4 Tips to Guard Against Retail Point-of-Sale Malware

The scourge that regularly seems to afflict retailers is back: point-of-sale malware.

Earlier this month, RMH Franchise Holdings, the second largest Applebee’s restaurant franchisee, disclosed that it had suffered a POS data breach. As Bank Info Security reports, the company “warned that of the 167 Applebee’s restaurants it owns and operates, 166 of them suffered a data breach in which point-of-sale systems were infected with malware designed to capture payment cards for anyone who dined at the restaurants.”

The threat of POS malware does not seem to be going away, given that retailers still seem as susceptible to attacks as they were last year. However, there are clear, practical steps retailers can take to enhance their POS security and protect customers’ data.

A recent study by RIS News, sponsored by HP, offers some concrete advice on how to protect POS terminals and critical data. The report notes that “retailers’ efforts to create seamless omnichannel shopping experiences by making customer data easily accessible across channels” adds to the vulnerabilities they face, especially because POS terminals may handle personally identifiable information as well as credit card data.

“Retailers know a process-based, multilayered security plan is the best defense against malicious attacks and even accidental exposure of data,” the report says. “But many are overlooking or neglecting basic block-and-tackle moves. Some of these sit available but unused on their current enterprise-grade POS setups, while others are part of cutting-edge solutions.”

Here are some steps the report recommends retailers can take to bolster their POS defenses:

SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!

1. Protect the Physical POS Terminal

It may seem obvious, but retailers need to take steps to physically protect the terminals they use in their stores.

Some strategies the report recommends include physically attaching a device or stand directly to the counter, which prevents the entire device from being stolen and hinders tampering.

Another measure to consider is Kensington locks, which “physically tether any device to a secure connection via a port lock, preventing devices from being removed or replaced with a substitute” the RIS News report notes. Retailers also need a secure process to manage keys to allow changes and servicing.

Retailers can work with utilities and technology partners to create a Wi-Fi- or GPS-based digital perimeter around a store and automatically disable a POS terminal if it’s taken outside that area.

Retailers should also consider using port protection measures since most POS terminals have USB ports or some other port type. Malicious actors can use these ports to insert malicious code to steal data or credentials. The report adds that retailers “often neglect to make use of Windows Active Directory as well as utilities provided by some POS companies to set rules for powering ports.”

Utilities can keep the port powered off permanently or until an authorized device is plugged in, the report notes. Further, whitelisting rules can be set so that the terminal functions only if a signed, trusted and approved application is attempting to operate on the POS.

2. Secure POS Identity Access

While retailers train employees to prevent unauthorized access to secure systems and POS terminals, this is not foolproof. Indeed, 85 percent of IT professionals say the weakest link in security is end users failing to follow policies and procedures, according to a January 2017 Vanson Bourne study cited by RIS News.

Hackers take advantage of these gaps. For example, PoSeidon malware, which has been widely used to attack POS systems, includes a memory scraper with a keylogger that can gather operator credentials on the infected system and automatically transmit them to the attacker, the report notes.

Retailers must balance secure processes with ease of use to ensure high staff compliance. Technology can help in this regard.

For example, near-field communications retailers can be used along with a card, key or smartphone with NFC capability to authenticate users.

Additionally, enterprise versions of Microsoft’s Windows platform offer a credential guard utility to allow retailers to isolate and harden key systems and user secrets against compromise. “This helps minimize the impact and breadth of a pass-the-hash-style attack in the event that malicious code is already running via a local or network-based vector,” the RIS News report notes.

3. Consider Biometrics Security Measures for POS

Another authentication measure retailers should consider investing in is biometrics security.

IDC recommends that organizations support biometric authorization to reduce fraud costs across their systems, and the research firm expects the security measure to become widespread. IDC predicts that by 2021, half of online transactions will use biometric authentication, enabled by broad user acceptance, ubiquitous technology infrastructure and low implementation costs.

Brad Tracy, global retail segment manager at HP, notes in the RIS News report that poor password management is a major source of breaches, and that bad habits like using the default login, sharing passwords, stealing credentials from another employee and never changing passwords all make POS devices vulnerable.

Tracy notes that biometrics, which can be combined with a username and/or password for two-factor authentication, provide “much stronger security to ensure that the person who is attempting entry into the system is really the one authorized to do so.”

Fingerprint readers are among the most popular biometric authentication tools. Tracy touted the HP ElitePOS for its optional fingerprint reader, which supports secure login to ensure only authorized users gain access to the POS. Such a system can prevent password stealing, block employees from clocking in coworkers who haven’t yet arrived at work and prevent employees from accessing information only a manager should see.

4. Ensure that Customer Data Is Protected

All of these measures will be for naught if retailers don’t also protect customer data and guard against efforts to siphon off data remotely. According to Trustwave’s “2017 Global Security Report,” 62 percent of intrusions affecting POS environments involve malicious remote access.

Retailers have numerous tools at their disposal to protect POS data. One is magnetic stripe reader encryption.

Most MSR readers send data into the POS terminal, where it is briefly visible, and therefore vulnerable to theft. However, if MSR data is encrypted before it travels, it is rendered much safer.

Retailers can also use application whitelisting to prevent unauthorized apps from loading on POS terminals and can block the POS system from running malicious code.

Another place to use data protection is in BIOS security, since, the RIS News report notes, “hackers know if they can get to the POS system’s BIOS, which boots up the operating system, they can bypass a lot of the security measures that run at a higher layer.”

More than half of the cybersecurity professionals surveyed by ISACA reported incidents of malware-infected firmware in 2016. “Many retailers neglect to make use of the BIOS security tools offered by some POS providers, such as pre-boot authentication and administrator-implemented BIOS management controls,” the RIS News report says. “Other useful tools include self-healing BIOS security, near real-time monitoring, rule-based automatic recovery and management of ‘gold master’ reimaging.”

That last approach creates a master copy of the BIOS that is directly encrypted on the POS device. Then, if an attacker tries to hack the BIOS, the machine will reboot itself, load the secure gold master, wipe the infected file, and alert the retailer’s IT team to the attack, according to the RIS News report.

Enhancing BIOS security also strengthens downstream hardware security measures such as Trusted Platform Module — a dedicated industry-standard, secure crypto-processor located on the motherboard — as well as credential guard and drive encryption.