I had an opportunity to speak with a gentleman who is the head of security for a large national company that deploys very popular POS systems for retailers, restaurants, hotels, etc. (So that I do not come across as attacking him or the company he works for, both shall remain anonymous; for the purpose of this article, we’ll call him John Doe.)
During our conversation, I asked John what they typically do to secure the POS systems that they deploy. John’s answers helped me understand why it is so common to see cyber attacks on retailers.
“The most common thing we do,” John says, “is nothing.”
“When we come into the environment to install the POS system, the owner or manager of the business typically doesn’t want to spend more money to secure the systems.”
As someone in cybersecurity, I’m not a bit surprised, but it is still quite disconcerting. Customer credit cards are being run through that system, and most of those systems are not even secured, let alone secured properly.
“Okay, but what about those that are willing to pay for a few hours of labor, John?” I asked, hoping that those that are trying are at least somewhat successful at protecting my credit card information.
“Well, if they do want some security, we typically install a firewall, and if they’re willing to pay for a little more time, we’ll segment the systems into a VLAN environment. Maybe even whitelist the application,” John says, perking up.
“That’s great, John,” I say, “so the systems are layered behind a firewall, even one with VLANs, and with some moderate antivirus software they should be fairly well protected.”
“Now wait a minute!” John says smiling, “they can’t afford to run any antivirus on these machines.”
“What do you mean, they can’t afford antivirus?! John, a typical antivirus program is only about $40-$60 per year. Surely that’s not too much money?!” I exclaimed.
“Money is not the problem, Anton. The problem is that updates to the system, updates to the software, even updates to the antivirus, will cause glitches, and that will bring the system down,” John replies.
“But John, come on, man, no one is so sensitive that they are willing to risk not patching a system,” I say in disbelief.
John explains, “Anton, these guys don’t patch Windows for years. Take a typical Micros POS system, for example. These POS systems are so complex and so sensitive to changes that even Java doesn’t get updated. Not only are they not running antivirus, but they also aren’t even updating Windows, Micros, Java, or anything on those machines, because they are afraid of them going down.”
“That’s not good, John,” I say, shaking my head. “That’s not good at all. That means that most of these Micros POS systems are not patched, for years, from any angle. They barely sit behind a perimeter defense (firewall), and these are the same systems that are processing our credit cards.”
We stand silently, as John nods his head.
“I travel a good bit for work, John; no wonder my credit card numbers get stolen every year,” I said.
John nods his head again.
John and I talked for a while longer, but I think this little bit of the conversation is enough to communicate my point here.
I believe I understand the “whitelist” argument that John is making.
In short, it’s a start, but I would not say it is sufficient.
John is whitelisting at the PC level. This works so long as the PC itself is not compromised and does not have any easily exploitable vulnerabilities, because the allowlist is enforced by the very machine an attacker would be trying to take over. That is not the environment these Micros POS systems are in today.
It seems to me that retailers are some of the biggest targets for cyber attacks because they are notorious for constantly putting dependability over security. It is so easy to fall into the trap of “it’s working now, so for Pete’s sake, don’t do anything to it anymore.”
Because of this mentality, updates are delayed, which leaves well-known vulnerabilities open for attackers to exploit.
Vulnerabilities discovered by research teams, often called “zero-day vulnerabilities”, are much less likely to be actually unknown to attackers. It is far more likely that an attacker, who has a lot more financial incentive to discover a vulnerability, has been exploiting it for some time before the researchers find it.
To further compound the problem, once a research team discovers the vulnerability, it shares it with everyone and makes it public knowledge. So if the attackers didn’t know about it before, they sure know now, putting everyone who hasn’t patched against that vulnerability at risk.
In a typical retail environment, Micros POS systems, for example, are not updated regularly; neither is the operating system they are running on. This means that not only is the Micros POS software open to known vulnerabilities, but so is the operating system.
Furthermore, while a VLAN environment would help isolate and protect a system such as Micros so that there’s no easy way to reach it, the Micros POS server is still typically running Windows 7, an older version of Windows. These Micros POS servers running Windows 7 do not commonly receive regular patching, let alone the Micros application itself. This means that a motivated attacker could use a known vulnerability against that system, potentially bypassing the perimeter defenses (the VLAN on the firewall).
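Before trusting the VLAN to carry that weight, the first thing a defender should establish is how stale the host behind it actually is. The script below is an added example, not code from this article or from the POS vendor: a read-only audit of a Windows POS host that reports the four conditions described above (unsupported Windows version, age of the last Windows patch, no registered antivirus, and the installed Java runtime). It assumes it is run from an elevated Windows PowerShell prompt on the host itself, and the 90-day patch-age threshold is an assumed policy value to adjust to your own.

```powershell
# Added example (not from the article): read-only audit of the patch and
# antivirus state of a Windows POS host. Get-WmiObject is used instead of
# Get-CimInstance so the script also runs on the Windows 7 / PowerShell 2.0
# machines the article describes. $MaxPatchAgeDays is an assumed policy value.

$MaxPatchAgeDays = 90
$findings = @()

# 1. Operating system. Windows 7 reports version 6.1 and left extended
#    support on 14 January 2020, so it no longer receives security fixes.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Version -like '6.1*') {
    $findings += "OS '$($os.Caption)' is Windows 7 and no longer receives security updates."
}

# 2. Patch age: date of the most recently installed Windows hotfix.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No installed hotfix recorded; the host may never have been patched."
} else {
    $age = (Get-Date) - [datetime]$lastPatch.InstalledOn
    if ($age.Days -gt $MaxPatchAgeDays) {
        $findings += "Last hotfix $($lastPatch.HotFixID) was installed $($age.Days) days ago (threshold $MaxPatchAgeDays)."
    }
}

# 3. Antivirus: products registered with Windows Security Center.
#    Only client editions of Windows expose this namespace, so a missing
#    namespace on a server edition is not by itself a finding.
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    $findings += "No antivirus product is registered with Security Center."
}

# 4. Java runtime version, read from the 64-bit and 32-bit registry hives.
$javaKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
foreach ($key in $javaKeys) {
    if (Test-Path $key) {
        $ver = (Get-ItemProperty -Path $key).CurrentVersion
        $findings += "Java runtime $ver found under $key; confirm with the vendor that it is current."
    }
}

# Report. Each finding maps to one of the gaps the article describes.
if ($findings.Count -eq 0) {
    Write-Output "No findings: OS supported, patched within $MaxPatchAgeDays days, AV registered."
} else {
    Write-Output "Findings for $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on each POS host and server in the VLAN and keep the output with the change record; a host that produces findings for all four checks is exactly the “not patched, for years, from any angle” case, and the VLAN is the only thing standing between it and the rest of the network.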
Back in January 2018, a research team with ERPScan discovered a Micros vulnerability which “…enables reading files from POS systems remotely without authentication and allows accessing the configuration file that stores sensitive information including passwords. The security issue allows full access to OS that will be subject to such risks as… fraud. Cybercriminals may exploit the system… for example, pilfer credit card numbers.”
Knowing what I know now about retail patching practices, I think it is safe to say that the majority of the Micros POS systems out there are still vulnerable to this attack.
The next time I go out to a restaurant or stay at a hotel, I’ll be sure to use my credit card and not my debit card.
If you’re interested in learning more, or perhaps in securing your own networks, contact us and let’s talk.
We have clients that run Micros POS systems, but our clients value security. I can say that confidently because they’re investing in security to protect themselves, and we certainly are not going to sit by and allow our clients’ systems to be this vulnerable.