Recently, we assessed two point-of-sale (POS) systems for clients in different industries – Retail and Restaurants. POS systems are the latest and greatest hacking target taking place around the nation. In the last couple of years, we’ve read a lot about big organizations being hacked and credit card information stolen. In these instances, terminals from the POS machines were compromised and they provided confidential financial information to data thieves.
Even though these major hacking events have been publicized, credit cards are still being swiped throughout the day at grocery stores, department stores and restaurants. Without any concern, consumers hand over credit cards or debit cards to clerks and servers, unaware of the potential hazards this may cause. It is ultimately the businesses, however, that need to ensure their POS machines are secure and using the latest software.
While there are many articles outlining how the malware operates, this blog will be covering the physical security of the POS devices and how thieves can gain access. I’ll be demonstrating this through two different case studies: the first focuses on retail POS machines, while the second will cover restaurant POS machines.
Case Study #1: Retail POS System
The POS machine hardware:
The first case study is a retail POS system. These can be found in retailers of all sizes. In a typical transaction, cards are swiped and returned to the customer or swiped in conjunction with a PIN pad. Figure 1 below is a picture of what you generally see in a retail store. This particular unit was in place for multiple years at a retail location. The unit runs an embedded version of Windows XP and is “locked down” with kiosk software for transactions.
Inspecting the unit, you’ll find the keyboard includes a magnetic strip reader, as shown below in figure 2. This is connected via USB to the computer and, permits clear text transmission of both keyboard commands and the credit card to the kiosk software.
This particular unit is also outfitted with a separate magnetic strip and PIN reader, demonstrated in figure 3. The reader doesn’t use USB, but a standard serial connector.
Looking at the rear of the device in figure 4, it has a USB keyboard, as well as the serial connected magnetic strip/PIN reader.
Accessing the POS machine
Now to gain access to the machine. My first attempt was to reboot the device to gain access to the BIOS to rearrange the boot order. This was restricted via a password as shown in figure 5, requiring physical access to the motherboard to clear the BIOS settings. Kudos for having this in place! Now for my next attempt.
Unfortunately or fortunately for me (or a hacker), the USB ports are accessible on the unit (see figure 6 below), allowing a malicious user to plug in any device and upload malware to the unit.
But how would they upload the malware without access to the USB? Very easily — by a very old fashioned Ctrl+Alt+Del reboot and then entering safe mode with the F8 key at start-up, as shown below in figure 7.
The kiosk software is now bypassed, and access to the USB drive is permitted. From here, anyone — an attacker, disgruntled employee, etc. — could install malware and reboot the device; unbeknownst to the company or customer.
Case Study #2: Restaurant Chain POS system
The POS machine hardware:
Virtually all chain restaurants use the same type of hardware and software, coming from only a handful of vendors. The terminals run either Windows 7 or in most cases, Windows XP. As shown in figure 8, the undersides of the POS system terminals have exposed USB ports that are not disabled. Making this a much easier target for an attacker.
Accessing the POS machine
Pressing Alt+Tab gets you to the Windows desktop, where you can swipe credit cards using the USB magnetic strip reader. In this machine, there is no need for a password. Making my attempt to gain access much easier.
Once inside the machine, I can open notepad and swipe any card. Virtually all embedded card scanners work in clear text, emulating a keyboard. For this machine, the card data is fact clear text, as shown in figure 9, making it even easier on me to take the data I need.
Now that I’ve gained access to the machine, I am able to extract any RAW data on the fly with Wireshark or a specially crafted malware designed to steal card information on the fly.
If you want to install this malware, there isn’t much to stop you. Most POS systems aren’t managed, and they run severely outdated versions of Windows. As you can see if Figure 10, this particular device had not been updated in six months.
Even worse, in this machine, the kiosk software requires Java 6, which has been deprecated for some time and has countless vulnerabilities and exploits. Attempting to update it would break the POS software, preventing the restaurant from operating.
What can Restaurants and Retailers do to avoid a POS compromise?
As you can see from these two examples, POS attacks require very little expertise to compromise. A disgruntled employee who is offered a few hundred dollars from an unsavory character to plug a device into the computer and click ‘go,’ wouldn’t have anything stopping them. Clearing houses operate by stealing credit card numbers on the fly, similar to the notepad example above. Hackers could steal hundreds, if not thousands of cards by propagating their malware through the POS network.
Seven key steps to securing POS machines
- Keep your operating system patched and current
- Install metal plates with special screws over USB ports to prevent easy access
- Lock the BIOS with a unique password
- Prevent changing the boot sequence from the hard drive
- Have an industry preferred A/V software installed and centrally managed
- Have an IDS in place and be actively monitoring for outbound connections to POS malware domains
- Deploy security cameras aimed at POS terminals and management devices to assist with detecting illegitimate access and modification
With these steps, you can increase the level of difficulty to compromise your network and customer credit card data. While there are no blanket solutions that will guarantee security, increasing the effort and risk to compromise a POS system will entice thieves to move on to easier targets.
Remember, protecting POS systems is a 24/7 endeavor. The better protected the POS systems are, the more likely they will not be breached.