DecryptedTech

Friday, 19 August 2022

PoS systems are the new compromise cash cow...



The Point of Sale (PoS) station is probably one of the most targeted devices in recent years. There are multiple reasons for this: older operating systems, the need for PoS users to have admin rights, generic logons for the “windows” accounts, and more. Most PoS software is very resistant to attempts to properly secure it, including getting all sorts of bent out of shape when you try to apply restrictive security policies to it. I have even seen them stop working because the removable drive mount option is removed from USB ports using a group policy object.

There has been a string of malware written to target the PoS, and the guys at Cisco have now found another one. Dubbed PoSeidon, this new malware does all of the nasty things you might think it does. It can skim card numbers from memory, log keystrokes, and then send them all out to a server for the bad guys to put to use. PoSeidon also has a few tricks to hide itself from detection, making it one of the more nasty types of malware.

According to Cisco’s researchers, this type of malware will continue to be a big push as the target environment is too rich to avoid. Even with PCI (Payment Card Industry) requirements, far too many companies file business requirement exclusions to get around doing what they are really supposed to do. There is also the small problem that many malware developers are very familiar with the tools and utilities that are used to detect and remove their malware. This means that it is possible to get around common detection and removal methods even with the latest and greatest the security market has to offer.

In the end a multi-vendor, multi-layer defense is what will make a difference. Putting your PoS systems into a very controlled sandbox with traffic monitoring, application monitoring and frequent malware scans will help to reduce the risk of them becoming playgrounds for the bad guys. Application monitoring is even more important as it lets you know if/when anything changes in the environment. When malware is inserted there are, by necessity, changes made to the OS and PoS system.

Alerting on ANY environment changes will give you a heads up to potential compromise. By monitoring traffic and only allowing communication to a specific set of systems (preferably internal only) you can prevent access to PoS terminals from the outside world and also make sure that no one is using them to browse the open internet. This also prevents direct contact compromise from working as the network filters prevent the information from getting back out to the control servers and should alert you to the suspicious traffic. Malware scanning… well you know what that does.
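To make the traffic-allowlist idea concrete, here is an added example (not from the original article or from Cisco) that reviews connection records for a PoS segment and flags anything off the allowlist. The subnets, hosts, ports, record format and sample lines are all constructed assumptions.

```python
import ipaddress

# All addresses and ports below are constructed assumptions, not from the article.
POS_NET = ipaddress.ip_network("10.20.30.0/24")      # PoS terminal VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # corporate address space
MGMT_SOURCES = {ipaddress.ip_address("10.20.1.20")}  # may connect to terminals
ALLOWED_EGRESS = {                                   # (destination, port) pairs
    (ipaddress.ip_address("10.20.1.10"), 443),       # payment gateway
    (ipaddress.ip_address("10.20.1.20"), 8443),      # PoS management server
    (ipaddress.ip_address("10.20.1.53"), 53),        # internal DNS
}

# Constructed connection records: "timestamp src dst dport firewall_action"
SAMPLE_FLOWS = """\
2022-08-19T10:00:01 10.20.30.11 10.20.1.10 443 allow
2022-08-19T10:00:02 10.20.30.11 10.20.1.53 53 allow
2022-08-19T10:00:07 10.20.30.12 203.0.113.45 80 deny
2022-08-19T10:00:09 10.20.30.12 10.20.1.10 3389 deny
2022-08-19T10:00:15 198.51.100.7 10.20.30.11 445 deny
2022-08-19T10:00:18 10.20.30.13 10.20.1.99 8080 allow
2022-08-19T10:00:20 10.20.40.5 10.20.1.10 443 allow
not a flow record
"""

def review_flows(text):
    """Return (alerts, skipped) for flows that touch a PoS terminal off-policy."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        try:
            ts, src, dst, dport, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            skipped += 1          # malformed record: count it, never drop silently
            continue
        if src in POS_NET and (dst, dport) not in ALLOWED_EGRESS:
            reason = "egress off allowlist" if dst in INTERNAL else "egress to external host"
        elif dst in POS_NET and src not in POS_NET and src not in MGMT_SOURCES:
            reason = "inbound from unapproved source"
        else:
            continue
        # A violation the firewall let through means the filter itself has a gap.
        severity = "high" if action == "allow" else "medium"
        alerts.append((ts, str(src), str(dst), dport, reason, severity))
    return alerts, skipped

if __name__ == "__main__":
    found, bad = review_flows(SAMPLE_FLOWS)
    for alert in found:
        print(*alert)
    print(f"{bad} malformed record(s) skipped")
```

Blocked violations still produce an alert because a terminal trying to reach something new is itself an environment change worth looking at.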

Now all we need is for companies to recognize the need for these products and for vendors to understand that multi-vendor environments ARE in their customers’ best interest for there to be some movement in protecting consumer data from compromise. Well… while I am wishing, I had better put in a wish for something really good as well; it is just about as likely to happen as any coordinated effort to really secure a corporate environment.
