Paper, Plastic or Compromised Security? The Point-of-Sale Risk in the Internet of Things

BrandPost By Mark Bagley
Jan 15, 2015 | 6 min read
Internet of Things | Security

As technology becomes smarter and more intuitive, conveniences like tableside payment kiosks in busy restaurants have become more commonplace, leading to highly personalized (and time-saving) experiences for consumers. This is just one example of how the Internet of Things creates a unique opportunity to improve people’s daily lives.

Unfortunately, developments like these also give malicious actors opportunities to access private payment card data and other highly sensitive information. As was often the case in a recent rash of retail chain breaches, the use of malware to compromise point-of-sale (POS) systems is becoming more popular.

Many national retail chains have made headlines after having their payment systems breached, exposing information pertaining to millions of customers. As reported in the Cisco Midyear Security Report, the Ponemon Institute found that in 2014, the average total cost of an organizational data breach was $5.4 billion, up from $4.5 billion just last year. And it’s not just significant financial costs that are of concern; as many as 508,000 jobs are lost in the US because of malicious online activity.


So, why are POS attacks growing increasingly popular? One prevailing reason is that criminals often operate under the belief that using malware to steal sensitive payment card data from POS systems is more effective than stealing it directly from e-commerce merchants. In general, retailers have not been as diligent in applying security measures to their own POS systems and networks as they have been with the networks of the third-party vendors who have access to those systems. By understanding the three trends that feed this belief, retailers and their third-party vendor partners can implement strategies that keep them ahead of malicious actors and protect their customers’ information.

Larger, Internet-Enabled Attack Surface

Retailers are constantly looking for ways to surpass their competition, and connecting with consumers is critical. In-store kiosks, mobile apps and even free guest Wi-Fi are all used to bring customers in and keep them digitally connected with their stores of choice. Many of these devices and in-store systems are connected to the Internet and to the same network as the in-store POS systems. While this makes for faster transactions, new sales opportunities and richer experiences for customers and employees, it also creates more vulnerable entries to corporate networks.

As the Internet of Things evolves, the retail landscape will continue to experience attacks as we move beyond the traditional POS register. Handheld devices for checkouts, movie-ticket machines and any other device connected to a corporate network are just a few examples. Attackers are keenly aware of these vulnerabilities and work to exploit them in order to steal credit card payment and other sensitive consumer data.

Lack of Understanding

Surprisingly, retailers often don’t understand just how serious a job protecting payment card information is. In some cases this shows up as dedicating fewer security resources to payment systems because they have been placed in isolated parts of the network.

After reviewing a sample of networks, Cisco was able to detect connections to domains that are known malware sites on one hundred percent of these networks. This fact underscores that vigilance is required by retailers to protect customer payment information. The vital first step is protecting processed card information at rest, but this is futile if attention is not paid to malware control and malicious activity detection on these networks.
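As an added illustration of the malicious-activity detection this paragraph calls for (example code written for this page, not Cisco's tooling or anything from the report), the script below scans DNS-style query logs from a POS network segment against a blocklist of "known malware" domains. It matches subdomains of a listed name but not look-alike names, skips malformed lines, and returns the client hosts that should be investigated. The log format, the domain names and the IP addresses are all constructed placeholders for the example, not real indicators.

```python
"""Flag outbound lookups from a POS segment to known-malicious domains.

Added example, not Cisco's code. The blocklist and log lines are constructed
placeholders; a real deployment would feed this a threat-intelligence domain
list and the DNS or proxy logs of the POS network segment.
"""
import re
from dataclasses import dataclass

# Constructed blocklist of "known malware" domains (placeholder names, not real IoCs).
MALICIOUS_DOMAINS = {
    "bad-c2.example",
    "dropper.example.net",
}

# Constructed DNS-style log lines: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2015-01-15T10:01:02Z 10.20.1.15 query pos-updates.vendor.example
2015-01-15T10:01:07Z 10.20.1.15 query time.nist.gov
2015-01-15T10:02:11Z 10.20.1.22 query beacon.bad-c2.example
2015-01-15T10:02:45Z 10.20.1.31 query dropper.example.net
2015-01-15T10:03:00Z 10.20.1.22 query notbad-c2.example
malformed line without fields
"""

# Assumed log layout: "<timestamp> <client-ip> query <domain>"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) query (\S+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    domain: str
    matched: str  # the blocklist entry that covered the queried name


def matched_blocklist_entry(domain, blocklist):
    """Return the blocklist entry covering `domain`, or None.

    Walks the name from the left so that beacon.bad-c2.example matches the
    entry bad-c2.example, while notbad-c2.example (a different registered
    name that merely ends in the same characters) does not.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(text, blocklist=MALICIOUS_DOMAINS):
    """Parse log lines and return one Alert per lookup of a blocklisted domain."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        timestamp, client, domain = m.groups()
        hit = matched_blocklist_entry(domain, blocklist)
        if hit:
            alerts.append(Alert(timestamp, client, domain, hit))
    return alerts


def clients_to_isolate(alerts):
    """Distinct client hosts that talked to a blocklisted domain, sorted."""
    return sorted({a.client for a in alerts})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.client} -> {a.domain} (blocklist: {a.matched})")
    print("hosts to investigate:", clients_to_isolate(found))
```

Suffix matching on whole labels is the detail worth keeping: a plain substring check would miss nothing here but would also flag unrelated names that merely end in the same characters, and a plain equality check would miss the beaconing subdomain. Feeding the result into a ticket or a segment-level block rule is the natural next step.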

The Role of Third Party Vendors

Third party vendors are heavily used within the retail industry for a variety of services, including data storage, payment processing, and even the management of physical plant functions like heating and cooling in the retailer’s brick-and-mortar stores. Because these third-party vendors often have access to the networks of the retailers they service, they can increase the risk of a breach occurring, especially when third-party vendors provide support for POS solutions.

Email phishing is one of the ways third-party vendors are hacked in order to gain access to retailers’ networks. Episodes like these emphasize the importance of choosing third-party vendors who apply rigorous security measures to their own networks; it’s important to find vendors who meet or exceed the standards the retailer would set for its own networks. Once a vendor is breached, its staff can unknowingly become the third party that introduces malware to retail POS systems: all it takes is an employee opening a phishing email, and that is the first step in compromising the network. CIOs and security leaders should evaluate all entry points to network access and work to secure them.

After numerous POS security hacks making news and exposing customer information, retailers should consider how the POS system has evolved and evaluate how security measures to protect these systems should also change. Breaches no longer occur exclusively at the POS register; networks are the pathway for attackers to infiltrate and reach POS systems. With the expanded attack surface I spoke of earlier, simply introducing new retail-oriented devices in a store can increase the risk of POS network compromise.

To combat these trends and their potentially devastating effects on a retailer, organizations with POS systems should assume that malware is already present – and the risk to their brand’s reputation is directly tied to preventing that malware from exfiltrating, or removing, valuable customer information from their network. Protecting customer information boils down to diligence: putting more resources into protecting customer data, partnering with third-party vendors to create a protected network, and understanding where customer information is stored and who has access to it. As consumers gain confidence that their information is protected, CIOs have a unique opportunity to influence and protect brand reputation, adding value to their roles while increasing the significance of the work their departments perform.

It’s unlikely that hackers will reduce their usage of malware to gather and steal sensitive payment card data, but a bit of offense can help reduce the risks to retailers and their customers as well.
