Slashdot Mirror


Attackers Use Email Spam To Infect Point-of-Sale Terminals

jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on them that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.

85 comments

  1. Predictable by Anonymous Coward · · Score: 0, Troll

    That's what happens when you embed Linux in your appliances...

    It seems to happen all the time.

    1. Re:Predictable by Anonymous Coward · · Score: 0

      You are a tool. And not just any tool. You are a fucking scumbag troll of a tool. You know damn-well that it's Windows on these Piece of Shit, er, I mean Point of Sale terminals. Did you see the part about a Word virus? How are these PoS terminals running Word do you think?

      Crawl back into your grimy little hole you dirty little troll and jerk yourself silly, mkay?

    2. Re:Predictable by GLMDesigns · · Score: 1

      I think you missed the invisible /sarc tag at the end of his post.

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
  2. E-mail client? by Todd+Knarr · · Score: 5, Insightful

    So, WTF is an e-mail client doing on a POS terminal in the first place? It doesn't need one, it shouldn't have one. Ditto a Web browser. You don't have to worry about vulnerabilities in software that isn't present on the machine in the first place. There are of course other things to be looked at, but those are a good starting point.

    1. Re:E-mail client? by sydbarrett74 · · Score: 4, Insightful

      Quoted for truth.

      The POS terminal should be a single-purpose device, with nothing but the POS software suite running on it and that's it. If employees want to check email or play LatestGreatestGame, they can do it on their own fucking devices. Or maybe, just maybe, they can clean or do other work around the business. There's always some work that can be done at a retail establishment. 'If you have time to lean, you have time to clean.'

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
    2. Re:E-mail client? by PTBarnum · · Score: 4, Insightful

      In a small business, the owner/manager may well be sitting at the POS terminal to help customers, but also doing other business tasks in between. It would be great if they had different computers for this, but there may not be space/budget for that.

      In a larger system, there might be general purpose computers sitting on the same network as the POS system without proper firewalls between them. So the malware hits a general purpose system first, then uses that platform to attack the POS.

    3. Re:E-mail client? by Anonymous Coward · · Score: 0

      Not that I've actually worked professionally on a POS terminal, but it's fairly common these days to see terminals that are pretty much a browser either in kiosk mode or wrappered in another app.

    4. Re:E-mail client? by pspahn · · Score: 2

      Pretty much this. Also keep in mind that many businesses are still running old software that might need a terminal/emulator to run on modern hardware.

      --
      Someone flopped a steamer in the gene pool.
    5. Re:E-mail client? by adolf · · Score: 4, Interesting

      I used to look after the POS machines for a small chain of retail establishments.

      The reason that an e-mail client was on the POS machines was because the boss was cheap, and having separate machines for internal business and external transactions seemed expensive to him, even when business halts because some bored lackey decided that they needed the latest "OMG PONIES!!" screensaver on the fucking cash register.

      The reason that web browsers were on the POS machines was because Verizon are a bunch of fucks who couldn't be bothered to write a local client, but were perfectly content to always have a dependency on (old) Java and (old) Internet Explorer under (old) Windows.

      The reason that the POS machines ran as Administrator was because my counterparts who were also charged with looking after said machines couldn't be bothered to get anything to work with regular user accounts, and would actively sabotage my efforts to improve security.

      The reasons that I no longer concern myself with the retail operations of that company are detailed above.

    6. Re:E-mail client? by Todd+Knarr · · Score: 4, Insightful

      For the first, tough. If they can't properly handle other people's financial information like credit-card numbers and PINs, they shouldn't be handling that information. Just like with a restaurant that claims they can't afford to maintain proper sanitary conditions to prepare food for customers.

      As for the second, in larger organizations there's never any reason to have a general-purpose computer on the POS network that can access or be accessed from the outside world. I know, I helped build and maintain a national network of POS systems that maintained that separation. If corporate IT and the software vendor can't make it work, I'll be happy to quote an hourly rate for the work.

    7. Re:E-mail client? by Whiteox · · Score: 4, Informative

      Email is there in Win XP and later. These POS terminals are full computers with a cash drawer underneath, merchant banking device and card swipe peripherals. They are networked to a local printer and mainly controlled by IT through remote desktop. They are typically in smaller shops with 2 or more terminals. They do stock control, daily cash calculations etc. as they replace traditional Z type cash registers.
      Emails are sent by head office to all managers. Intranet and internet are available as well. So yes, they can be infected with spam emails.

      --
      Don't be apathetic. Procrastinate!
    8. Re:E-mail client? by Anonymous Coward · · Score: 1

      There is an ancient American proverb, circa 1980, which says: 'All software grows until it can send email'.

    9. Re:E-mail client? by swb · · Score: 2

      I see this at two clients with POS systems. They don't handle any cash or credit card transactions, everything is billed to internal accounts, but they still want to use some of the terminals for productivity software because the POS systems are underutilized as POS systems, they lack the space for additional productivity PCs and don't want to spend money on them anyway.

      I opposed it on principle in terms of providing advice, but as a matter of practicality since they're not handling real money or credit card information the risk is a lot less.

    10. Re: E-mail client? by rickb928 · · Score: 1

      0. Square qualifies as a POS system. It requires a browser. I'm not claiming this is good or secure, just that it is.

      1. Small businesses multitask at everything.

      2. You seem to misunderstand the small business employee mindset, especially in retail. Seems like you would be a lot of fun to work for.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    11. Re:E-mail client? by silas_moeckel · · Score: 1

      Check out your average tiny business, often a receptionist who might take email/phone bookings and put them into a web based appointment app on the same machine that is running the cash box and CC reader. Their PCI compliance is check all the correct boxes regardless of reality.

      --
      No sir I don't like it.
    12. Re: E-mail client? by Anonymous Coward · · Score: 0

      > 0. Square qualifies as a POS system. It requires a browser. I'm not claiming this is good or secure, just that it is.

      > 1. Small businesses multitask at everything.

      > 2. You seem to misunderstand the small business employee mindset, especially in retail. Seems like you would be a lot of fun to work for.

      The small-business mindset when it comes to purchasing POS hardware is the same the world over. Uneducated at best.

      When the small business owner is being sold a POS solution, they're looking for the best price and what will meet their basic needs as a POS system. Security is assumed to be the vendor/manufacturer responsibility, which of course goes to shit when the POS system is running Windows XP Home OS.

      Now the question here is who do you blame for putting a full Windows OS on a POS terminal?

      Good luck chasing that down. I'm sure the finger pointing will be fun, especially when you get hacked.

    13. Re:E-mail client? by Anonymous Coward · · Score: 0

      So they may need email on these cash registers. But why word? Word is not only a security risk, it also cost extra. It is not included with windows. Surely, they aren't writing business letters on the cash registers. Simple stuff like replying to the manager that "we have now cleaned the mess in the fruit aisle as you said" can be done with simple email.

    14. Re:E-mail client? by doug141 · · Score: 1

      > For the first, tough. If they can't properly handle other people's financial information like credit-card numbers and PINs, they shouldn't be handling that information.

      Some merchants are not computer savvy, and have no idea they make their customers vulnerable by using their computer to check emails and browse the web with their out-dated and unpatched OS.

    15. Re: E-mail client? by Anonymous Coward · · Score: 1

      > Seems like you would be a lot of fun to work for.

      What possessed you to make you think that work has to be fun???

    16. Re: E-mail client? by umghhh · · Score: 1

      Cars have to have (among other things) working brakes, lights etc. If your car does not have those, then it usually is not allowed on the public road. I think software security, or rather IT-related criminality, has grown so much in importance as to mandate legal requirements on businesses to, for instance, isolate particular parts of their system from other parts of their system. Retail or not, if they have to know any details of your financial well-being, they must be able to be trusted to know such details. The only way to deal with general public ignorance on matters that count as important for the well-being of the general public is by laws and law enforcement.
      OC businesses will go cheap if they can - the dedicated device is not cheap, thus it will be replaced by a generic one where everybody can do whatever they want to. A customer cannot even be expected to know the status of security in a shop, or even to know the difference between different pieces of intelligent HW in the shop. One cannot expect the owner to know that either - they follow the bottom line and the law. If one (the bottom line) is not clearly and directly indicating to them not to do things, then the other has to.

    17. Re:E-mail client? by umghhh · · Score: 1

      These are not the '90s anymore - go fix it or get bust. This is too important an issue to be left for the ignorant to decide on the basis of their own cost/benefit calculation, especially as the client's well-being is not part of this calculation. Seems like a nice place for the legislature to ask some tech-savvy guys to specify what is absolutely needed for a regulation in an area. OC this is red tape and some such, but I guess complex societal structures require appropriate solutions, and isolation of certain parts of your systems is not even that complex - neither to do nor to understand. It is the cost of doing business.

    18. Re:E-mail client? by tlhIngan · · Score: 1

      > So, WTF is an e-mail client doing on a POS terminal in the first place? It doesn't need one, it shouldn't have one. Ditto a Web browser. You don't have to worry about vulnerabilities in software that isn't present on the machine in the first place. There are of course other things to be looked at, but those are a good starting point.

      In a small business of 1-4 people, the POS system is usually the only computer on the premises. POS systems are cheap and readily available and help businesses out, at least with stuff like inventory management. (This is especially tricky with stores where there's a breadth of products, but not much depth).

      And being the only computer, it's often used for online commerce - the store may have a simple Shopify style website that sells products, and thus have email and everything. Do it right and the two can often work together, so online sales draws down from the inventory database.

      And no, these companies are way too small to have a proper client-server POS solution, and often don't have the space for more than one computer, period.

      Though, usually they're also too small to have an integrated POS solution - a manual terminal to process card payments is usually the standard rather than even working with the POS system...

    19. Re:E-mail client? by Obfuscant · · Score: 1

      > Seems like a nice place for legislature to ask some tech savvy guys to specify what is absolutely needed for a regulation in an area.

      I see a regulation that spells out exactly what is required, a third or more of it is patented technology, and it can be bought from any good software vendor. Do you really want the government specifying what software is necessary? (I have some surplus Cover Oregon software for sale, cheap, BTW.)

      > It is cost of doing business.

      The cost of having an easy, convenient credit system is abuse. If you want to be able to call someone up and order stuff using just a few words over the phone, and have it sent where you are and not just where someone can steal it off your front step, then there will be people who can take advantage of that.

    20. Re: E-mail client? by OrangeTide · · Score: 1

      I think Microsoft should be held liable for Word and Excel. These have been a major security problem for almost two decades now.

      --
      “Common sense is not so common.” — Voltaire
    21. Re:E-mail client? by mlts · · Score: 1

      What needs to be implemented on a POS terminal, if it has to run Windows, is AppLocker and other policy restrictions. I'd say even add DeepFreeze, so that if the terminal gets in some screwy state, a power cycle gets it back to normal. Updates can be handled by various mechanisms, be it a WSUS server if there are a lot of terminals, a USB flash drive with an installer on it to get a machine to a known good patch level, or even a fresh image of the OS that gets copied over, which reads the terminal's config files stashed on a separate volume.

      AppLocker or something that blocks executables would have stopped this attack cold.
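      One way to put the AppLocker advice above into practice, as an added example that is not code from this thread or from any POS vendor. It assumes Windows 7 Enterprise or later (AppLocker is not in XP or Home editions), a hypothetical POS install path C:\POS, Office 2013 (policy key version 15.0), and a cashier who logs on with a standard, non-admin account:

```powershell
# Added example (not from the thread): make a Windows POS terminal refuse any
# executable or script dropped by a malicious Word macro, then stop Word from
# running macros at all. Run from an elevated prompt on the terminal.
# Assumptions: Windows 7 Enterprise or later, POS suite under C:\POS
# (hypothetical path), Office 2013 (15.0 policy key), non-admin cashier account.

$PosDir = 'C:\POS'                                   # hypothetical install path
$Policy = Join-Path $env:ProgramData 'pos-applocker.xml'

# 1. AppLocker only enforces while the Application Identity service is running.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Base policy: everyone may run what Windows and the POS installer put on
#    disk; administrators may run anything (so only the non-admin cashier is
#    confined). Nothing under %TEMP%, %APPDATA% or Downloads can run, and the
#    user-writable folders inside %WINDIR% are carved out as exceptions.
$sidEveryone = 'S-1-1-0'
$sidAdmins   = 'S-1-5-32-544'
$baseXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows" Description="" UserOrGroupSid="$sidEveryone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="$sidEveryone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Admins" Description="" UserOrGroupSid="$sidAdmins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows" Description="" UserOrGroupSid="$sidEveryone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="$sidEveryone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Admins" Description="" UserOrGroupSid="$sidAdmins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# 3. Hash rules for the POS suite itself, so a binary swapped in place is
#    refused even though its path still matches. Spliced into the base
#    collections of the same type (Exe, Script).
[xml]$base = $baseXml
$posFiles = Get-AppLockerFileInformation -Directory $PosDir -Recurse -FileType Exe, Script
[xml]$hash = New-AppLockerPolicy -FileInformation $posFiles -RuleType Hash `
                 -User Everyone -Optimize -RuleNamePrefix 'POS' -Xml
foreach ($coll in $hash.AppLockerPolicy.RuleCollection) {
    $target = $base.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $coll.Type }
    foreach ($rule in $coll.ChildNodes) {
        $null = $target.AppendChild($base.ImportNode($rule, $true))
    }
}
$base.Save($Policy)

# 4. Dry run before applying: a copy of a known-good exe dropped into the
#    temp folder (where a macro dropper would write) must not be allowed.
$probe = Join-Path $env:TEMP 'probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
$verdict = Test-AppLockerPolicy -XmlPolicy $Policy -Path $probe -User Everyone
Remove-Item $probe
if ("$($verdict.PolicyDecision)" -eq 'Allowed') {
    throw "policy would allow $probe; not applying"
}

# 5. Apply locally. On a domain, import the same XML into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $Policy

# 6. Word policy: VBAWarnings = 4 disables all macros without notification, so
#    the dropper never runs in the first place. This key is per user; run it in
#    the cashier's session or push it as a user-configuration GPO.
$word = 'HKCU:\Software\Policies\Microsoft\Office\15.0\Word\Security'
$null = New-Item -Path $word -Force
Set-ItemProperty -Path $word -Name VBAWarnings -Value 4 -Type DWord
```

      Blocked launches show up in the AppLocker operational event log (Event Viewer, Applications and Services Logs, Microsoft, Windows, AppLocker), which is worth forwarding from every terminal.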

    22. Re:E-mail client? by cant_get_a_good_nick · · Score: 1

      Remember that Target got nailed on the latter - POS systems accessed without any good firewall between networks.

    23. Re:E-mail client? by Toshito · · Score: 1

      Or you do like any other civilized country (you know, those who have free healthcare) and you do transactions with a chip card.

      Then you must have a pinpad attached to the cash register that communicates with the chip, validates the PIN, and encrypts the transaction before sending it to the cash register attached to it.

      The pinpad is owned and controlled by the acquiring company and/or the bank offering the acquiring services, the store can't do anything with it.

      That way the general purpose computer masquerading as a cash register can't even log the credit card number because everything is encrypted.

      --
      Try it! Library of Babel
    24. Re:E-mail client? by umghhh · · Score: 1

      The solutions are known more or less, at least to people that want to know. The problem is people that only look at the bottom line and at things required of business by law. Maybe it works some other way - I see the odds for it to work are just against it unless somebody makes the cost of such actions necessary. I may be mistaken tho.

    25. Re:E-mail client? by Anonymous Coward · · Score: 0

      You shouldn't be able to have "OMG PONIES!!" on the POS terminal. Libraries made some progress figuring this out.

      The POS terminal should have an OS on FlashROM, installed via a trusted means with some PKI and verification in place. The runtime of the OS should be completely stateless besides some caching and settings. Reboot should clean the box to factory state + settings and it should be rebooted daily (ideally hooked to the light switch). ...and all this should be regulated industry and a requirement for payment processing. Encrypting any CC# storage should be mandatory. I blame Square for making this almost too easy.

    26. Re:E-mail client? by penguinoid · · Score: 1

      Ironically, despite having less money after getting hacked, they might find that they really do have the budget for a little security.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    27. Re: E-mail client? by sydbarrett74 · · Score: 1

      > 2. You seem to misunderstand the small business employee mindset, especially in retail. Seems like you would be a lot of fun to work for.

      That's why it's called work and not 'happy fun time'.

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  3. Re:Is he on TARGET? by Guy+Harris · · Score: 2

    > Or has he missed? If you know what I mean. Do you know mean? Know? Know what I mean?

    No, I don't.

  4. Re:Is he on TARGET? by Guy+Harris · · Score: 1

    > Or has he missed? If you know what I mean. Do you know mean? Know? Know what I mean?

    No, I don't.

    (And, yes, that break-in was mentioned in TFA.)

  5. Why are those even connected to the open internet? by Anonymous Coward · · Score: 0

    That is truly beyond me. There ought to be competent CTOs out there. Why don't they connect those to some heavily fenced intranet/VPN? And why don't they generally disable unnecessary hardware physically (USB, DVD...)?

  6. emailz r gittin haxx0rz in ur PoS by Anonymous Coward · · Score: 0

    cuz bein a PoS r no bein PoS enuf

  7. Windows XP, not Linux by Anonymous Coward · · Score: 0

    > That's what happens when you embed Linux in your appliances

    Linux?

    Most POS systems that I have encountered run WinXP

    1. Re:Windows XP, not Linux by Anonymous Coward · · Score: 1

      I think GP might have been an attempt at sarcasm. Either that or really stupid.

    2. Re:Windows XP, not Linux by jandersen · · Score: 2

      > Most POS systems that I have encountered run WinXP

      From the article:

      > One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.

      It looks like you might be right.

    3. Re:Windows XP, not Linux by Anonymous Coward · · Score: 0

      So POS systems use POS security, is that it?

    4. Re:Windows XP, not Linux by rudy_wayne · · Score: 2

      This raises a couple of obvious questions: Why does a cash register have an e-mail client installed and capable of receiving e-mail? Why does a cash register have Word installed?

      Once again, stupidity and incompetence trumps everything.

    5. Re:Windows XP, not Linux by ihtoit · · Score: 3, Interesting

      because Word macros are still fundamentally tied to the way the kernel works with metafiles (i.e. the first thing it does with any binary object is try to execute it), and Windows XP comes with an email client installed by default (Outlook Express) which for some unknown reason, and unlike earlier versions of Windows (any from the 9x stable spring to mind), you can't deselect from the optional component install.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    6. Re:Windows XP, not Linux by Mr+D+from+63 · · Score: 2

      An email client may be installed by default, but it is not a threat unless it is set up with an account, and the account is used.

    7. Re:Windows XP, not Linux by ihtoit · · Score: 1

      that wasn't the question, but OK :)

      I've dealt with POS systems myself, as recently as 2007. From the ground up, and using hardware supplied by the client, I ended up with a custom NT4 build (needed for the barcode scanner, I wasn't about to drop a DOS based system on it), connected to a SuSE backend and airgapped from the Internet. The NT system ran on 16MB of RAM, and last time I looked (2013) it was still running on the same system build, same hardware and same backend. With eight simple rules the client has never had a problem with the system - he's had to replace one barcode scanner.

      1. There is one USB port, and that is on the backend machine.
      2. That port is for one data drive that is supplied with the system.
      3. When you plug that data drive in, the system copies the data you need itself. When the red light goes out, unplug the drive.
      4. When you're done with the data on the drive (i.e. when you've emailed it from another machine), format the drive*.
      5. Nothing else ever gets plugged into that USB port.
      6. No other data ever gets written onto that USB drive.
      7. There is no network port on the NT box. Don't ever install one.
      8. There is no network port on the backend system. Don't ever install one.

      *The backend box formatted the drive on insertion anyway prior to the data write, this just gave the client some sense of interaction.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    8. Re:Windows XP, not Linux by jbengt · · Score: 1

      Who says it was the cash register receiving e-mails? It may well have been the back-end server, which, for small businesses, could easily be a regular PC, maybe even dual purposed as the owner's workstation.

    9. Re:Windows XP, not Linux by Anonymous Coward · · Score: 0

      > This raises a couple of obvious questions: Why does a cash register have an e-mail client installed and capable of receiving e-mail? Why does a cash register have Word installed?

      > Once again, stupidity and incompetence trumps everything.

      Because the general view nowadays is that POS is not "Point of Sale" but "Point of Service." The desire is to be able to provide more than just a calculator. I can envision a system where forms are used to complete a sale. Maybe Word or Excel. Not the brightest way to go, but is it better to hire a programmer to write and maintain something that Word can easily do?

      That being said, this is just another example of social engineering by thieves. Nothing more. Although I have to hand it to them to take the effort to find the emails of sales associates.

    10. Re:Windows XP, not Linux by kilodelta · · Score: 1

      Indeed - back in the late '90s I worked for a company that sold POS software. It was installed on Windows NT4 and Windows 2000 machines.

      Nowadays I believe XP is the dominant system.

    11. Re:Windows XP, not Linux by Anonymous Coward · · Score: 0

      I used to sell Debian based POS systems. They weren't +10 secure by default, but they certainly didn't have email capabilities, nor a web browser. With a set of good iptables rules I think they were as close as one could get to secure via the internet. After ten years the access logs are still pristine.

    12. Re:Windows XP, not Linux by Anonymous Coward · · Score: 2, Informative

      It used to be that a register only needed to do basic calculations, then credit card transactions. Now, they are a lot more complicated, especially with EMV, Apple Pay, SmartCard, CurrentC, Google Wallet, PayPal, NFC, and all the other pay standards out there. Since these standards rarely stay static, where in the past an embedded QNX appliance could do the job well, it requires pretty much a Windows PC that can be easily updated via MSI files.

      Since a business requires Apple Pay or shut their doors, having to move to a POS machine that is "smart" is a part of life.

    13. Re:Windows XP, not Linux by mlts · · Score: 1

      I do see a lot of XPe (XP Embedded) point of sale installations around my neck of the woods.

      Cash registers have two odd quantities. On one hand, they need good security. On the other hand, they may need to keep up with the latest things. At the minimum, EMV credit cards, but things like various payment items from a cellphone can be needed as well.

      Maybe POS machines should be split up into two VMs:

      One part does the item totaling, inventory, calculations, purchase/returns, and other parts which stay pretty much static. Even EMV credit card processing can be added here.

      The second VM would be just for handling the latest and greatest e-pay stuff, be it ISIS, SoftCard, PayPal, Google Wallet, Apple Wallet, CurrentC, Bitcoin, AltCoin, Namecoin, DogeCoin, pyreals, gil, ounces of precious metals, platinum pieces, and so on. This VM pretty much gets the total transaction amount from the other VM, and does a purchase, audit, or return.

      Add a decent hypervisor coupled with a decent snapshot/backup mechanism, and this would provide adequate security and separation of functions.

      Done right, it can be done relatively seamlessly, and would limit what happens if one side gets compromised.

    14. Re:Windows XP, not Linux by Krojack · · Score: 1

      You mean kinda like banks' ATMs that blue screen?

    15. Re:Windows XP, not Linux by Anonymous Coward · · Score: 0

      It is unlikely the cash register received the email. The cash register (actually a POS) is probably hooked up to the network the email receiving computers are hooked up to. That way the cash register can send all sorts of sales data to a central computer at the end of the day and stuff like that. Once the malware is on a computer on the network it is programmed to spread itself to the POS systems also on the network. The POS systems themselves might even be set up for remote login.

    16. Re:Windows XP, not Linux by Anonymous Coward · · Score: 0

      I install, upgrade and maintain (fix) POS systems, networks and VOIP systems for several large retailers (so, posting as anon).

      For the big-box stores, software installations vary by retailer - some are Linux, some are Win XP (even some brand-spanking new self-checkout units we're installing) and others are Windows 7.

      Most of the systems are built sufficiently specific that you have to plug the correct device in to the correct USB (or other) port or it will not work, and some of the registers don't even have hard drives (most do, not entirely sure why). They do have some other things which I think they shouldn't have but I'm not going to comment on them here.

      Network practices over the last 2-ish years have been migrating to add at least a small amount of security: registers go on separate VLAN to Kiosks which go on a separate VLAN to VOIP which go on a separate VLAN to manager PCs, time clocks and what-have-you, and devices tend to need to be authenticated through 802.1x and switch/port configurations are sufficiently specific that you can't even go switching one register to another without having to reset the port.

      So someone opening a virus-laden document isn't likely to be infecting a point of sale device anyway, because the two machines can't even communicate. And, of course, all the devices are airgapped from the Internet - stores might have a T-1 or DSL or Satellite or 3G (sometimes all 4 depending on where they are) with a router-established VPN connection to HQ.

      Software updates happen according to the retailer and the system they use - the software is either custom written for the retailer and used in all stores nationwide or a customized version of something which may be the case if you have a chain that owns several "brands" of store - but the software is just like any other program you might use and the updates are applied in the same way you might update Windows or Chrome or whatever (pushed and applied on restart - not done by the operator of the terminal). Some places (the more "budget" chains, who are usually the same chains running Linux) don't get upgrades so frequently, or ever (I've seen 2.4 this year).

      But, the register itself doesn't matter when it comes to things like EMV credit cards - that's the payment terminal (usually provided and installed by a completely different company) - so long as the software understands the payment terminal, you're golden with any new form of payment. All of the actual processing is done by a pair of big honking servers in the back, so since you have several machines and operators interfacing with them with a physically separate machine doing all the other stuff already, there's no need for hypervisors or VMs or any of that.

      I'm not saying it's impossible to get in to these machines and infect them with something, but the problem as it is being described seems to relate more to the smaller guys that don't have the IT/security expertise they need to set up a good secure system... or some of the large companies that are being a bit lazy/slow about upgrades/fixing their stuff (I know who you are!)

  8. retail management by roman_mir · · Score: 3, Informative

    I supply various systems, including retail chain management built with security by design. It is hard to achieve proper security in stores and offices, the users are so far away from being computer savvy it hurts. We move them off Windows in many cases to Linux solutions. In any case POS should not be connected to the Internet. We set up Linux machines as router / firewall and as a store management server. It talks to everything on the inside, it provides connectivity for the bank terminals, the cameras and another administrative computer. POS gets its instructions through it and offloads sales data to it and then everything is synchronized with the central system by it.
    The amount of crazy that happens in stores is staggering, almost inconceivable. We have to prevent meltdown with minimal resources and as little pain as possible but it is not easy when a retailer has a few stores and maybe one admin. Remote administration is vital, proper backup solutions are vital, the whole thing can degrade in no time if no one is watching.

    1. Re:retail management by Whiteox · · Score: 1

      Ermmm... This guy should not be modded down. What he stated is default in most smaller shops. There are variations like the POS program talks to a CC swipe machine to send item totals and receives receipt information.
      What got me was that in one particular case, they fired the whole IT support who set up the initial VPN Intranet and the new IT moved everything to internet. Really dumb.

      --
      Don't be apathetic. Procrastinate!
    2. Re:retail management by Anonymous Coward · · Score: 0

      Roman wasn't actually modded down. His posts start with a score of -1 due to his extensive history of abusive posting and using Slashdot as a recruitment tool for his religious causes. The only moderations that have been applied to this comment thus far have been positive, as for a change he left his religion at the door and was not abusive in his posting.

  9. When your PoS runs PoS software, you're fucked by Anonymous Coward · · Score: 0

    and when doesn't it?

  10. Re:Why are those even connected to the open intern by jandersen · · Score: 1

    > There ought to be competent CTOs out there.

    Two questions for you:

    1: What have you been smoking?
    2: Can I have some?

    I think 'competent' and 'CTO' in the same sentence probably constitutes a contradiction in terms.

  11. (PoS) PCs have all the usual vulnerabilities? by nickweller · · Score: 1

    "general-purpose PC running point-of-sale (PoS) .. PCs have all the usual vulnerabilities"

    Only when running Microsoft Windows and connected to the Internet.

  12. Re:Why are those even connected to the open intern by Anonymous Coward · · Score: 0

    White-nose bat guano. What's it to you?

    Can you handle white-nose dude guano?

  13. Windows is a crime by Required+Snark · · Score: 1
    Windows in its default state is dangerous. It doesn't make any difference which version is involved.

    Using Windows where there is any sensitive information is the equivalent of promoting criminal activity. The only exception is if the system is tightly configured and continuously updated. In the real world a vanishingly small percentage of all Windows installations do the right thing.

    The only way this will ever change is if the organization (or person) responsible for the system is held accountable for any sensitive data leaks. Accountability must include fines, monetary indemnification and criminal liability. In plain English, that means if you screw up and lose someone's private info, you are on the hook for paying a fine and compensating the victim for all their losses, including the time they spend dealing with the mess. And if the breach is significant enough, you should be facing a criminal trial and serious jail time.

    If this was in place there would be very few data breaches, obviously. I also think that it would be better for the overall economy, because the cost of data loss would be accounted for. Right now the cost accrues to the victim and so the real economic damage is invisible. It's the same situation as a manufacturing company not paying for waste disposal because they can get away with dumping their trash on the neighbors' property.

    Of course this will never happen because Profit!

    --
    Why is Snark Required?
  14. But. I thought that this was solved by Pikoro · · Score: 1

    I thought that word macros and such were a solved problem. Is anyone still running Office 97? After that, macros were disabled by default.

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
  15. History is frustrating by John+Allsup · · Score: 1

    The case for the 'principle of least authority' has been made many times. People have even tried to design operating systems around it. But when the dominant PC operating system is simply designed to make its maker money and give them market dominance, stuff like this happens. PCs vulnerable to this sort of thing are the product of laziness and the business obsession with (and present-day necessity of) short time-to-market. Unfortunately modern business reality means people often cannot afford to make things properly anymore.

    --
    John_Chalisque
  16. A word macro?? by Viol8 · · Score: 1

    1995 called, they want their zero day exploits back.

    1. Re:A word macro?? by sabbede · · Score: 1
      In 1996-7 I was working at Electronics Boutique. Our POS machines were Win95 based, but so locked down that the only program they ran was the POS stuff. No Word, no browser, no nuthin.

      I wonder when it was that people forgot such basic security principles.

    2. Re:A word macro?? by Viol8 · · Score: 2

      The sort of people who set up these compromised systems probably never knew them in the first place.

  17. Employees think the POS is their personal computer by bjwest · · Score: 1

    This is what happens when you have employees who think they have a god given right to surf the internet and conduct personal business on company time and equipment.

    I'm sorry, you would not have that "right" in my shop. Especially these days with smart phones and tablets. You want to check your email or surf the web? Do it on your own god damned device, and it better damn well be after you've completed all your work, or on your break.

    Yes, employees have rights, but so do employers. They have the right to not have their equipment fucked up by ignorant employees who fall for the latest click-bait headline or flashy-shiny desktop icon thingymabob that compromises their entire business.

    --
    --- Keep the choice with the user..
  18. Does the infra-structure allow for this? by ruir · · Score: 1

    If the network infra-structure allows for POS to connect to the Internet at large, the managers are idiots without a clue and are asking for problems. Probably sooner than later.

    1. Re:Does the infra-structure allow for this? by Antique+Geekmeister · · Score: 1

      > If the network infra-structure allows for POS to connect to the Internet at large

      If it can't reach "the Internet at large", then it has to use modems and modem based access for credit card and debit card transactions. This is relatively slow, fragile, and expensive per transaction. Such devices are almost completely gone. Sadly, Windows XP is still commonly used on point-of-sale terminals. A typical vendor, like the one below, has _no_ Windows * based systems and supports only Windows XP and Windows 7.

                      http://www.barcodesinc.com/p/

    2. Re:Does the infra-structure allow for this? by Archangel+Michael · · Score: 1

      Improperly secured networks. Yes, you can use "internet connected" networks, but if you don't secure them properly... A simple PTP VPN tunnel connection would allow for transactions ONLY (via VPN). If you don't allow any inbound or outbound traffic other than what traverses the VPN, you can't have this kind of thing happen.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
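The VPN-only policy described in the comment above, written out as an nftables host ruleset for the POS PC. This is an added example, not anything from the thread or from a vendor: the interface names (eth0 on the WAN side, wg0 for a WireGuard point-to-point tunnel), the VPN gateway 203.0.113.10 on UDP 51820 and the payment processor's in-tunnel address 10.20.0.5 are all assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): default-deny host firewall for a POS PC.
# All addresses, ports and interface names below are assumed placeholders.
flush ruleset

define wan       = "eth0"          # physical uplink, assumed name
define vpn       = "wg0"           # point-to-point tunnel, assumed WireGuard
define vpn_gw    = 203.0.113.10    # remote VPN endpoint (documentation address)
define vpn_port  = 51820           # assumed tunnel port
define processor = 10.20.0.5       # payment host reachable only inside the tunnel

table inet pos_host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The only unsolicited traffic allowed in from the WAN is the tunnel itself.
        iif $wan ip saddr $vpn_gw udp sport $vpn_port accept
        # Nothing else, not even from inside the tunnel, opens sessions to the POS.
        log prefix "pos-ingress-drop " drop
    }

    chain forward {
        # A POS terminal never routes for anyone.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # On the WAN interface only encapsulated VPN packets may leave.
        oif $wan ip daddr $vpn_gw udp dport $vpn_port accept
        # Inside the tunnel only the payment service is reachable.
        oif $vpn ip daddr $processor tcp dport 443 accept
        # Everything else (mail, web, outside DNS) is dropped and logged, so a
        # document or macro that tries to fetch something has nowhere to go.
        log prefix "pos-egress-drop " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: any hit on "pos-egress-drop" from the POS is exactly the kind of unexpected outbound connection this thread is about.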
  19. ATM's too by Anonymous Coward · · Score: 0

    Remember when an ATM crashed at Carnegie Mellon school, and the students ran media player on it to play some music? Sadly the video seems to have gone.

    If only they'd known, they could have started a terminal or sent commands to the serial port and told the cash mechanism to dispense money.

    I'm sure people will try to defend this, but nobody wants this crap; it's just the manufacturers slapping software onto a PC and calling it a POS machine without revealing that it's just a PC and vulnerable to everything their home PC is.

  20. Re:Employees think the POS is their personal compu by Antique+Geekmeister · · Score: 4, Informative

    > This is what happens when you have employees who think they have a god given right to surf the internet

    Or when you have an employer mandate to check employee email about store policies, schedules, delivery dates, and inventory, verifying store hours for other branches, verifying alternative vendor prices for price matching, checking the weather for a customer buying exterior paint, looking up a product review or product specifications with a customer, or any of a dozen other uses. It is _embarrassing_ for a modern vendor to be unable to work with a customer checking the same information that the customer can obtain at home on their home computer, or to be unable to print out the specifications for a product that the vendor sells.

    Such terminals have become quite common and are much more necessary now that customers expect one store to be able to verify inventory or reserve an item before proceeding to another physical store. If they cannot do this, they will lose the sale to an online vendor.

  21. WTF by ArcadeMan · · Score: 1

    Why does a PoS computer have an email client installed?
    Why does a PoS computer have Microsoft Word installed?

    And why is the email client even running?

    A PoS computer should only be connected to an intranet and should only be running the PoS software. Everything else should be completely locked down. Someone messed up, big time.

    1. Re: WTF by Anonymous Coward · · Score: 0

      Agreed, but show us a packet of sales data to Visa and a reply being sent: what application would they use? What program do Visa, Microsoft, and the Federal Reserve use in common? And I'm picking on Visa as the easiest to remember of the bunch.

    2. Re:WTF by aaarrrgggh · · Score: 2

      A lot of different things can constitute a POS terminal today. For an iPad, you have Square, Shopify, and any number of other comparable packages. Pretty hard to eliminate an email client.

      At one end of the spectrum, many of these types of systems use cellular service for their internet connection; pretty hard to lock them down at the network level as well.

      The old model for these types of systems was to provide dedicated "appliances" to solve the problem. Costs were absurd, so merchants worked hard to find alternatives. It has taken about 18 years to get to this point. (Second linux project I was interested in was a POS system, back in 1997...) Not every shop has an IT guy on staff... and not all IT guys are experts at security, networking, or much more than rebooting the system when it has a problem.

    3. Re:WTF by mjwx · · Score: 1

      > Why does a PoS computer have an email client installed?
      > Why does a PoS computer have Microsoft Word installed?
      >
      > And why is the email client even running?
      >
      > A PoS computer should only be connected to an intranet and should only be running the PoS software. Everything else should be completely locked down. Someone messed up, big time.

      Are you going to pay for a custom built, fully audited single-use OS, or a general purpose OS repurposed for use as a POS terminal?

      All the store managers picked the latter as the stores that used the former went out of business because the average punter does not value security (or worse yet, thinks the banks will protect them).

      Having dealt with POS terminals, there's a good reason I never use my card at a store.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re: WTF by Anonymous Coward · · Score: 0

      > Agreed, but show us a packet of sales data to Visa and a reply being sent: what application would they use? What program do Visa, Microsoft, and the Federal Reserve use in common?

      I don't know, ICVerify? It talks to a known server that can be whitelisted in the firewall. Visa/MC sure as fuck aren't shuttling Word documents back and forth over email to approve credit card transactions.

  22. Re: Employees think the POS is their personal comp by Anonymous Coward · · Score: 0

    It's not the employee. Think of it this way. Timmie's market has to use an over-the-counter POS system to talk with Visa for approval of a sale. One carrot, how does it do it? Broadcast to the open internet? And wait for a reply? On what?
    They used to call a card approval company on a POS device. Still happens, but now, how do you implement this packet transaction, open broadcast? Easiest way, email. Easiest return? Again... And it's not just an MS thing, they all do it. They don't have direct lines anymore. Or secure lines, or why would that attack work?

  23. The real WTF by Kinthelt · · Score: 2

    The real WTF in this scenario is why does the POS software have access to credit card numbers? A one-way transaction will have all credit card information go directly through the PINpad, without ever being exposed to the controlling PC.

    --
    "Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)

    1. Re:The real WTF by Anonymous Coward · · Score: 0

      The new drivers never put the magstripe data in RAM.

    2. Re:The real WTF by mjwx · · Score: 1

      > The real WTF in this scenario is why does the POS software have access to credit card numbers? A one-way transaction will have all credit card information go directly through the PINpad, without ever being exposed to the controlling PC.

      Even then, you've still got weak links in the chain.

      Because banks charge per terminal, a lot of smaller chains/franchises use a generic terminal, some software sitting on a PC out back, so they can have multiple physical terminals presented to the customer but only one software terminal presented to the bank.

      PC EFTPOS is one of the more popular ones I've seen in Australia and it is not unusual to see it sitting on the same PC that staff use to check their personal mail and cat videos.

      Having installed and serviced POS terminals I've been convinced that cash is orders of magnitude safer despite the risks of losing it or getting mugged (TBH, if you're so clumsy that you'll lose cash, you'll lose your card just as easily).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  24. I've worked on tons of these for small business.... by Anonymous Coward · · Score: 0

    I live in a popular tourist destination and have worked on many of these. Almost all of them here are running on Windows Server 2000, 2003 or XP, most unpatched and running on a full-fledged OS, where employees log in their hours and have access (allowed or not) to Internet Explorer during down time. Many of these are even running on various OSes torrented from TPB. I have long been concerned about these systems as it would be trivial to compromise these machines.

    The only reason it's not a total disaster is that the systems (Digital Dining mostly, and some older POS systems for a more stock-oriented approach, like package stores etc.) generally use mapped drives with encryption to store the batches of card numbers; they are sent out over the wire nightly in an encrypted "batch" at midnight every night. Each batch typically contains thousands of card numbers and is indeed a tempting target for carders.

    Over the years I've seen regulations begin to help things, as companies seem to enforce some arbitrary upgrades like semi-modern OSes, but that seemed to fizzle out, idk, perhaps due to lack of enforcement.

  25. Re: Employees think the POS is their personal comp by Anonymous Coward · · Score: 0

    What a great idea, send confidential information over the internet in a non-encrypted by default protocol. Sadly I used to replace these sorts of systems ALL THE TIME. The really sad thing, the software almost always had the ability to sign requests with a key, but barely even a fraction of a percent of the systems I dealt with ever used them.

  26. duh by Anonymous Coward · · Score: 0

    You need a working e-mail address to log into Hearthstone. What else am I going to do at work if I'm forced to stand at a cash register all day?

  27. Re:Employees think the POS is their personal compu by cant_get_a_good_nick · · Score: 1

    On Another Site, someone asked (relatively recently) how to run a web browser on Windows 3.1... on an industrial computer controlling a bandsaw. At this point, Win 3.1 and any IE that could run on it would not be updateable. So let's allow our bandsaw controller to be pwn3d.

    People do stupid things.