POS Security: Are my POS terminal credentials up for sale?

There is a black market for stolen credit card information: you can shop online for credit card data for prices between 20$ and 100$ per item. Underground websites like Silk Road (today Silk Road 2.0) offer the possibility to acquire this information anonymously (via The Onion Router anonymity network). The value of credit card details decreases over time, as there is an increase in chance that original cardholders cancel out their compromised credit cards. Hence, in the aftermath of major data breaches, hackers rush to sell off, while criminals rush to buy and use as quickly as possible.

In order to have a constant source of new credit card information that can be sold, groups of hackers focus on stealing POS credentials. With a set of POS credentials at hand, their “shop” never runs out of “merchandise” and they can benefit from long periods of credit card data validity, as compromised POS credentials are usually discovered late, and media exposure of such incidents is lower than the media exposure of major data breaches.

Hence, there is a black market for POS credentials as well, where more skilled hackers, who focus on the actual hacking and penetration, sell off to hackers focusing on developing the tools that steal the actual credit card data, and also have the means to sell such information further.

Who are the victims of POS credentials theft?

“Retailers are often prime targets for criminal groups exploiting weak, guessable, or default credentials via third-party remote access services to POS systems.” says Verizon in their data breach investigation report for retail traders. The vast majority of compromised retailers are the ones in the 10-100 employees range, because they constitute a “soft target”, having little or no IT and security expertise in house, and usually relying on third parties to provide IT services.

How are POS credentials stolen?

According to Verizon, physical tampering is the most popular way to steal POS credentials, with an incidence rate of 48%, followed by exploitation of default settings and weak passwords with a rate of 31%.  Brute force attacks come third, followed by backdoors (and their exploitation), SQL injection and malware infections.

Physical tampering implies that the attackers get physical access to the POS terminal either by social engineering or with the help of accomplices.

Hacking by use of default settings and weak passwords has a high incidence rate and is easier to accomplish. For example, in the case of the data breach at “Target” – an important retailer in the US – attackers gained access through default credentials used for performing routine maintenance jobs on the device. They then installed a specially designed, sophisticated malware that hooks onto areas in memory to extract information about the credit cards being used, and then uploads the information to the attacker. As a result, 40 million credit cards were compromised together with personal data of 70 million customers.

Taking a closer look at the malware will help us understand the importance of POS credentials being available to the attacker.

Allegedly, the malware used in this case is BlackPos, and it works by installing a service onto the POS system that in turn installs software able to locate and access the memory space being used by the legitimate POS software that handles credit card transactions. Once deployed, the payload would extract relevant information, save it on the disk and attempt to upload it to a remote system via FTP or other available protocols.

Most of the stages described above require administrative credentials to be used: Installing a service (via PSExec), hooking onto system processes in order to access their memory space and saving stolen credit card information in system files. Hence, attackers already had valid POS administrative credentials to orchestrate the attack, and without them, the attack would not have been successful: BlackPos can be deployed by other means, like exploiting vulnerabilities or social engineering, but the chances that the package runs under administrative credentials are quite low in these cases, greatly reducing the likelihood of success.

What should retailers do to prevent POS credentials from being stolen?

Retailers should use appropriate security controls for mitigating the risk of attacks targeting POS systems, in compliance with industry standards and regulations (Such as PCI DSS). Among other measures, security standards (like PCI DSS) imply:

• Changing the default passwords and use of adequate password policies (PCI DSS Requirement 2);
• Periodic penetration testing to assess the strength of the existing passwords (PCI DSS Requirement 11);
• Monitoring the POS related network traffic (PCI DSS Requirement 10);
• Maintaining secure systems and applications (PCI DSS requirement 6)
• Network vulnerability scanners, such as Acunetix OVS help automating the security controls above by delivering functionality to:

1. Scan for, and detect, weak and default passwords: Most of the testing procedures suggested by PCI DSS for requirement 2 can be automated with Acunetix OVS. In our example above, if Target had had such a solution, the attackers would have failed to steal POS credentials and initiate the attack.
2. Run internal vulnerability scans, including penetration testing and simulated dictionary attacks aimed at identifying weak passwords and other vulnerabilities – as required by PCI DSS 11.2.1
3. Run network scans in order to detect open ports that can be used as a backdoor to install and manage the malware – as required by PCI DSS 10. In our example above, Acunetix OVS would have blown the whistle on the fact that the POS system’s interface was available externally. This could have potentially eliminated the attack altogether.
4. Run vulnerability scans to identify vulnerable applications manipulating cardholder information as required by PCI DSS 6.5, particularly for OWASP and SANS CVE vulnerabilities, including SQL injection (PCI 6.5.1), Cross-Site Scripting (PCI 6.5.7), CSRF (PCI 6.5.9) , etc.

Network and web vulnerability scanners help in keeping the POS systems secure and constitute essential tools for complying with security standards like PCI DSS particularly when it comes to periodic risk assessment and mitigation.