Point of Sale Hacking – a Growing Threat to Business Continuity?

The data breach at the Target Corp, the US supermarket chain, was a shock for many. The personal information of at least 70 million customers was stolen by hackers who intercepted the information as buyers used credit and debit cards at the company’s points of sale. The reputational damage seems to have quickly spilled over into an impact on the bottom line: Target cut its profit forecasts for the fourth quarter of 2013 by about 20 percent. However, this high profile case (third biggest US retailer) may just be a taste of the problems in line for other enterprises using the same kind of point of sale (PoS) systems.

There are a number of possible business continuity issues with such credit and debit card-reading equipment. Firstly, many of them use the Microsoft Windows operating system, which naturally leaves them potentially vulnerable to Windows security threats. Secondly, regulations may put limits on how much such a system can be changed (patched) before it has to be submitted for complete re-approval. And thirdly, given the mission importance of such equipment, companies using them may be wary about installing any patches for fear of breaking a system that was working before.

Cyber criminals steal customer data (names, addresses and credit card numbers) using hardware add-ons, malware, or both. They can also create ‘botnets’ of infected devices for simultaneous control of all of them. Other techniques include substituting wireless point of sale (PoS) card readers with a lookalike model that sends all the card data to the hacker’s wireless network. Security remedies are still evolving, but current suggestions are: keep PoS system software up to date; ensure capability to monitor data integrity and detect network intrusion; and update firewalls to reject traffic from domains known to be associated with PoS malware.