
Attackers Use Email Spam To Infect Point-of-Sale Terminals

jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on them that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.
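The story's infection vector is a macro-bearing Word document arriving by mail. One place a defender can cut that off is the mail gateway, before the attachment ever reaches a terminal that has Word installed. The check below is an added example, not code from the story or from anyone in this thread: it inspects attachment bytes rather than the file extension, because an Office Open XML document carries its VBA in a `vbaProject.bin` part regardless of whether the sender named the file `.docx` or `.docm`. The sample attachments are constructed in memory with `zipfile`, and the `vbaProject.bin` content is a stub, not real VBA; the verdict names (`quarantine`, `deep-scan`, `deliver`) are this example's own.

```python
"""Mail-gateway check for Office attachments that carry VBA macros.

Added example, not from the story or the thread. The attachments below are
constructed in memory so the check runs offline; vbaProject.bin is a stub.
"""
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls. Macros in those
# live in internal streams, which need an OLE-aware parser to inspect.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Office Open XML stores VBA in a binary part with this name and content
# type; its presence, not the extension, marks a macro document.
MACRO_PART_SUFFIX = "/vbaproject.bin"
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return one of: ooxml-macro, ooxml-clean, zip-not-office,
    malformed-zip, legacy-ole, not-office."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                lowered = [n.lower() for n in names]
                if "[content_types].xml" not in lowered:
                    return "zip-not-office"
                # Check 1: the VBA part itself is present.
                if any(n.endswith(MACRO_PART_SUFFIX) for n in lowered):
                    return "ooxml-macro"
                # Check 2: the content-types manifest declares a VBA part
                # (catches documents whose part was renamed but still registered).
                ct_name = names[lowered.index("[content_types].xml")]
                if MACRO_CONTENT_TYPE in zf.read(ct_name):
                    return "ooxml-macro"
                return "ooxml-clean"
        except zipfile.BadZipFile:
            # Starts like a zip but cannot be parsed: treat as hostile.
            return "malformed-zip"
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    return "not-office"


def gateway_verdict(filename: str, data: bytes) -> str:
    """Policy layer: the filename is logged but never trusted for the decision."""
    kind = classify_attachment(data)
    if kind in ("ooxml-macro", "malformed-zip"):
        return "quarantine"
    if kind == "legacy-ole":
        return "deep-scan"   # hand to an OLE-aware scanner before delivery
    return "deliver"


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument'
        '.wordprocessingml.document.main+xml"/>'
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
            zf.writestr("word/vbaProject.bin", b"\x00stub-not-real-vba")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_docx(True)),
                       ("order.docx", build_docx(False))):
        print(name, classify_attachment(blob), gateway_verdict(name, blob))
```

The point of the two-step check is that a sender who renames a `.docm` to `.docx` changes nothing the gateway looks at. Legacy binary `.doc` files are handed to a separate OLE-aware scanner rather than delivered, since this example deliberately does not parse OLE streams.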
  • E-mail client? (Score:5, Insightful)

    by Todd Knarr ( 15451 ) on Tuesday May 26, 2015 @02:16AM (#49773093) Homepage

    So, WTF is an e-mail client doing on a POS terminal in the first place? It doesn't need one, it shouldn't have one. Ditto a Web browser. You don't have to worry about vulnerabilities in software that isn't present on the machine in the first place. There are of course other things to be looked at, but those are a good starting point.

    • Re:E-mail client? (Score:5, Insightful)

      by sydbarrett74 ( 74307 ) <sydbarrett74.gmail@com> on Tuesday May 26, 2015 @02:32AM (#49773131)

      Quoted for truth.

      The POS terminal should be a single-purpose device, with nothing but the POS software suite running on it and that's it. If employees want to check email or play LatestGreatestGame, they can do it on their own fucking devices. Or maybe, just maybe, they can clean or do other work around the business. There's always some work that can be done at a retail establishment. 'If you have time to lean, you have time to clean.'

      • 0. Square qualifies as a POS system. It requires a browser. I'm not claiming this is good or secure, just that it is.

        1. Small businesses multitask at everything.

        2. You seem to misunderstand the small business employee mindset, especially in retail. Seems like you would be a lot of fun to work for.

        • by Anonymous Coward

          > Seems like you would be a lot of fun to work for.

          What possessed you to make you think that work has to be fun???

        • 2. You seem to misunderstand the small business employee mindset, especially in retail. Seems like you would be a lot of fun to work for.

          That's why it's called work and not 'happy fun time'.

      • by Toshito ( 452851 )

        Or you do like any other civilized country (you know, those who have free healthcare) and you do transactions with a chip card.

        Then you must have a pinpad attached to the cash register that communicates with the chip, validates the PIN, and encrypts the transaction before sending it to the cash register attached to it.

        The pinpad is owned and controlled by the acquiring company and/or the bank offering the acquiring services, the store can't do anything with it.

        That way the general purpose computer masqueradi

    • Re:E-mail client? (Score:5, Insightful)

      by PTBarnum ( 233319 ) on Tuesday May 26, 2015 @02:35AM (#49773141)

      In a small business, the owner/manager may well be sitting at the POS terminal to help customers, but also doing other business tasks in between. It would be great if they had different computers for this, but there may not be space/budget for that.

      In a larger system, there might be general purpose computers sitting on the same network as the POS system without proper firewalls between them. So the malware hits a general purpose system first, then uses that platform to attack the POS.

      • by pspahn ( 1175617 )

        Pretty much this. Also keep in mind that many businesses are still running old software that might need a terminal/emulator to run on modern hardware.

      • Re:E-mail client? (Score:5, Insightful)

        by Todd Knarr ( 15451 ) on Tuesday May 26, 2015 @02:51AM (#49773177) Homepage

        For the first, tough. If they can't properly handle other people's financial information like credit-card numbers and PINs, they shouldn't be handling that information. Just like with a restaurant that claims they can't afford to maintain proper sanitary conditions to prepare food for customers.

        As for the second, in larger organizations there's never any reason to have a general-purpose computer on the POS network that can access or be accessed from the outside world. I know, I helped build and maintain a national network of POS systems that maintained that separation. If corporate IT and the software vendor can't make it work, I'll be happy to quote an hourly rate for the work.

        • by doug141 ( 863552 )

          For the first, tough. If they can't properly handle other people's financial information like credit-card numbers and PINs, they shouldn't be handling that information.

          Some merchants are not computer savvy, and have no idea they make their customers vulnerable by using their computer to check emails and browse the web with their out-dated and unpatched OS.

          • by umghhh ( 965931 )
            These are not the '90s anymore - go fix it or get bust. This is too important an issue to be left for ignorant to decide on basis of their own cost/benefit calculation especially as client's well being is not part of this calculation. Seems like a nice place for legislature to ask some tech savvy guys to specify what is absolutely needed for a regulation in an area. OC this is red tape and some such but I guess complex societal structures require appropriate solutions and isolation of certain part of your sys
            • Seems like a nice place for legislature to ask some tech savvy guys to specify what is absolutely needed for a regulation in an area.

              I see a regulation that spells out exactly what is required, a third or more of it is patented technology, and it can be bought from any good software vendor [microsoft.com]. Do you really want the government specifying what software is necessary? (I have some surplus Cover Oregon software for sale, cheap, BTW.)

              It is cost of doing business.

              The cost of having an easy, convenient credit system is abuse. If you want to be able to call someone up and order stuff using just a few words over the phone, and have it sent where you are and not just where so

              • by umghhh ( 965931 )
                The solutions are known more or less, at least to people that want to know. The problem are people that only look at bottom line and at things required of business by law. Maybe it works some other way - I see the odds for it to work are just against it unless somebody makes the cost of such actions necessary. I may be mistaken tho.
      • by swb ( 14022 )

        I see this at two clients with POS systems. They don't handle any cash or credit card transactions, everything is billed to internal accounts, but they still want to use some of the terminals for productivity software because the POS systems are underutilized as POS systems, they lack the space for additional productivity PCs and don't want to spend money on them anyway.

        I opposed it on principle in terms of providing advice, but as a matter of practicality since they're not handling real money or credit ca

      • Remember that Target got nailed on the latter - POS systems accessed without any good firewall between networks.

      • Ironically, despite having less money after getting hacked, they might find that they really do have the budget for a little security.

    • Re:E-mail client? (Score:5, Interesting)

      by adolf ( 21054 ) <flodadolf@gmail.com> on Tuesday May 26, 2015 @02:51AM (#49773173) Journal

      I used to look after the POS machines for small chain of retail establishments.

      The reason that an e-mail client was on the POS machines was because the boss was cheap, and having separate machines for internal business and external transactions seemed expensive to him, even when business halts because some bored lackey decided that they needed the latest "OMG PONIES!!" screensaver on the fucking cash register.

      The reason that web browsers were on the POS machines was because Verizon are a bunch of fucks who couldn't be bothered to write a local client, but were perfectly content to always have a dependency on (old) Java and (old) Internet Explorer under (old) Windows.

      The reason that the POS machines ran as Administrator was because my counterparts who were also charged with looking after said machines couldn't be bothered to get anything to work with regular user accounts, and would actively sabotage my efforts to improve security.

      The reasons that I no longer concern myself with the retail operations of that company are detailed above.

    • Re:E-mail client? (Score:4, Informative)

      by Whiteox ( 919863 ) on Tuesday May 26, 2015 @03:26AM (#49773269) Journal

      Email is there in Win XP and later. These POS terminals are full computers with a cash drawer underneath, merchant banking device and card swipe peripherals. They are networked to a local printer and mainly controlled by IT through remote desktop. They are typically in smaller shops with 2 or more terminals. They do stock control, daily cash calculations etc as they replace traditional Z type cash registers.
      Emails are sent by head office to all managers. Intranet and internet are available as well. So yes, they can be infected with spam emails.

    • by Anonymous Coward

      There is an ancient American proverb, circa 1980, which says: 'All software grows until it can send email'.

    • Check out your average tiny business, often a receptionist who might take email/phone bookings and put them into a web based appointment app on the same machine that is running the cash box and CC reader. Their PCI compliance is check all the correct boxes regardless of reality.

    • by tlhIngan ( 30335 )

      So, WTF is an e-mail client doing on a POS terminal in the first place? It doesn't need one, it shouldn't have one. Ditto a Web browser. You don't have to worry about vulnerabilities in software that isn't present on the machine in the first place. There are of course other things to be looked at, but those are a good starting point.

      In a small business of 1-4 people, the POS system is usually the only computer on the premises. POS systems are cheap and readily available and help businesses out, at least wit

    • by mlts ( 1038732 )

      What needs to be implemented on a POS terminal, if it has to run Windows, is AppLocker and other policy restrictions. I'd say even add DeepFreeze, so that if the terminal gets in some screwy state, a power cycle gets it back to normal. Updates can be handled by various mechanisms, be it a WSUS server if there are a lot of terminals, a USB flash drive with an installer on it, to get a machine to a known good patch level, or even a fresh image of the OS that gets copied over, which reads the terminals confi

  • retail management (Score:3, Informative)

    by roman_mir ( 125474 ) on Tuesday May 26, 2015 @03:03AM (#49773199) Homepage Journal

    I supply various systems, including retail chain management built with security by design. It is hard to achieve proper security in stores and offices, the users are so far away from being computer savvy it hurts. We move them off Windows in many cases to Linux solutions. In any case POS should not be connected to the Internet. We set up Linux machines as router / firewall and as a store management server. It talks to everything on the inside, it provides connectivity for the bank terminals, the cameras and another administrative computer. POS gets its instructions through it and offloads sales data to it and then everything is synchronized with the central system by it.
    The amount of crazy that happens in stores is staggering, almost inconceivable. We have to prevent meltdown with minimal resources and as little pain as possible but it is not easy when a retailer has a few stores and maybe one admin. Remote administration is vital, proper backup solutions are vital, the whole thing can degrade in no time if no one is watching.

    • by Whiteox ( 919863 )

      Ermmm... This guy should not be modded down. What he stated is default in most smaller shops. There are variations like the POS program talks to a CC swipe machine to send item totals and receives receipt information.
      What got me was that in one particular case, they fired the whole IT support who set up the initial VPN Intranet and the new IT moved everything to internet. Really dumb.

  • "general-purpose PC running point-of-sale (PoS) .. PCs have all the usual vulnerabilities"

    Only when running Microsoft Windows and connected to the Internet.
  • Windows in its default state is dangerous. It doesn't make any difference which version is involved.

    Using Windows where there is any sensitive information is the equivalent of promoting criminal activity. The only exception is if the system is tightly configured and continuously updated. In the real world a vanishingly small percentage of all Windows installations do the right thing.

    The only way this will ever change is if the organization (or person) responsible for the system is held accountable for any

  • I thought that word macros and such were a solved problem. Is anyone still running Office 97? After that, macros were disabled by default.

  • The case for the 'principle of least authority' has been made many times. People have even tried to design operating systems around it. But when the dominant PC operating system is simply designed to make its maker money and give them market dominance, stuff like this happens. PCs vulnerable to this sort of thing are the product of laziness and the business obsession with (and present-day necessity of) short time-to-market. Unfortunately modern business reality means people often cannot afford to make thing
  • 1995 called, they want their zero day exploits back.

    • In 1996-7 I was working at Electronics Boutique. Our POS machines were Win95 based, but so locked down that the only program it ran was the POS stuff. No Word, no browser, no nuthin.

      I wonder when it was that people forgot such basic security principles.

      • by Viol8 ( 599362 )

        The sort of people who set up these compromised systems probably never knew them in the first place.

  • This is what happens when you have employees who think they have a god given right to surf the internet and conduct personal business on company time and equipment.

    I'm sorry, you would not have that "right" in my shop. Especially these days with smart phones and tablets. You want to check your email or surf the web? Do it on your own god damned device, and it better damn well be after you've completed all your work, or on your break.

    Yes employees have rights, but so do employers. They have the right to

    • by Antique Geekmeister ( 740220 ) on Tuesday May 26, 2015 @07:08AM (#49773947)

      > This is what happens when you have employees who think they have a god given right to surf the internet

      Or when you have an employer mandate to check employee email about store policies, schedules, delivery dates, and inventory, verifying store hours for other branches, verifying alternative vendor prices for price matching, checking the weather for a customer buying exterior paint, looking up a product review or product specifications with a customer, or any of a dozen other uses. It is _embarrassing_ for a modern vendor to be unable to work with a customer checking the same information that the customer can obtain at home on their home computer, or to be unable to print out the specifications for a product that the vendor sells.

      Such terminals have become quite common and are much more necessary now that customers expect one store to be able to verify inventory or reserve an item before proceeding to another physical store. If they cannot do this, they will lose the sale to an online vendor.

      • On Another Site, someone asked (relatively recently) how to run a web browser on windows 3.1... on industrial computer controlling a bandsaw. At this point, Win 3.1 and any IE that could run on it would be not updateable. So let's allow our bandsaw controller to be pwn3d.

        People do stupid things.

  • If the network infrastructure allows for POS to connect to the Internet at large, the managers are idiots without a clue and are asking for problems. Probably sooner than later.
    • > If the network infra-structure allows for POS to connect to the Internet at large

      If it can't reach "the Internet at large", then it has to use modems and modem based access for credit card and debit card transactions. This is relatively slow, fragile, and expensive per transaction. Such devices are almost completely gone. Sadly, Windows XP is still commonly used on point-of-sale terminals. A typical vendor, like the one below, has _no_ Windows * based systems and supports only Windows XP and Windows 7

      • Improperly secured networks. Yes, you can use "internet connected" networks, but if you don't secure them properly, a simple PTP VPN tunnel connection, would allow for transactions ONLY (via VPN). If you don't allow any inbound, or outbound traffic, other than what traverses across the VPN, you can't have this kind of thing happen.
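The comment above describes a default-deny store firewall whose only permitted path is the VPN tunnel to the acquirer, with inbound traffic admitted only as replies on that tunnel. The evaluator below is an added example, not code from anyone in this thread, and models that policy as a small stateful packet filter so the effect on a macro dropper's download and on unsolicited inbound connections can be seen over constructed flows. The POS subnet, VPN gateway address and the UDP/1194 tunnel port are assumptions (RFC 5737 documentation addresses and OpenVPN's default port); a real deployment would express the same three rules in the firewall's own language, with the tunnel's actual endpoint.

```python
"""Default-deny store firewall that admits only the VPN tunnel.

Added example, not from the thread. Addresses are constructed from the
RFC 5737 documentation ranges; the tunnel port is assumed (OpenVPN default).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

POS_NET = ip_network("192.0.2.0/24")   # constructed: store LAN with the POS terminals
VPN_GW = ip_address("198.51.100.10")   # constructed: acquirer-side VPN concentrator
VPN_PROTO, VPN_PORT = "udp", 1194      # assumed tunnel endpoint


@dataclass(frozen=True)
class Flow:
    direction: str   # "out" (LAN -> WAN) or "in" (WAN -> LAN)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class StoreFirewall:
    """Three rules, evaluated in order:
    1. LAN -> VPN gateway on the tunnel port: accept and record the 5-tuple.
    2. WAN -> LAN that reverses a recorded tunnel 5-tuple: accept (established).
    3. Everything else, either direction: drop.
    """

    def __init__(self) -> None:
        self._established = set()   # (lan_ip, lan_port, wan_ip, wan_port, proto)

    def decide(self, f: Flow) -> str:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if f.direction == "out":
            if (src in POS_NET and dst == VPN_GW
                    and f.proto == VPN_PROTO and f.dport == VPN_PORT):
                self._established.add((src, f.sport, dst, f.dport, f.proto))
                return "accept"
            return "drop"            # any other egress, including port 80/25
        if f.direction == "in":
            if (dst, f.dport, src, f.sport, f.proto) in self._established:
                return "accept"      # reply on an established tunnel only
            return "drop"            # no unsolicited inbound at all
        return "drop"


# Constructed traffic: what a compromised-terminal scenario would generate.
SAMPLE_FLOWS = [
    ("tunnel-up",      Flow("out", "192.0.2.20", 50000, "198.51.100.10", 1194, "udp")),
    ("tunnel-reply",   Flow("in",  "198.51.100.10", 1194, "192.0.2.20", 50000, "udp")),
    ("http-download",  Flow("out", "192.0.2.20", 50001, "203.0.113.5", 80, "tcp")),
    ("smtp-out",       Flow("out", "192.0.2.20", 50002, "203.0.113.25", 25, "tcp")),
    ("rdp-from-wan",   Flow("in",  "203.0.113.9", 4444, "192.0.2.20", 3389, "tcp")),
    ("gw-wrong-port",  Flow("out", "192.0.2.20", 50003, "198.51.100.10", 443, "tcp")),
    ("spoofed-reply",  Flow("in",  "198.51.100.10", 1194, "192.0.2.21", 50000, "udp")),
]


def run_sample() -> dict:
    """Run the constructed flows through a fresh firewall, in order."""
    fw = StoreFirewall()
    return {label: fw.decide(flow) for label, flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, verdict in run_sample().items():
        print(f"{label:14s} {verdict}")
```

The two negative cases worth noticing are `gw-wrong-port` and `spoofed-reply`: the allowlist is host plus port plus protocol, not just the gateway's address, and an inbound packet that looks like a tunnel reply is still dropped unless a terminal actually opened that exact tunnel first.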

  • Why does a PoS computer have an email client installed?
    Why does a PoS computer have Microsoft Word installed?

    And why is the email client even running?

    A PoS computer should only be connected to an intranet and should only be running the PoS software. Everything else should be completely locked down. Someone messed up, big time.

    • A lot of different things can constitute a POS terminal today. For an iPad, you have Square, Shopify, and any number of other comparable packages. Pretty hard to eliminate an email client.

      At one end of the spectrum, many of these types of systems use cellular service for their internet connection; pretty hard to lock them down at the network level as well.

      The old model for these types of systems was to provide dedicated "appliances" to solve the problem. Costs were absurd, so merchants worked hard to fin

    • by mjwx ( 966435 )

      Why does a PoS computer have an email client installed?
      Why does a PoS computer have Microsoft Word installed?

      And why is the email client even running?

      A PoS computer should only be connected to an intranet and should only be running the PoS software. Everything else should be completely locked down. Someone messed up, big time.

      Are you going to pay for a custom built, fully audited single use OS, or a general purpose OS repurposed to use as a POS terminal.

      All the store managers picked the latter as the stores that used the former went out of business because the average punter does not value security (or worse yet, thinks the banks will protect them).

      Having dealt with POS terminals, there's a good reason I never use my card at a store.

  • by Kinthelt ( 96845 ) on Tuesday May 26, 2015 @09:48AM (#49774931) Homepage

    The real WTF in this scenario is why does the POS software have access to credit card numbers? A one-way transaction will have all credit card information go directly through the PINpad, without ever being exposed to the controlling PC.

    • by mjwx ( 966435 )

      The real WTF in this scenario is why does the POS software have access to credit card numbers? A one-way transaction will have all credit card information go directly through the PINpad, without ever being exposed to the controlling PC.

      Even then, you've still got weak links in the chain.

      Because banks charge per terminal, a lot of smaller chains/franchises use generic terminals with some software sitting on a PC out back so they can have multiple physical terminals presented to the customer but only one software terminal presented to the bank.

      PC EFTPOS [pceftpos.com] is one of the more popular ones I've seen in Australia and it is not unusual to see it sitting on the same PC that staff use to check their personal mail and cat videos.

      Having installe
