for such sensitive work also can’t afford to provide training to their staff members who must fill in the gaps. That’s not an approach that inspires any confidence.

One common scenario that security experts complain about is that POS terminals (cash registers) are shipped to retail locations with default passwords already installed. The store manager is supposed to change these passwords before operating the terminals, but as you might guess, this often doesn’t happen. These default passwords are simple phrases that are not that hard to guess in a brute-force attack, and once intruders know a default password, they can break into multiple locations quickly, providing multiple entry points to the POS network.

That is just one scenario exploiting one weakness. Compounding that weakness and others like it, most POS terminals are general-purpose computers running wide-open operating systems such as Linux and Windows Vista, allowing arbitrary software to be installed remotely by anyone who has the right password. Further expanding the range of possible exploits, POS terminals in most cases are plugged directly into the Internet, protected only by an off-the-shelf firewall — another design choice that security experts moan about.

By now it ought to be possible to design POS terminals that have all software installed at the factory or data center so that it is impossible to change the software while the machine is deployed. Such machines would cost less to manufacture and would be smaller and easier to deploy. The technology required isn’t really a mystery — a POS terminal is not really the equivalent of a smartphone, but closer to the equivalent of a dumb phone from about 15 years ago.

Without going into further detail, solutions are certainly possible, but don’t hold your breath waiting for retail chains or banks to take action. For now, if you use your credit card at any retail establishment that has multiple locations, you should consider that your transaction data may be captured in real time by shadowy criminal groups somewhere in the world. As Consumerist puts it, “Do You Ever Shop Anywhere? Congratulations: Your Data Will Be Hacked.” Besides the personal risks, the card transaction network as a whole is at risk. As I have cautioned before, on any given day without warning, the transaction networks could be hit with a pattern of fraudulent transactions so vast that they are forced to shut down. If that happened this morning, you probably would not be able to use your credit or debit card for a few months, and one or two of the major credit card banks, not to mention some of the more troubled retail and restaurant chains, could go under while the problem is being sorted out.

It is not enough, then, to accept that your personal transaction data is at risk whenever you use your cards. The whole system is at risk. It is important to have some cash on hand and a balance in a checking account so that you can carry on even if, one day, the card network cannot.