This week an employee at Hewlett-Packard Company (HP), Matt Oh, published a post on the HP Security Research Blog titled “Hacking POS Terminal for Fun and Non-profit” which reviewed the security of a used Aloha Point of Sale (POS) terminal purchased from eBay®. The dates noted, the functions highlighted, and applications referenced tell me that this is a very old system that NCR no longer sells, and that it was not maintained through NCR or an authorized reseller. Although not obvious, the article serves as a time machine for the POS industry, providing the reader a look back at technology and industry practices, to a time when more merchants used dial-up credit processing or dedicated networks. Keep in mind that airbags in cars were not the norm when the first Aloha POS was installed, and like cars the POS has evolved over the years to provide more and more security and protection. The security and safety of one’s business is critically important. POS buyers should ensure they are using modern solutions which are fully supported and maintained to provide protection against today’s threats. Criminals continue to use the latest technology, thus businesses must respond to stay safe. Gambling with a purchase on eBay for costume jewelry, collectable home goods, or personal electronics is much different than gambling with the heart of your business on an outdated and unmanaged POS.
Not all POS Systems are the Same
Did you know that the U.S. Fire Administration (USFA), part of the Department of Homeland Security, recommends you replace your home smoke alarms every 8 to 10 years? Yes, the whole unit which is mounted to your ceiling. That’s the life span of the technology inside. Did you know that the Apple iPad® just turned 4 earlier this year? Did you also know that Apple is no longer supporting the first generation with OS upgrades? The latest iOS does not work on the original iPad. Moore’s Law, which observed that the number of transistors (and thus computing capacity) doubles every two years, continues to hold true 49 years later, despite some skeptics. As such, technology has a finite window of utility, and this includes point of sale systems. The differences between a new POS solution and one that is a few years old can be tremendous, especially when it comes to features and security. If you do not maintain and upgrade your solution over time, it will quickly fall out of date and to the back of the pack from a technology and security perspective. And as we know from “the lion & the gazelle” fable, at the back of the pack is not where you want to be.
Examination of Mr. Oh’s Findings
The blog post examines a single POS terminal outside its normal environment as noted by Mr. Oh. Missing from the review are several layers of protection that should exist in a live restaurant. In a live environment, there should be layers of security provided by a commercial grade firewall, a segmented dedicated network, network antivirus, intrusion detection and prevention systems (IDS/IPS), antivirus and/or whitelisting malware prevention, and an administered operating system, all of which work together to provide a secure POS solution. So some of the weaknesses highlighted in the blog post must be taken in the context that much of the solution is missing from the review regardless of the age of the system.
The port scans conducted show that additional third party software had been added to the POS. Tools like VNC are sometimes used by merchants and third parties to provide support services or to extend the functionality of the system, by giving Front of House (FOH) access to the Back of House (BOH), but if not properly configured and managed these tools can become a point of weakness in the environment and a point of attack for data thieves. Poor credentials and easy-to-guess passwords are signs of an unmanaged system, as is unfettered desktop access. NCR developed a solution called Command Center (CMC) years ago to provide secure remote access with two-factor authentication and controlled access, so that our customers do not have to rely on hard-to-maintain, cumbersome, weaker and less secure options.
The lack of security updates is another sign of an unmanaged system. Keeping your software up-to-date with the latest security patches is critically important. Be it the operating system, the POS software, or supporting components such as Adobe Reader, business owners must keep their systems updated to ensure they are protected from criminal attacks. Criminal hackers learn quickly how to exploit vulnerabilities in software once published. This is the core reason for PCI DSS Requirement 6: Develop and maintain secure systems and applications.
The presence of personal identifiable information (PII) is yet another sign of an outdated and unmanaged system. Solutions purchased and managed through NCR or authorized resellers are configured to protect sensitive data, and tools and policies are used to securely clean data once it is no longer needed for business purposes. Protection of personal identifiable information (PII), credit card data, and other sensitive information is critically important. NCR’s current solutions provide layers of protection that include strong encryption where it is needed most.
Credit cards are vulnerable by their design. The data on the back of a credit card, encoded on the magnetic stripe, must pass through any POS system’s memory, which means if a criminal hacker can gain administrative rights to your machine…well they have you. The design of magnetic stripe reader (MSR) payments, which is used in the U.S. currently, is over 30 years old. Its successor, EMV, which is the dominant solution in Europe and the direction the card brands are moving in the U.S., is over 16 years old. Neither design conceived of the technology advances that would follow. Highly available high speed internet access with remote connections around the world has completely changed the paradigm of payments. Credit cards have become the world’s currency, and they have less protection than a traditional U.S. dollar bill when it comes to counterfeiting. Only industry solutions like mobile payments and point-to-point encryption (P2PE) – and well “cash” – can remove credit card data completely from the POS environment. If a business owner accepts credit cards for payment, then they need to use modern solutions that are designed to address today’s challenges, not those of the previous three decades.
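As an added example (not code from NCR, HP or the original post), the following Python scans a constructed memory or disk snapshot for ISO 7813 track-2 records, Luhn-checks the PAN to cut false positives, and masks it in the report. This is the kind of cardholder-data discovery check a merchant or assessor runs to confirm that no plaintext card data is resident on a POS; a P2PE reader delivers only ciphertext to the terminal, so the same scan over its buffer finds nothing. The sample buffers and test PANs are constructed for the demonstration.

```python
import re

# Track 2 as read from a magnetic stripe (ISO 7813): ;PAN=YYMM<service code + discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")

# Constructed snapshot of a magstripe POS process: plaintext track data sits in memory
# next to ordinary program data. Both PANs are well-known industry test numbers.
SAMPLE_DUMP = (
    b"\x00\x00POS.EXE\x00auth_host=10.0.0.5\x00"
    b";4111111111111111=25121010000000000000?\x00\x00"
    b";4111111111111112=25121010000000000000?\x00"   # looks like track 2, fails Luhn
    b"\x00order=1042\x00;5555555555554444=26011010000000000000?\x00"
)

# Constructed snapshot of the same terminal behind a P2PE reader: only ciphertext arrives.
P2PE_DUMP = b"\x00\x00POS.EXE\x00\x02E=9F3A77C1B02D55E8A61C0F4B9E27D3A8\x03\x00order=1042\x00"


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return masked findings for every Luhn-valid track-2 record present in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(),
                         "pan": mask_pan(pan),
                         "expiry": m.group(2).decode()})
    return hits


if __name__ == "__main__":
    for name, buf in (("magstripe POS", SAMPLE_DUMP), ("P2PE POS", P2PE_DUMP)):
        print(name, "->", find_track2(buf) or "no plaintext card data found")
```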
I want to thank Mr. Oh for his review and blog post, as well as his colleague Slava Gomzin for his new book “Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions”. Both help shed light on problems within the payments industry and common mistakes that are made with implementation of free Wi-Fi and other initiatives. Now more than ever before, business owners should seek professional help when introducing information technology (IT) into their environments, as the complexity of the threats they face is at an all-time high. Otherwise, using out-of-date systems may lead to a criminal hacking your POS terminal for fun and for their profit.
Written by: John Pearson, Director of Security & Compliance, NCR Corporation
John has held several leadership positions over his 20 year career in the software industry. In his current role, he leads a team focused on the security and compliance of a diverse product suite which spans markets across the globe, serving some of the biggest names within Hospitality, Food & Beverage, and Sports & Entertainment. In prior roles, John has led a global customer support center and had a strong engineering presence leading product development and software architecture for global development teams. John attended Texas A&M University and Tarleton State, and has a B.S. in Computer Information Systems.