Verizon’s 2014 Data Breach Investigations Report (DBIR) is filled with some interesting and very important information about data breaches and where security threats are happening most often. When I talked about the DBIR last week, I focused on the nine basic patterns of data breaches. Today, I am going to focus on one of the top security threats mentioned in the DBIR, point of sales (POS) intrusions.
While I think 2014 is going to be known as the year of POS attacks, mainly because of all of the breaches that have made the news (and it is only the end of April), DBIR pointed out that we started to see this trend in force in 2013. As ZDNet quoted from the report:
From an attack pattern standpoint, the most simplistic narrative is as follows: Compromise the POS device, install malware to collect magnetic stripe data in process, retrieve data, and cash in. All of these attacks share financial gain as a motive, and most can be conclusively attributed (and the rest most likely as well) to organized criminal groups operating out of Eastern Europe.
Such groups are very efficient at what they do; they eat POSs like yours for breakfast, then wash ‘em down with a shot of vodka. While the majority of these cases look very much alike, the steps taken to compromise the point-of-sale environment offer some interesting variations.
In an email to me, Tom Cross, director of security research with Lancope, explained why POS is so popular among attackers. POS terminals that are directly connected to the Internet by small businesses represent low-hanging fruit that is incredibly easy to pluck. Cross added:
In the past year we know that POS malware was used in much more sophisticated attacks against larger, better defended retail establishments. This process mirrors what we expect to see with other kinds of embedded systems associated with the Internet of Things. If there is a business model associated with attacking devices, it will be pursued, and it will first impact systems that are easy to compromise. If those attacks prove lucrative, we’ll see them replicated in increasingly sophisticated attacks that get at devices that are more heavily defended. What drives all of this activity is the opportunity to make money.
One other point about POS systems caught my eye. One of the recommendations is to avoid using POS systems for anything other than POS activities. Thanks in part, but not solely, to BYOD, the lines of how we use devices of any kind have blurred, but as Adam Kujawa, head of malware intelligence at Malwarebytes, told me in an email, it is more important than ever to keep work systems for work purposes only:
Although many organizations want to reach out and provide a social presence to their customers, it’s necessary to understand the risks they take when doing so from a company computer. Malware, phishing, watering hole attacks and drive-by exploits are only a few of the possible threats faced by users on company networks but especially so when considering social media. The practice of operation security goes beyond ensuring that you have set your privacy settings correctly on Facebook, but also being aware that while one single piece of data by itself might not be dangerous, gathering multiple pieces of data and finding the connection makes it highly useful.