Preventing retail hacks with some commonsense

March 1, 2013
POS systems prove to be a hacker’s paradise when raiding unprotected data

It was truly the stuff of a bad Hollywood crime movie. Eastern European criminals hack into an unsuspecting high-profile business stealing valuable information and creating havoc for their victim. But in the end, a sloppy trail of unsophisticated maneuvers leads to the thieves’ downfall and provides a costly life lesson for the corporate patsy.

When four Romanian hackers compromised the credit card data of more than 80,000 U.S. customers and used the data to make millions of dollars in unauthorized purchases, they were certainly looking for a better deal than a Subway $5 foot-long sandwich. Their successful caper saw them hack the credit card information of 150 Subway restaurants, along with another 50 unnamed retailers.

And according to security experts who were involved in tracking the case, it would be a laughable situation if were not a dangerously common occurrence.

The four accused hackers raided more than 200 point-of-sale (POS) systems from 2008 until May of 2011. The crime was relatively simple. Systems were hacked in order to install a keystroke logger and other sniffing software that could steal customer credit card, debit and gift-card numbers. They also placed backdoors on their victim’s systems to provide constant access to future transactions.

Their method was also fairly low tech. They apparently used cadres of IP addresses they obtained from common remote desktop software applications then logged onto the POS systems that were targeted by guessing passwords or using password-cracking software.

According to POS security expert Alex Balan, it’s a hacker’s paradise in the world of retail. Balan, who is the head of product management at BullGuard, a network security vendor, confides that there is a search engine available on the web that provides lists of IP addresses for edge devices like video surveillance cameras and SCADA devices worldwide. “It will also give you prompts for potential user names and passwords,” he says. “But sadly enough, you can usually access the management interface with a simple admin password.”

One of the more sensational POS hacks occurred last fall when 63 Barnes & Noble bookstores in nine states were infiltrated. The chain immediately removed the compromised credit card readers during the investigation, but did not notify its customers after the Justice Department requested them to keep the matter under wraps until the FBI’s investigation was underway.

Barnes & Noble has not disclosed how much the hackers garnered from the fraudulent transactions, although card issuers were notified following the breach

Unlike the Subway incident, Barnes & Noble didn’t disclose how the hack occurred, but most security experts figure it was done in similar fashion as the Romanian caper.

“The fault doesn’t lie with Subway alone but with the companies that deployed those POS devices to them. What happened with Subway was done not by very sophisticated hackers,” admits Balan. “They had no knowledge of programming or hacking. They just scanned whole blocks of IP addresses for windows machines that could have been accessed from remote desktop protocols.”

In a recent interview in ARS Technica, Dave Marcus, director of security research and communications for McAfee Labs, echoed Balan when he said the tools used in the Subway crime are widely available on the internet for anyone willing to risk getting caught. He adds that few small retail businesses are equipped to handle such attacks because of poor security practices and reliance on consumer-level off-the-shelf security software.

"This is the crime of the future," Marcus says. “Instead of coming in with guns and robbing the till, criminals can target small businesses, root them from across the planet, and steal digitally."

Part of the problem is that many small merchants neglect to assign passwords to users, instead leaving them blank. Others rely on vendor-supplied, shared and/or weak credentials, and many neglect to mandate frequent password changes, as well as allowing easy access to in-store internet connection to both employees and customers.

Balan tells a story of sitting in the local coffee shop near his home that offered free wireless and finding that its internet connection is totally exposed to the public. This was bad enough, until he noticed them using this same computer for its POS transactions.

Balan advises that small retailers take three easy steps to help ensure their POS systems security. First, he says you must segment the network. “In the case of Subway, they had a Windows-based OS processing the transactions and those machines were also connected to the internet. No POS should ever talk to any source other than the bank.—period!”

He instructs that retailers should also have defined policy and procedures as they relate to POS protocols, and finally there must be a no-nonsense application of who is able to access resources related to transactions and when.

“Whether your network is in-house or out-sourced, every retail environment should have someone accountable for security issues. If it is a contracted POS vendor, then that vendor should outline specific and strict boundaries on how to use and manage those solutions,” Balan concludes.