iPad POS Security: The New Wave of Hacking and Credit Card Fraud
A Point-of-Sale system (POS system) is typically recognized as any technology that conducts and records sales transactions, processes credit and debit cards, and manages inventory. Today, the most advanced POS systems allow merchants to access real-time sales reports and analysis, manage inventory, track employee engagement, and provide real-time data of all in-store products within an online marketplace, all on one device. For the POS industry, cybersecurity ranks high on the agenda of top security experts in an age where the Internet and the e-commerce industry are dominant forces in consumerism. POS systems have increasingly become the preferred targets of hackers due to rapidly growing malware coupled with so-far unaddressed cybersecurity protocols and practices. As of 2014, 30% of POS systems still operate on Windows XP, an aging legacy operating system that is vulnerable to most hacks and security breaches. Any successful hack into a POS system can threaten the security of millions of users’ data, including pertinent credit card information, costing organizations enormous monetary losses and simultaneously damaging consumer brand perception (think of the 2013 Target breach). Any business, from mom-and-pop shops to multinational corporations, must first recognize and address issues of cybersecurity when implementing any new POS system. Using real-world examples of POS breaches and presenting a breakdown of common hacking methodologies that frequently plague POS systems, as well as a simple run-down of necessary POS security features, this publication will portray the importance of utilizing the latest POS technology in order to protect both the consumer’s and the business’s information.
POS Security Breach Situation
2013 marked the year of the “Retailer Data Breach.” Small retailers and massive corporations alike fell victim to malicious POS security attacks, resulting in negative publicity widely distributed across various media outlets. The 2014 Data Breach Investigations Report (DBIR) published by Verizon revealed a total of 198 incidents involving POS intrusions in 95 different countries. Restaurants, hotels, grocery stores, and various brick-and-mortar retailers were the most targeted for POS system intrusions.
Victims of POS Breaches in 2013:
- Benny’s Pizza
Victims of POS Breaches in 2014:
- Aaron Brothers
- UPS Stores
- Goodwill Industries International
- Sally Beauty Supply
- Splash Car Wash
The aforementioned businesses are just a small sampling of the numerous POS data breaches in recent years. These examples portray the very real cybersecurity vulnerabilities within organizations of all sizes. Despite the declining trend in POS intrusions, these security breaches inflict serious harm on businesses, including direct financial losses. Merchants must account for these types of intrusions, with small businesses potentially facing dire consequences as severe as bankruptcy and closure. An article published by Retail Touch Points last year calculated that Target’s POS breach in 2013 cost the company $148 million in gross expenses, resulting in monetary damages that carried through to its second quarter of 2014. In light of the grave consequences resulting from POS-related crimes, businesses must first understand which security measures and standards currently available are the most effective, and then firmly employ them in order to protect their POS systems. The good news? With Chip and PIN credit cards becoming mandatory in the United States by the end of 2015, POS-related security threats are expected to decline. In this regard, the U.S. has been technologically trailing behind the majority of developed countries. This lag in credit and debit card security is directly correlated to the prevalence of identity theft currently plaguing the U.S. To cite an example, the United Kingdom’s introduction of standardized EMV technology (Europay, Mastercard and Visa) in 2004 resulted in credit card information theft dropping by 70 percent. That said, despite the continuing adoption of EMV technology around the world, malicious hackers continue to develop new methods to work around the latest security measures. The reality is that it is almost impossible to prevent every single POS-related security breach.
The most effective strategy to deploy against POS data breaches is to be proactive. This can ultimately be achieved through the adoption of the latest cybersecurity technology and by remaining astute and updated about any cyberattack methodologies that threaten the POS industry, points that we will be addressing in this paper below.
To prevent hackers from breaching your POS systems, one must first understand the methodology behind the attacks. Securing any POS system appears daunting and intimidating because the system is constantly moving large amounts of confidential data daily at an unprecedented pace. Moreover, hacking POS systems and accessing this data flow does not even require extensive hacking or computer skills. POS systems remain in an exposed location within the network; when processing and transmitting data within these networks, the systems are continually under threat from various external sources. The best defense against an opposing force is knowing and understanding their plan of attack. The cyber attacking process can be roughly divided into four parts:
- Infiltration
- Network Traversal
- Data Capture
- Exfiltration
Infiltration is the process of gaining unwarranted access to the system. This access comes from either internal or external sources. An attack from within the system usually starts with an attacker distributing emails containing malware in the form of links or files, which commonly feature a fake icon or file name, to individuals who hold rightful access to that system. This malicious link or file could then lead to a website which installs a backdoor program onto the system. For external attacks, cybercriminals gain access by entering a default manufacturer password, or by using an injection attack such as SQL injection.
The second step of a cyber attack is network traversal. Invaders with access to the network can record and analyze information about the POS environment through the installation of hidden malicious files. The goal of the attacker is to obtain administrator access credentials that enable future attacks, along with information that leads towards unwarranted access to other POS systems.
Following network traversal, the next step for the hacker is data capture. Network shifting tools, which enable malware to shift between different internal networks and databases, are rooted in the malware. In turn, the attacker can collect and accumulate unencrypted data when credit card payments are processed into the POS system. This malicious process continues pulling credit card data until the time of exfiltration.
Cybercriminals will prepare for the exfiltration after capturing the desired amount of data. Hackers use two primary methods to export the acquired data. The first exfiltration method is File Transfer Protocol (FTP), in which the acquired data is condensed into a file and transferred via remote management tools. Exfiltration by FTP remains highly threatening because the file containing the credit card information is extracted secretly and is nearly undetectable. The second exfiltration tactic utilizes Hypertext Transfer Protocol (HTTP). By targeting a staging server within the corporate network that has legitimate external access, cybercriminals can exfiltrate the obtained credit card data. Following the exfiltration, the invader may acquire credit card data through the internet without even provoking the attention of POS users.
Following the initial POS attack, cybercriminals can then commence any following invasions in accordance with previously discovered weaknesses in the respective POS network setup. Because of these loopholes, POS devices, network communication, and servers remain as major targets for hackers.
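Both exfiltration paths described above leave traces in network flow logs. The following Python sketch is an added example, not code from the original paper: the subnets, the processor address, the byte threshold and the sample flow records are all constructed assumptions. It flags POS terminals that talk to anything other than the payment processor, and internal hosts that first receive POS traffic and then upload a large volume to the Internet.

```python
import ipaddress
from collections import namedtuple

# Assumed network layout (constructed for this example).
POS_NET = ipaddress.ip_network("10.20.0.0/24")       # POS terminal segment
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # whole corporate network
POS_ALLOWLIST = {("203.0.113.10", 443)}              # payment processor (ip, port)
EXTERNAL_BYTES_THRESHOLD = 1_000_000                 # bytes sent outward in one flow

# Constructed flow records: time, source, destination, destination port, bytes sent.
SAMPLE_FLOWS = """\
2015-01-10T09:00:01 10.20.0.11 203.0.113.10 443 4200
2015-01-10T09:00:05 10.20.0.12 203.0.113.10 443 3900
2015-01-10T02:13:40 10.20.0.11 10.30.0.5 21 850000
2015-01-10T02:14:02 10.20.0.12 10.30.0.5 21 910000
2015-01-10T03:30:00 10.30.0.5 198.51.100.77 80 1760000
2015-01-10T04:00:00 10.20.0.13 198.51.100.50 80 500
2015-01-10T10:00:00 10.30.0.9 198.51.100.20 443 12000
"""

Flow = namedtuple("Flow", "time src dst port bytes_out")


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, port, size = line.split()
        flows.append(Flow(time, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(port), int(size)))
    return flows


def detect(flows):
    """Return (rule, flow) alerts in time order."""
    alerts = []
    staged = set()  # internal hosts that received unexpected POS traffic
    for f in sorted(flows, key=lambda f: f.time):
        if f.src in POS_NET:
            if (str(f.dst), f.port) in POS_ALLOWLIST:
                continue  # normal payment traffic
            rule = "pos-ftp-transfer" if f.port == 21 else "pos-unexpected-destination"
            alerts.append((rule, f))
            if f.dst in INTERNAL_NET:
                staged.add(f.dst)  # possible staging server
        elif (f.src in staged and f.dst not in INTERNAL_NET
              and f.bytes_out >= EXTERNAL_BYTES_THRESHOLD):
            alerts.append(("staging-host-external-upload", f))
    return alerts


if __name__ == "__main__":
    for rule, f in detect(parse_flows(SAMPLE_FLOWS)):
        print(f.time, rule, f.src, "->", f.dst, f.port, f.bytes_out)
```
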
Three Levels of Hacks on POS Systems
1. Hacking POS Devices
Cybercriminals target POS devices because they have the most direct and tangible exposure to the public and, more specifically, to consumer purchases. In other words, cybercriminals can infect a POS device without even possessing advanced computer skills or a comprehensive deployment methodology; an invader need only approach the POS device to manually install malware. Despite most POS devices being under the supervision of store employees, attackers can still disguise themselves and capitalize on an employee’s lack of attention to gain access to the POS system. Recent findings also reveal that malicious imitation POS devices were once circulated in the market. The operation of these malicious POS systems includes malware that disguises itself as error reporting during credit card transactions: instead of truthfully rejecting the information, the system records the secure information for later use.
2. Hacking Network Communication
Hacking network communication among POS systems is another common strategy used by cybercriminals. This network-level attack aims at intercepting unencrypted data in the connection stage of a POS system. Here, routers – more commonly referred to as WiFi networks – become the main target of the attackers. The first method of breaching network communication is to identify the desktop access software. This is done through a preceding port scan in order for the hacker to figure out a specific method of attack. Another way to obtain network communication access is hacking a WiFi hotspot. With an open WiFi hotspot, attackers can simply capture and exfiltrate data because access to the network is openly provided. For a closed WiFi hotspot, though it is more difficult, attackers can still gain access by finding an open port on a switch and then adding their own WiFi access point.
3. Hacking Specific Servers
Attacks that target networks or servers are typically the most sophisticated of all, rewarding cybercriminals with the highest possible return. Server-level infiltrations not only provide access to a single device or network, but potentially open access to all POS systems under a particular server. The ultimate goal of the hacker is to obtain complete access to a user’s computer, which contains all pertinent credit card information. As described in the cyber attacking process, hackers proceed through infiltration, network traversal, data capture and, lastly, exfiltration. For exfiltration, the unauthorized users have the choice between obtaining credit card data through database servers, or through all POS systems containing deployed malware within the particular network. Furthermore, the installation of an additional “backdoor program” gives cyber-attackers continual access even after the original malware is discovered.
Retailers’ Steps of Precautions: The Latest in POS System Security Measures
1. The iPad POS
Despite the rapid advancement of cloud-based Point of Sale systems being run on tablets, most POS systems still run on outdated Windows XP operating systems. Tech Republic, a leading digital technology publication, confirmed that legacy Windows XP operating systems certainly expose most POS systems to higher security risks compared to alternatives. Although it is unfortunate that no operating system is 100 percent safe from cyber attacks, in terms of Point of Sale operating systems, Apple’s iOS is renowned for its second-to-none security measures, consistently outperforming most other operating systems in that category. Security researcher Brian Krebs remarked in The Washington Post:
“An investigative series I’ve been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud. The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.”
Additionally, experienced Technology Editor of The Guardian Charles Arthur noted, “if you value your online security, you should welcome an iPad.” Some critics complain of the limited functionality of the iPad and that users cannot program directly on the tablet. Following this train of thought, Arthur believes the iPad is safer than PCs and general-purpose computers because of this very reason; with only modest computing capability, the iPad functions with fewer security holes and limited opportunities for breaches.
Based on security features alone, an iPad-based POS is indeed the optimal choice. The rationale for an iPad-based POS system is supported by a plethora of key attributes:
- Sandbox – The Sandbox feature limits an application to its intended functionality. For example, an application cannot access files and resources beyond its initial and intended functionality, making it hard for malicious software to compromise a user’s system. Upon installation, iOS puts the installed application in the Sandbox. The secure partitions of the Sandbox bar any hacked application from infecting the remaining unaffected portions. With this in place, a hacked application on an iPad is restricted from accessing the POS system’s data recorded within the tablet.
- Code Signing – Apple imposes strict code signing requirements on application developers, which maintain high standards among individuals creating applications. Before creating a project, developers must obtain three code signing certificates from Apple: a development certificate, a distribution certificate, and a Developer ID certificate. These strict requirements maintain the utmost security standard for applications running on iOS.
- Entitlement – Access by third-party apps to user information and features such as iCloud is controlled using declared entitlements. Entitlements are key-value pairs that are signed into an app and allow authentication beyond runtime factors. Since entitlements are digitally signed, they cannot be changed. This greatly reduces the potential for privilege escalation by a compromised system application.
- Minimal security loopholes – Similar to Arthur’s explanation, less processing power means fewer security holes. The iPad is not like conventional computers, which allow for easy installation of new and unknown third-party software pulled from the Internet. Additionally, individuals cannot program directly on the tablet. The iPad’s limited capability reduces the possibility for hackers to discover security loopholes.
- Unitasking – The iPad only runs one application at a time. In case an application is unfortunately hacked – although very unlikely – the POS is still not breached by the attacker. This extra layer of security on iOS contributes to making an iPad-based POS system extraordinarily secure.
If the idea is for a device to function primarily as an iPad POS system, why purchase anything that brings security vulnerabilities and unnecessary computing power when the intended use is the Point of Sale?
2. End-to-end Encryption
Encryption transforms plain text data, such as the PAN, into an incomprehensible form called ciphertext. End-to-end encryption ensures that data is encrypted while it travels between the originating party and the recipient. With this method, sensitive data never travels in plain text between two parties, and only the unique recipient can decrypt the data, eliminating any interceptions by third parties. This security feature rules out the possibility for intermediaries such as internet providers, service providers, or hackers to read, access and manipulate the content of the data. The data can only be decrypted with one or more cryptographic keys, which only merchants and the recipient party possess. The most effective method to ensure credit card security in a Point of Sale system is to encrypt the data as fully and as early as possible. The points of capture used to process payments for POS systems include magnetic-stripe readers, chip-and-pin processors, and card-not-present applications. Older POS legacy systems carry out the first encryption of credit card data at the POS terminal or POS server. To make matters worse, the first encryption may occur at the merchant’s central server, making the transition from the payment processor to the server highly vulnerable to a POS breach. Unfortunately, the POS systems used by the majority of U.S. merchants do not encrypt sensitive data upon capture, therefore leaving major security loopholes for malware breaches. End-to-end encryption is arguably the most effective POS security measure at the moment. George Peabody, Principal Analyst of Mercator Advisory Group, describes end-to-end encryption as the “end-game recommendation of PCI (Payment Card Industry).”
End-to-end encryption with tokenization constitutes highly reliable protection for sensitive data. Tokenization is a technology that protects sensitive data by substituting a real credit card number with a token. Once a payment card transaction is authorized, the card data is sent to and stored in an immensely secure server called a vault, temporarily securing the information for a selected time period. A random series of numbers (i.e. a token) is generated to replace the original card number. That token is then returned to the merchant’s POS system. If there is a hack on a POS system where the credit card information is in transit, the data (in token form) remains incomprehensible and useless to cybercriminals. By not storing the real primary account number (PAN) and instead creating a piece of data that is worthless to potential attackers, the token stored in the vault can be used in future business applications as a substitute for the real card data for only that particular merchant. For instance, a customer can use his credit card for an online payment and authorize the online merchant to store his card information for future transactions. The credit card data is immediately tokenized and the token is stored in the merchant’s POS system. Upon the customer’s next purchase, the corresponding stored token will make use of the indexed credit card number. Thus, the customer’s credit card is safely kept by the merchant’s token service provider and is never in jeopardy of theft. If a merchant’s POS system is hacked and the data is stolen, only a series of random tokens is obtained by the criminal; these tokens have no monetary value to the hacker, as only the specifically authorized merchant account can use the tokens for transactions. Implementing both end-to-end encryption and tokenization allows merchants to avoid storing sensitive card data in their POS systems.
This security measure directly eliminates risky card data storage and greatly reduces the risk of a data breach, along with fees for security scans and annual PCI DSS assessments.
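The tokenization flow described above can be modelled in a few lines of Python. This is an added example, not Bindo's or any token service provider's code: the `TokenVault` class, the merchant names and the in-memory storage are hypothetical, and rejecting tokens that pass the Luhn check is a design choice assumed here so a token can never be mistaken for a real card number.

```python
import secrets
import time


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a token service provider's vault (hypothetical)."""

    def __init__(self, ttl_seconds: float = 3600, clock=time.time):
        self._records = {}                  # token -> (merchant_id, pan, expires_at)
        self._ttl = ttl_seconds             # the "selected time period" data is kept
        self._clock = clock

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Store the PAN in the vault and return a random token of the same length."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Reject tokens that could pass for a real PAN or that already exist.
            if not luhn_valid(token) and token not in self._records:
                break
        self._records[token] = (merchant_id, pan, self._clock() + self._ttl)
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Return the PAN only to the merchant the token was issued for."""
        owner, pan, expires_at = self._records[token]   # KeyError: unknown token
        if self._clock() >= expires_at:
            del self._records[token]
            raise KeyError("token expired")
        if owner != merchant_id:
            raise PermissionError("token belongs to another merchant")
        return pan


def simulate_pos_breach() -> bool:
    """Copy the merchant's POS store as an attacker would; report if a PAN is in it."""
    vault = TokenVault()
    pan = "4111111111111111"                # widely used test number, not a real card
    pos_store = {"customer-42": vault.tokenize("merchant-A", pan)}
    stolen = dict(pos_store)                # the POS database holds tokens only
    return pan in stolen.values()


if __name__ == "__main__":
    print("PAN exposed in POS breach:", simulate_pos_breach())
```
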
4. PCI Compliance
It is reasonable to assume that not every merchant is a security expert. The Payment Card Industry (PCI) Security Standards Council provides a set of PCI Data Security Standards (PCI-DSS) to help guide business owners towards safer POS security standards. Merchants can readily reference these guidelines when picking an appropriate POS system for their business. Though not 100 percent safe, PCI-compliant POS systems are surely more secure than non-compliant systems. The 2009 Data Breach Investigation Report published by Verizon reveals that 81% of institutions that endured payment card breaches among the Verizon caseload were non-PCI-compliant or had not been audited. Notably, merchants deploying non-PCI-compliant systems pay an estimated amount of “$200 per lost record to cover legal expenses and fines.” Therefore, it is imperative for merchants to purchase a POS system that is PCI-compliant.
5. EMV Support
The Europay MasterCard Visa (EMV) chip card standard was first published in 1995. It gained widespread popularity in the U.S. after more than 130 million card numbers of card processor Heartland Payment Systems were stolen by hackers in 2009. Cards created in accordance with the EMV standard utilize an embedded microprocessor instead of the traditional magnetic stripe for storing data. This technology is believed to bring tremendous security enhancement to retailers, customers and banks. Visa’s Vice Chairman, Ellen Richey, delivered the following comment regarding EMV technology in Computerworld:
“EMV smartcards have all but eliminated cases of fraud involving counterfeit cards in the countries where the technology has been adopted. The same benefits will become available in the U.S. when the switch is made to EMV.”
The EMV standard recommends practical security features, including offline data authentication and intensive cardholder verification. Furthermore, a Chip and PIN approach is adopted for additional verification of the cardholder’s identity. Under this approach, an individual only needs the chip card and a personal identification number (PIN) to make a transaction using a credit card. The cryptographic algorithms then provide authentication of the card to the processing terminal and the card issuer’s host system. The Chip and PIN approach is much safer than traditional credit cards, which can jeopardize personal data that is otherwise easily disclosed, found, or replaced, such as the customer’s name or credit card number. Another merit of the Chip and PIN approach is the reduction in transaction time, since it avoids transmitting a long list of personal data that would otherwise need to be processed every time.
6. Cloud-based system
Cloud technology is another vital security measure to consider in POS systems. Unlike traditional POS systems, a cloud-based system is exempt from the threat of POS device hacks. All credit card and customer information is stored at the terminating machine, not on the individual iPad or other physical devices. Cloud-based POS systems are also impervious to Dexter-type viruses. Hackers commonly use these viruses to infect hundreds of POS systems across the world by utilizing their unique structure. In addition, cloud-based systems encrypt credit card data after the card is swiped, providing strong protection against a Barnes & Noble type of hack (in 2012, hackers stole credit card information of customers who shopped at 63 different Barnes & Noble stores across the country; the hackers broke into the keypads in front of registers where customers swipe their credit cards and enter their PINs).
7. Timely update and review
The greatest defense against breaches is not necessarily to implement every imaginable security measure on a POS system. Frequent updates and reviews are proven to be an effective method towards preventing cyber-attacks. In 2014 alone, cybercriminals conducted approximately 3000 cyber-attacks a day and stole more than 61 million records from retailers. Given this extraordinary figure that sits at the forefront of cybersecurity in the digital age of commerce and retail, it is pertinent for business owners of all sizes to give suitable attention to this matter. Another 2014 report published by McAfee indicates that the total amount of active malware has increased significantly in recent quarters.
The best-known example of a POS system breach is that of Target, one of the largest retailers in the U.S., which in 2013 leaked over 40 million customer records containing debit and credit card information. The Target incident revealed several flaws in POS cybersecurity that are commonly overlooked by the majority of retailers. Drawing lessons from the Target breach, we now know that anti-virus detection is easily fooled by a slightly altered virus. The “new virus” is not found in the record of the databases and is consequently not detected. Even though Target’s security team was alerted to suspicious malware activity, they were not informed enough to take immediate action. The Target team in charge of cybersecurity failed to consistently wall off sensitive data and to remove the default accounts of unused POS devices, resulting finally in one of the largest breaches in POS security.
Only a POS system with the most up-to-date security can have the ability to safeguard a business from the ever-changing and incessant attacks of cybercriminals. POS systems with timely security updates and checks rank as one of the most effective defenses against breaches and data theft. 2015 marks another year of technology growth coupled with the increase of malware and cybersecurity breaches. It is imperative that merchants begin to adopt a POS security system that creates the fewest opportunities for hackers and theft.
Bindo was proudly founded in 2013 in New York City. The company is dedicated to providing local businesses with continual growth by generating brick-and-mortar sales. Additionally Bindo brings an offline-to-online digital marketplace that allows customers to shop online for products carried by stores in their own local neighborhoods. Bindo’s cloud-based POS system boasts an intuitive cash register integrated for cash, credit card, debit card, gift card, and check payments.
Running on the iPad, Bindo features intelligent inventory management, remote store management, and diverse business reports, a customizable rewards system, along with friendly 24/7 phone and email support. In light of past credit card fraud in the U.S., Bindo is PCI-compliant and maintains the highest aforementioned security measures, such as end-to-end encryption, tokenization, EMV support and cloud-based data storage. Bindo’s iPad POS operates on the iPad’s latest iOS and provides free monthly system updates and improvements. Visit https://bindopos.com/ for more details.