In light of the recent point-of-sale (POS) security breach at Target, a lot of attention is being paid to the security measures currently employed by retailers to protect customer data. Naturally, many are asking how on Earth the information of 40 million credit and debit cards could be exposed and what enterprises are doing to make sure sensitive customer information is being safeguarded.
As it turns out, the data breach was the result of a sophisticated malware attack, affecting a large number of POS systems at physical retail locations. The nefarious piece of software monitored POS platforms for sensitive data, and once detected, covertly transferred the information to an external location. The very nature of the breach made it almost undetectable.
Of course, installing the malware in the first place requires obtaining access to the POS system. This can be done in several ways, but more than likely the cybercriminals were able to acquire the proper login credentials (username/password) for the POS system, through some combination of social engineering, phishing, insider shoulder surfing, or brute force cracking, and deployed the malware through the POS remote desktop connection.
Unfortunately, accomplishing such a task may not be as difficult as it sounds. Indeed, a recent Fortinet survey revealed that 55 percent of retailers are unaware of their state’s security breach requirements, and 40 percent lack any established policy adhering to those requirements. Moreover, many of these companies were found to be lacking when it came to employing strong security practices, such as policies to enforce password security. You can see how this can readily expose a business to sophisticated data breaches.
As retailers increasingly roll out mobile point-of-sale solutions, it is natural to assume that these vulnerabilities are only exacerbated. MobileIron security expert Michael Raggo, however, insists otherwise. In fact, according to his most recent blog post, a mobile POS system could have prevented such an attack from occurring in the first place.
Raggo explains that a mobile POS architecture actually offers enhanced security benefits, especially when used in conjunction with a mobile device management (MDM) platform. Beyond encrypting credit card data both at rest and in transit, both Android and iOS devices come equipped with additional built-in encryption, inherent support for security certificates, strong authentication, and a wide assortment of security lock-down features and APIs. With MDM software installed, the mobile POS becomes inarguably more secure than a traditional POS.
For example, Raggo points to four capabilities of MobileIron’s mobile security solution that could have mitigated such an attack:
- The ability to automatically wipe a device after a configurable number of failed login attempts
- Malicious or risky app detection and administrator alerts through integration with app reputation services
- Automatic quarantining and/or wiping of detected jailbroken or rooted devices
- Standalone Sentry and AppTunnel, which allows only registered devices with the correct permitted applications to access the network
He also points out that MobileIron MDM solutions are able to enforce strong authentication through distribution of client certificates, and can be fully integrated with network access control (NAC) solutions and malware protection systems (MPS).
Taken together, these capabilities make it far more difficult for potential intruders to carry out brute force hacking attempts or (should they come to possess the proper credentials by other means) install a malicious app on a mobile POS device.
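As an added illustration of how the four controls above fit together (this is not MobileIron's code and does not appear in the article), the following models an MDM policy check over a device's posture; the lockout threshold, app identifiers and reputation values are constructed for the example:

```python
# Constructed thresholds and identifiers: the article names the controls but not
# MobileIron's configuration keys, so these values are illustrative only.
MAX_FAILED_LOGINS = 5
PERMITTED_APPS = {"com.example.pos"}                      # allow-listed POS app (hypothetical)
APP_REPUTATION = {                                        # stand-in for an app reputation feed
    "com.example.pos": "trusted",
    "com.example.cardgrabber": "malicious",
}


class Device:
    """Posture the MDM server knows about one mobile POS device."""

    def __init__(self, device_id, registered, has_client_cert, rooted, installed_apps):
        self.device_id = device_id
        self.registered = registered            # enrolled with the MDM
        self.has_client_cert = has_client_cert  # MDM-distributed client certificate present
        self.rooted = rooted                    # jailbroken/rooted
        self.installed_apps = set(installed_apps)
        self.failed_logins = 0


def record_failed_login(device):
    """Control 1: count a failed unlock; the device is wiped once the threshold is hit,
    which caps any online brute-force attempt at MAX_FAILED_LOGINS guesses."""
    device.failed_logins += 1
    return "wipe" if device.failed_logins >= MAX_FAILED_LOGINS else "allow_retry"


def evaluate_posture(device):
    """Controls 2 and 3: return the ordered MDM actions for the device's current state."""
    actions = []
    if device.rooted:
        actions.append("quarantine")                       # rooted devices are isolated
    risky = sorted(a for a in device.installed_apps if APP_REPUTATION.get(a) == "malicious")
    for app in risky:
        actions.append("alert_admin:" + app)               # administrator alert
        actions.append("remove_app:" + app)                # strip the malicious app
    return actions


def tunnel_allowed(device):
    """Control 4 (Sentry/AppTunnel-style gate): only registered, certificate-bearing,
    non-rooted devices running nothing outside the permitted set reach the network."""
    return (device.registered and device.has_client_cert and not device.rooted
            and device.installed_apps <= PERMITTED_APPS)
```

A compliant device passes every check, while a rooted device, an unregistered device, or one carrying an app outside the permitted set is denied the tunnel before any card data can leave it.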
Raggo believes it is important that the industry learn from the failures of these recent breaches, and use the lessons learned to incorporate better controls into the design and approach of POS systems.
“This should undoubtedly include an automated response to POS attacks to mitigate and remediate issues, rather than allow data to be stolen for extended periods of time,” he writes. “If the POS was infested with malware, having a solution that not only detects the malware but also wipes the credit card data from the device, removes the credit card processing app, or even fully wipes the device will be key. All of these options exist today for mobile-based POS solutions. All POS systems should have this type of approach, and if not, perhaps it's time these retailers move to a mobile-based POS solution to meet not only the demand of their customers, but today's threat landscape.”
Edited by Cassandra Tucker