back to article Bank-card-sniffing shop menace Punkey pinned down in US Secret Service investigation

Security researchers have identified a new strain of point-of-sale (POS) malware during an investigation led by the US Secret Service. Stolen payment card information and the IP addresses of more than 75 infected sales tills were found by security researchers at Trustwave during the probe. It's unclear how many victims the so- …

  1. This post has been deleted by its author

    1. Crazy Operations Guy Silver badge

      Indeed, I figured that POS systems should be connected to an air-gapped network, one that only connects between the POS terminals and the stock / financial databases. For the most part, I don't even know why stores need internet access, other than to connect to the main office by way of a VPN / MPLS. If anything, they should have a separate guest network if internet access is absolutely needed (Maybe even on a completely different network, EG consumer grade ISP connection for the guest network and then a proper enterprise-grade provider for the corporate network).

      1. chivo243 Silver badge

        I work where a third party has been hired to handle financial transactions in a cafeteria, they use our internet connection and if it even wavers, we get a call from the manager saying he's losing money because people can't pay in real time... Real time is how the financial sector seems to be working.

        I can see the banks are trying to make more money, by spending less in every sector of their bussiness.

      2. PNGuinn
        Flame

        @ Crazy Ops guy

        What you just posted is banally, utterly obvious. Even a blithering idiot somewhere south of a polital varmit would understand it.

        It'll never happen. Unless those responsible get landed with the costs and pain they afflict on the rest of us.

        Upvoted.

      3. Anonymous Coward
        Anonymous Coward

        connected to the internet?

        well, they do need to validate your card at time of purchase. would you prefer they had a database of every card in the world in an 'offline' system for lookup?

      4. Tom 13

        Why internet for card processing

        Because that's actually the card processors preferred connection for confirming transactions. Remember, each authorization has to be confirmed at the time of sale. That means talking to the issuing company (usually via third party software) to confirm the transaction.

        I have an edge case that absolutely depends on using the internet. Convention runs for three days once a year. The convention center doesn't supply phone numbers ahead of time, but you can provision for internet on a T1. System is only up for those three days, then gets put in storage. Given the window, and vendor supplied equipment coming in, it's actually fairly secure, even over the internet. Granted, even at that when I was there we only gave the POS server internet access, not the actual terminals. These days they also run a pre-registration database which does require internet access, so the POS terminals now have direct internet access. Not sure what if any other measures they added to secure the terminals, but I don't run it anymore.

    2. Dan Paul

      Stores are way too cheap to provide security and onsite management

      The way that POS systems are managed is via the internet. They leave them connected all the time. They run on a network anyway and that means ALL the registers "face the internet".

      These stores could not manage their network security if you paid them.

  2. Christoph Silver badge

    "cashiers using the POS system to browse malicious websites or open phishing emails"

    Why does a POS system need to have a browser installed? Or any software not directly related to running the system?

    1. Robert Helpmann?? Silver badge
      Childcatcher

      When is a POS a POS?

      Why does a POS system need to have a browser installed? Or any software not directly related to running the system?

      The browser might be how the POS actually works. Besides, even even ATMs seem to be getting in on the fun.

      I am in the middle of building a POS system for an annual non-profit event. For the client side, I am using Raspberry Pis set up as kiosks on a closed network. They will connect to a web server running a database back-end. This will all be on a closed network. This system will not handle credit card transactions as it is more cost effective to use third party kit for that. We will be handling quite a bit of PII, though, so the security concerns for this are not trivial.

      At no point will any of the machines involved be allowed on the internet. I might be able to understand the use of a VPN to connect servers at one location to the home office, but cannot get my head around the idea that someone might think allowing the actual POS stations access to the internet would be a good plan.

    2. Tom 13
      Devil

      @Christoph

      Haven't you heard? IE is an integral part of the OS on Windows. You can put a different chrome on it, but you cannot pull the innards without breaking the system.

      Or so Microsoft claimed in court, and now they're stuck with it.

    3. Tom 13

      @Christoph

      On a more serious note, there are edge cases such as the one I sited in a reply above. In addition to being a POS terminal, it functions as a web based lookup terminal for something else. Also, depending on the application, the POS terminals phone home the sales numbers for inventory purposes. Yes, it probably would be better done with a dedicated modem line, but that would probably just lead to a different hacking scenario.

      But yes, for most instances you shouldn't. The thing is, today a cheap PC with POS software probably costs less than a dedicated POS terminal. So that's what you get. Since the PC comes with the browser, that's just a "bonus".

  3. Ugotta B. Kiddingme Silver badge

    this will never change

    until someone OTHER THAN the consumer gets a thorough reaming. When a few top execs get publicly humiliated by their (hopefully former) employers and/or said businesses are forced into liquidation to pay for the mess they themselves created, then and ONLY then will they begin to wake up and fix this. If the culprit is an outside contractor/firm, then they should be held financially liable for any and all breaches. Only then will they be truly interested in securing their devices and the transactions thereupon.

    /soapbox

    1. PNGuinn
      Mushroom

      Re: this will never change @Ugotta B. Kiddingme

      Not quite. Needs just a little more venom.

      "When a few top execs get publicly humiliated AND HAVE TO FEEL THE FINANCIAL PAIN THEMSELVES and / or..."

      The buck has to stop where it hurts the most. Otherwise the same culprits will simply start again...rinse and repeat.

      Icon for the guilty, (not UBK)

      1. Ugotta B. Kiddingme Silver badge

        Re: this will never change @Ugotta B. Kiddingme

        agree. And I thought I had implied that. Thanks for clarifying.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020