Malware on POS

mnashe Member Posts: 136
I was reading an article about a retailer having a data breach due to malware running on their POS machine. I have what is probably a dumb question but I'll ask anyway. How does malware get installed on a POS machine? I have limited experience in the retail space, but I have done a few consulting gigs. From what I've seen, the POS systems were running an embedded version of Windows XP, which I know is no longer supported and could easily be a vulnerability. My confusion is how malware would get installed to begin with. I wouldn't think these POS machines would need internet access.

Comments

  • SteveLavoie Member Posts: 1,133
    Embedded does not mean non-vulnerable :) Usually they are the last thing that gets updated in a network.

    Also, while they perhaps don't have internet access, they are usually connected to an internal network, so they can become infected after a first breach.

    Finally, I have also seen a guest Wi-Fi that is plugged into the same network as the POS.
  • NotHackingYou Member Posts: 1,460
    Let's see, a couple of options.
    • They are frequently on a network. Maybe another PC on that or an adjacent network has internet access.
    • Maybe a port (USB) is open on the device and an attacker can sneak a USB in during a transaction.
    • Maybe an employee or someone with access is paid to insert a disk or USB.
    • Pose as an IT or service person and insert a disk/USB.
    I'm sure folks will chime in with other ways.
  • mnashe Member Posts: 136
    SteveLavoie wrote: »
    Embedded does not mean non-vulnerable :) Usually they are the last thing that gets updated in a network.

    Also, while they perhaps don't have internet access, they are usually connected to an internal network, so they can become infected after a first breach.

    Finally, I have also seen a guest Wi-Fi that is plugged into the same network as the POS.

    Yes, absolutely vulnerable. That's exactly what I was wondering: if it's because, say, a desktop or another device got infected and, since they share the same LAN (without segmentation), they then get infected.
  • gespenstern Member Posts: 1,243
    Here's how it happened with Target Corp. They compromised some third-party vendor, used their credentials to get inside Target's Microsoft network, which turned out to be flat, identified PoS machines, obtained an account with admin rights on all PoS (running XP) and installed their malware as a Windows service on pretty much all points.
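The chain described in that post (one stolen vendor account, a flat network, the same service dropped on every register) leaves a trace that does not depend on the registers running AV: Windows writes a System log event each time a service is created (Event ID 7045, "A service was installed in the system"), and a central log collector sees it even if the register itself is never inspected. The script below is an added example, not code from this thread or from any vendor tool. It parses a constructed, pipe-delimited export of such records (the field layout, host names, the `CORP\vendor_svc` account, the expected install directories and the thresholds are all assumptions) and flags two things: a service image living outside the directories a legitimate POS service is expected to run from, and one account installing the same service name on several registers within a short window.

```python
"""Spot a Target-style mass service install across POS hosts from Event ID 7045 records.

Added example. Input is a constructed export, one record per line:
timestamp|host|installing account|service name|image path
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed host names, account and paths).
# Four registers receive the same service from one account within minutes,
# two others receive ordinary vendor services from the POS admin account.
SAMPLE_7045 = r"""
2019-03-01T02:13:05|POS-0101|CORP\vendor_svc|POSHelperSvc|C:\Windows\Temp\poshelper.exe
2019-03-01T02:14:41|POS-0102|CORP\vendor_svc|POSHelperSvc|C:\Windows\Temp\poshelper.exe
2019-03-01T02:15:02|POS-0103|CORP\vendor_svc|POSHelperSvc|C:\Windows\Temp\poshelper.exe
2019-03-01T02:16:37|POS-0104|CORP\vendor_svc|POSHelperSvc|C:\Windows\Temp\poshelper.exe
2019-03-01T09:40:11|POS-0102|CORP\posadmin|PosPrintSpooler|C:\Program Files\POSVendor\spooler.exe
2019-03-02T11:02:44|POS-0220|CORP\posadmin|ScannerSvc|C:\Program Files\POSVendor\scanner.exe
"""

# Directories a legitimately installed POS service is expected to run from (assumed).
ALLOWED_IMAGE_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")


def parse_7045(text):
    """Turn the pipe-delimited export into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, service, image = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "user": user, "service": service, "image": image,
        })
    return events


def flag_unexpected_paths(events, allowed=ALLOWED_IMAGE_PREFIXES):
    """Services whose binary lives outside the expected install directories."""
    return [e for e in events if not e["image"].lower().startswith(allowed)]


def flag_mass_install(events, min_hosts=3, window=timedelta(minutes=30)):
    """One account installing the same service name on many hosts in a short window.

    Groups records by (account, service), sorts each group by time, slides a
    window over it and reports the first window covering >= min_hosts distinct hosts.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["service"])].append(e)

    findings = []
    for (user, service), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = []
            for e in evs[i:]:
                if e["time"] - first["time"] > window:
                    break
                if e["host"] not in hosts:
                    hosts.append(e["host"])
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "service": service,
                                 "hosts": hosts, "start": first["time"]})
                break  # one finding per (account, service) is enough
    return findings


if __name__ == "__main__":
    evs = parse_7045(SAMPLE_7045)
    for e in flag_unexpected_paths(evs):
        print(f"unexpected image path on {e['host']}: {e['service']} -> {e['image']}")
    for f in flag_mass_install(evs):
        print(f"{f['user']} installed {f['service']} on {len(f['hosts'])} hosts "
              f"within 30 min from {f['start']}: {', '.join(f['hosts'])}")
```

Both checks fire on the constructed data for the same four registers; in practice the second one is the stronger signal, because a legitimate rollout is usually done by the POS admin account and a known deployment tool, while a stolen third-party account creating services across the estate at two in the morning is exactly the pattern the post describes. Tune `min_hosts` and `window` to the size of your estate and how your real deployments are scheduled.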
  • mnashe Member Posts: 136
    Great replies. Exactly what I was looking for. Thanks @NotHackingYou, @cyberguypr, @gespenstern and @SteveLavoie
  • mnashe Member Posts: 136
    Had some more thoughts/questions on this. Is it best practice to prevent these POS machines from accessing the internet, other than for necessary reasons like MS updates?

    Is it also best practice to disable USB ports for flash drives? Most of the POS machines I've seen (not many) are not AD-joined, so GPOs are not an option.
  • Moldygr33nb3an Member Posts: 241
    POS systems can be connected to the internet, or to the same network as other devices that are connected to the internet. Back when I worked at Circuit City, our POS systems were connected to the internet running WinXP. Literally a few months ago, I was working with our internal Subway store and they were using WinXP and it was connected to the internet. I told them they needed to upgrade, otherwise they were going to (if they hadn't) get steamrolled. They upgraded a few days later.
  • TechGromit Member Posts: 2,156
    mnashe wrote: »
    I was reading an article about a retailer having a data breach due to malware running on their POS machine.

    POS machine? Or POS system? The cash registers usually connect back to a server that runs Microsoft server software. The touch-screen IBM POS sales terminals I have experience with didn't have hard drives, but did run an operating system that you could run some updates against. While you would think compromising the server would be ideal, the POS registers don't have anti-virus software, so a compromised POS terminal would escape detection for quite some time.
  • mnashe Member Posts: 136
    TechGromit wrote: »
    POS machine? Or POS system? The cash registers usually connect back to a server that runs Microsoft server software. The touch-screen IBM POS sales terminals I have experience with didn't have hard drives, but did run an operating system that you could run some updates against. While you would think compromising the server would be ideal, the POS registers don't have anti-virus software, so a compromised POS terminal would escape detection for quite some time.

    I'm sorry, when I say POS, I'm referring to the POS register systems that are in the stores. The ones I've seen run something like Windows XP Embedded. I'm pretty sure they had hard drives. I've even seen one place where they had two registers, one of which acted as the "server".

    I don't get why they don't run AV.
  • TechGromit Member Posts: 2,156
    The location I worked at had 45 touch-screen registers, all in different restaurant locations in the same building: two in the coffee shop, five in the beach bar, four in the steak house, etc. The reason they didn't have hard drives was that they had the embedded XP operating system on something like a flash card. Originally they networked back to a pair of 386 servers; I had a faster computer at home than work had running the company's POS system. Eventually, over the course of 15 years, they upgraded to much faster servers, better than what I had at home. The servers of course ran anti-virus software, but the registers never did.
  • Pseudonym Member Posts: 341
    POS systems can have email clients on them, so store staff can contact area managers with figures etc. Don't be surprised if they support legacy software that has weak authentication methods for remote access too (for polling, etc.).
  • mnashe Member Posts: 136
    I think I'm just confused about how there is a lack of protection on these devices. Whether they run Windows on a hard drive or Windows Embedded, it's still an OS. Why would there not be AV installed on them?

    Also, why should they have internet access if there is no need? Isn't that asking for trouble?
  • Pseudonym Member Posts: 341
    I've literally just given two use cases for internet access.

    Edit: Also, antivirus is nowhere near a guarantee that malware won't get through.
  • mnashe Member Posts: 136
    Pseudonym wrote: »
    I've literally just given two use cases for internet access.

    Edit: Also, antivirus is nowhere near a guarantee that malware won't get through.

    I saw you mentioned email. If the email server is internal, that doesn't require internet access. If it's Office 365, it's easy enough to allow that traffic and restrict the rest. Not sure what your second use case was.

    AV isn't a guarantee, correct, but I would think it shouldn't be disregarded altogether.

    It seems these systems are a real weakness.
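Segmentation and egress allowlisting run through several posts above: the guest Wi-Fi plugged into the POS LAN, the shared-LAN infection in the reply to it, the question about blocking internet access except for updates, and the point just made about allowing the mail traffic and restricting the rest. What all of those amount to is a short allowlist for the POS segment in both directions. The following is an added example, not code from this thread or from any product: a policy-as-code check that states such a POS segment policy and runs constructed flow records (as a firewall or NetFlow export would provide) through it, so the policy can be tested before it is pushed to the firewall and violations can be spotted afterwards. The subnet, the three permitted destinations, the jump host and the port numbers are assumptions; substitute the real ones.

```python
"""Allowlist policy for a POS segment, checked against constructed flow records.

Added example. Registers may initiate only the listed egress flows; only the
listed sources may initiate flows to registers; registers never talk to each other.
"""
from ipaddress import ip_address, ip_network

POS_NET = ip_network("10.10.20.0/24")           # assumed register subnet

# What a register may initiate: (destination, port, label). All assumed.
EGRESS_ALLOW = [
    (ip_network("203.0.113.10/32"), 443,  "payment gateway"),
    (ip_network("10.10.5.20/32"),   8530, "WSUS"),
    (ip_network("10.10.5.25/32"),   587,  "mail relay"),
]
# Who may initiate a connection to a register: (source, port, label). Assumed.
INGRESS_ALLOW = [
    (ip_network("10.10.5.50/32"), 3389, "management jump host"),
]

# Constructed flow records: src,dst,dport,proto
SAMPLE_FLOWS = """
10.10.20.11,203.0.113.10,443,tcp
10.10.20.11,10.10.5.20,8530,tcp
10.10.20.12,198.51.100.77,80,tcp
10.10.20.12,10.10.5.25,587,tcp
10.10.30.40,10.10.20.11,445,tcp
192.168.100.23,10.10.20.13,3389,tcp
10.10.5.50,10.10.20.13,3389,tcp
10.10.20.14,10.10.20.15,445,tcp
"""


def parse_flows(text):
    """Parse src,dst,dport,proto lines into dicts with ipaddress objects."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = line.split(",")
        flows.append({"src": ip_address(src), "dst": ip_address(dst),
                      "dport": int(dport), "proto": proto})
    return flows


def _match(rules, addr, port):
    """Label of the first rule whose network contains addr on that port, else None."""
    for net, rule_port, label in rules:
        if addr in net and port == rule_port:
            return label
    return None


def classify(flow):
    """Return (decision, reason) for one flow under the POS segment policy."""
    src_pos, dst_pos = flow["src"] in POS_NET, flow["dst"] in POS_NET
    if src_pos and dst_pos:
        return "deny", "register-to-register traffic has no business need"
    if src_pos:
        label = _match(EGRESS_ALLOW, flow["dst"], flow["dport"])
        if label:
            return "allow", label
        return "deny", f"egress to {flow['dst']}:{flow['dport']} not allowlisted"
    if dst_pos:
        label = _match(INGRESS_ALLOW, flow["src"], flow["dport"])
        if label:
            return "allow", label
        return "deny", f"ingress from {flow['src']} to port {flow['dport']} not allowlisted"
    return "ignore", "not POS traffic"


def evaluate(text):
    """Classify every flow in the export and return the records with decisions."""
    out = []
    for f in parse_flows(text):
        decision, reason = classify(f)
        out.append({**f, "decision": decision, "reason": reason})
    return out


def denied_flows(text):
    return [r for r in evaluate(text) if r["decision"] == "deny"]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_FLOWS):
        print(f"{r['decision']:6} {r['src']} -> {r['dst']}:{r['dport']}  {r['reason']}")
```

On the constructed data the four denied flows are exactly the cases raised in the thread: a register browsing an arbitrary internet host, an office desktop reaching a register over SMB (the shared-LAN infection path), a guest Wi-Fi client trying RDP to a register, and one register talking to another. Cloud mail such as Office 365 fits the same shape, as a further egress rule for the provider's published address ranges on the relevant ports, and an allowlist like this is also the argument for why a register with "internet access" need not be a register with access to the whole internet.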
  • Pseudonym Member Posts: 341
    Even if you only allow email traffic through the firewall, malicious files can still end up on the machine via email.
  • mnashe Member Posts: 136
    Pseudonym wrote: »
    Even if you only allow email traffic through the firewall, malicious files can still end up on the machine via email.

    I think you're missing my point, but it's okay. I appreciate the responses.
  • Pseudonym Member Posts: 341
    No, I think you're missing my point. :)