With 48 percent of U.S. retailers having suffered cyberbreaches, the point-of-sale system is typically the Achilles' heel of security.
iSheriff's new study, "Point of Sale = Point of Entry," compared publicly disclosed breach data from the 250 top global retailers as identified by the National Retail Federation. The study found that 50 percent of the top 10 had been breached, as well as 45 percent of the top 20 and 38 percent of the top 50.
There were 35 million POS terminals around the world in 2014, typically shipping with little or no security protection, and there will be 7.7 million mobile POS devices in the U.S. by 2020, iSheriff reported, citing data from Research and Markets.
"Cybercriminals and payment card data are like dogs and bacon, they just can't get enough," said Paul Lipman, iSheriff's CEO, in a statement. "With POS devices now handling most of the payment card transactions around the world for retailers, restaurants, hotels and grocers, these systems are in the cross-hairs."
Compromised POS systems were the source of major data breaches at Target, Neiman Marcus, Subway and many others, and there are no signs the security risks are slowing down. "Hackers know that POS devices are vulnerable, and have developed POS-specific attacks to scrape and exfiltrate payment card information. The problem is only getting worse each day," Lipman told FierceRetailIT.
POS devices are susceptible to security threats and vulnerabilities similar to a PC or server, but also face additional threats unique to the use and design of POS systems. "Given the mission critical role of POS devices, retailers must secure them to the same extent that they secure their servers and PCs," he said.
The report cites three primary security vulnerabilities:
Operating system vulnerability. Like other computers, POS devices run an operating system, like Windows or Linux, which is susceptible to compromise. More importantly, POS systems often run older operating systems—such as Windows XP—that have less frequent updates and patches, leaving them more vulnerable to attack.
POS-specific malware vulnerability. POS-specific malware is widely available and can be installed through a traditional network vulnerability. The malware targeting POS that appears most often is Dexter at 26 percent, followed by Alina at 9 percent; Poseidon at 7 percent; Jackpos at 3 percent; and Newpost at 3 percent. More than half (52 percent) were identified as "others."
(Bar graph courtesy of iSheriff)
Data transmission vulnerability. Payment data is eventually transmitted securely between merchant and bank in compliance with PCI standards. This information is first processed through the POS device, where it is susceptible to interception before being safely encrypted. Cybercriminals exploit this window, stealing data just after a card is swiped.
Despite the recent focus on POS security, the volume of cyberbreaches has grown because of the increasingly networked nature of retailers' businesses, Lipman said. The interconnection between POS devices, retailers' corporate and partner networks, and the public internet provides cybercriminals with access points through which they can easily execute attacks. "Many retailers have not taken sufficient steps to secure their POS devices against modern blended cyberthreats," he said.
"Given the mission critical role of POS devices, retailers must secure them to the same extent that they secure their servers and PCs," Lipman said. "Cloud-based security platforms provide the ideal vantage point from which to deliver POS threat discovery, policy enforcement and security visibility and control."
He noted that iSheriff provides such a service, working with a number of POS vendors to deliver real-time control of the POS security posture and visibility into emerging threats and attacks.