Bank-card-sniffing shop menace Punkey pinned down in US Secret Service investigation Security researchers have identified a new strain of point-of-sale (POS) malware during an investigation led by the US Secret Service. Stolen payment card information and the IP addresses of more than 75 infected sales tills were found by security researchers at Trustwave during the probe. It's unclear how many victims the so- …
This post has been deleted by its author
Indeed, I figured that POS systems should be connected to an air-gapped network, one that only connects between the POS terminals and the stock / financial databases. For the most part, I don't even know why stores need internet access, other than to connect to the main office by way of a VPN / MPLS. If anything, they should have a separate guest network if internet access is absolutely needed (Maybe even on a completely different network, EG consumer grade ISP connection for the guest network and then a proper enterprise-grade provider for the corporate network).
I work where a third party has been hired to handle financial transactions in a cafeteria, they use our internet connection and if it even wavers, we get a call from the manager saying he's losing money because people can't pay in real time... Real time is how the financial sector seems to be working.
I can see the banks are trying to make more money, by spending less in every sector of their bussiness.
Because that's actually the card processors preferred connection for confirming transactions. Remember, each authorization has to be confirmed at the time of sale. That means talking to the issuing company (usually via third party software) to confirm the transaction.
I have an edge case that absolutely depends on using the internet. Convention runs for three days once a year. The convention center doesn't supply phone numbers ahead of time, but you can provision for internet on a T1. System is only up for those three days, then gets put in storage. Given the window, and vendor supplied equipment coming in, it's actually fairly secure, even over the internet. Granted, even at that when I was there we only gave the POS server internet access, not the actual terminals. These days they also run a pre-registration database which does require internet access, so the POS terminals now have direct internet access. Not sure what if any other measures they added to secure the terminals, but I don't run it anymore.
The way that POS systems are managed is via the internet. They leave them connected all the time. They run on a network anyway and that means ALL the registers "face the internet".
These stores could not manage their network security if you paid them.
Why does a POS system need to have a browser installed? Or any software not directly related to running the system?
The browser might be how the POS actually works. Besides, even even ATMs seem to be getting in on the fun.
I am in the middle of building a POS system for an annual non-profit event. For the client side, I am using Raspberry Pis set up as kiosks on a closed network. They will connect to a web server running a database back-end. This will all be on a closed network. This system will not handle credit card transactions as it is more cost effective to use third party kit for that. We will be handling quite a bit of PII, though, so the security concerns for this are not trivial.
At no point will any of the machines involved be allowed on the internet. I might be able to understand the use of a VPN to connect servers at one location to the home office, but cannot get my head around the idea that someone might think allowing the actual POS stations access to the internet would be a good plan.
On a more serious note, there are edge cases such as the one I sited in a reply above. In addition to being a POS terminal, it functions as a web based lookup terminal for something else. Also, depending on the application, the POS terminals phone home the sales numbers for inventory purposes. Yes, it probably would be better done with a dedicated modem line, but that would probably just lead to a different hacking scenario.
But yes, for most instances you shouldn't. The thing is, today a cheap PC with POS software probably costs less than a dedicated POS terminal. So that's what you get. Since the PC comes with the browser, that's just a "bonus".
until someone OTHER THAN the consumer gets a thorough reaming. When a few top execs get publicly humiliated by their (hopefully former) employers and/or said businesses are forced into liquidation to pay for the mess they themselves created, then and ONLY then will they begin to wake up and fix this. If the culprit is an outside contractor/firm, then they should be held financially liable for any and all breaches. Only then will they be truly interested in securing their devices and the transactions thereupon.
/soapbox
Not quite. Needs just a little more venom.
"When a few top execs get publicly humiliated AND HAVE TO FEEL THE FINANCIAL PAIN THEMSELVES and / or..."
The buck has to stop where it hurts the most. Otherwise the same culprits will simply start again...rinse and repeat.
Icon for the guilty, (not UBK)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
