Malware on POS

I was reading an article about a retailer having a data breach due to malware running on their POS machine. I have what is probably a dumb question but I'll ask anyway. How does malware get installed on a POS machine? I have limited experience in the retail space, but I have done a few consulting gigs. From what I've seen, the POS systems were running an embedded version of Windows XP, which I know is no longer supported and could easily be a vulnerability. My confusion is how malware would get installed to begin with. I wouldnt think these POS machines would need internet access.

Find more posts tagged with

Comments

SteveLavoie

Embedded does not mean non-vulnerable

usually they are the last thing that are updated in a network.

Also while they perhaprs dont have internet access, they are usually connected to an internal network, they can became infected after a first breach.

Finally, I have also seen a guest wifi that is plugged in the same network as the POS..

NotHackingYou

Lets see, a couple options.

They are frequently on a network. Maybe another PC on that or an adjacent network has internet access.

Maybe a port (USB) is open on the device and an attacker can sneak a USB in during a transaction.

Maybe an employee or someone with access is paid to insert a disk or USB.
Pose as an IT or service person and insert a disk/USB

I'm sure folks will chime in with other ways.

mnashe

SteveLavoie wrote: »

Embedded does not mean non-vulnerable usually they are the last thing that are updated in a network.

Also while they perhaprs dont have internet access, they are usually connected to an internal network, they can became infected after a first breach.

Finally, I have also seen a guest wifi that is plugged in the same network as the POS..

Yes, absolutely vulnerable. That's exactly what I was wondering. If its because say a desktop or another device got infected and since they share the same LAN (without segmentation), they then get infected.

cyberguypr

Good, easy to digest report on this topic: https://www.symantec.com/content/dam/symantec/docs/white-papers/attacks-on-point-of-sale-systems-en.pdf

gespenstern

Here how it's happened with Target Corp. They compromised some third party vendor, used their credentials to get inside Target's Microsoft network, which turned out to be flat, identified PoS machines, obtained an account with admin rights on all PoS (running XP) and installed their malware as a windows service on pretty much all points.

mnashe

Great replies. Exactly what I was looking for. Thanks @NotHackingYou, @cyberguypr, @gespenstern and @SteveLavoie

mnashe

Had some more thoughts/questions on this. Is it best practice to prevent these POS machines from accessing the internet, other than for necessary reasons like ms-updates?

Is it also best practice to disable USB ports for Flash drives? Most of the POS machines I've seen (not many), are not AD Joined, so GPOs are not an option

Moldygr33nb3an

POS' can be connected to the internet, or the same network of other devices that are connected to the internet. Back when I worked at Circuit City, our POS' were connected to the internet running WinXP. Literally a few months ago, I was working with our internal subway store and they were using WinXP and it was connected to the internet. I told them they needed to upgrade otherwise they were going to (if they hadn't) get steam rolled. They upgrade a few days later

TechGromit

mnashe wrote: »

I was reading an article about a retailer having a data breach due to malware running on their POS machine.

POS Machine? Or POS system? The cash registers usually connects back to a server that runs Microsoft server software. The Touch screen IBM POS sale terminals I have experience didn't have Hard Drives, but did run an operating system that you could run some updates against. While you would think comprising the Server would be ideal, the POS registers don't have Anti-Virus software, so a compromised POS terminal would escape detection for quite some time.

mnashe

TechGromit wrote: »

POS Machine? Or POS system? The cash registers usually connects back to a server that runs Microsoft server software. The Touch screen IBM POS sale terminals I have experience didn't have Hard Drives, but did run an operating system that you could run some updates against. While you would think comprising the Server would be ideal, the POS registers don't have Anti-Virus software, so a compromised POS terminal would escape detection for quite some time.

I'm sorry, when I say POS, I'm referring to the POS registers systems that are in the stores. The ones I've seen run like windows xp embedded. I'm pretty sure they had hard drives. I've even seen in one place where they had two registers, one of which acted as the "server"

I don't get why they don't run AV.

TechGromit

The location I worked at had 45 touch screen registers all in different restaurant locations in the same building, two in the coffee shop, 5 in the beach bar, four in the steak house, etc. The reason they didn't have Hard Drives, was they had embedded XP Operating system on something like a flash card. Originally they networked back to a pair of 386 servers, I had a faster computer at home than work had running the companies POS system. Eventually they upgraded to much faster servers, over the course 15 years, better than what I had at home. The servers of course ran Anti-Virus software, but the registers never did.

Pseudonym

POS systems can have email clients on them, so store staff can contact area managers with figures etc. Don't be surprised if they support legacy software that has weak authentication methods for remote access too. (For polling etc)

mnashe

I think I'm just confused on how there is a lack of protection on these devices. Whether they run Windows on a hard drive, or windows embedded, it's still an OS. Why would there not be AV installed on them?

Also, why should they have internet access, if there is no need? Isn't that asking for trouble

Pseudonym

I've literally just given 2 use cases for internet access.

Edit: Also, Antiviruses are nowhere near a guarantee that malware won't get through.

mnashe

Pseudonym wrote: »

I've literally just given 2 use cases for internet access.

Edit: Also, Antiviruses are nowhere near a guarantee that malware won't get through.

I saw you mentioned email. If the email server is internal, that doesn't require internet access. If it's office 365, it's easy enough to allow that traffic and restrict the rest. Not sure what your second use case was

AV isn't a guarantee, correct, but I would think it shouldn't be disregarded altogether.

It seems these systems are a real weakness

Pseudonym

Even if you only email traffic through the firewall, malicious files can still end up on the machine via email.

mnashe

Pseudonym wrote: »

Even if you only email traffic through the firewall, malicious files can still end up on the machine via email.

I think you're missing my point, but it's okay. I appreciate the responses

Pseudonym

No, I think you're missing my point.