Attackers Use Email Spam To Infect Point-of-Sale Terminals

jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on it that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.

retail management

[roman_mir]

I supply various systems, including retail chain management built with security by design. It is hard to achieve proper security in stores and offices, the users are so far away from being computer savvy it hurts. We move them off windows in many cases to Linux solutions. In any case POS should not be connected to the Internet. We set up linux machines as router / firewall and as a store management server. It talks to everything on the inside, it provides connectivity for the bank terminals, the cameras and another administrative computer. POS gets its instructiin s through it and offloads sales data to it and then everything is synchronized with the central system by it.
The amount of crazy that happens in stores is staggering, almost inconceivable. We have to prevent meltdown with minimal resources and as little pain as possible but it is not easy when a retailer has a few stores and maybe one admin. Remote administration is vital, proper backup solutions are vital, the whole thine can degrade in no time if none is watching.

Re:E-mail client?

[Whiteox]

Email is there in Win XP and later. These POS terminals are full computers with a cash drawer underneath, merchant banking device and card swipe periperhals. They are networked to a local printer and mainly controlled by IT through remote desktop. They are typically in smaller shops with 2 or more terminals. They do stock control, daily cash calculations etc as they replace traditional Z type cash registers.
Emails are sent by head office to all managers. Intranet and internet are available as well. So yes, they can be infected with spam emails.

Re:Employees think the POS is their personal compu

[Antique+Geekmeister]

> This is what happens when you have employees who think they have a god given right to surf the internet

Or when you have an employer mandate to check employee email about store policies, schedules, delivery dates, and inventory, verifying store hours for other branches, verifying alternative vendor prices for price matching, checking the weather for a customer buying exterior paint, looking up a product review or product specifications with a customer, or any of a dozen other uses. It is _embarrassing_ for a modern vendor to be unable to work with a customer checking the same information that the customer can obtain at home on their home computer, or to be unable to print out the specifications for a product that the vendor sells.

Such terminals have become quite common and are much more necessary now that customers expect one store to be able to verify inventory or reserve an item before proceeding to another physical store. If they cannot do this, they will lose the sale to an online vendor.

Re:Windows XP, not Linux

It used to be that a register only needed to do basic calculations, then credit card transactions. Now, they are a lot more complicated, especially with EMV, Apple Pay, SmartCard, CurrenC, Google Wallet, PayPal, NFC, and all the other pay standards out there. Since these standards rarely stay static, where in the past an embedded QNX appliance could do the job well, it requires pretty much a Windows PC that can be easily updated via a MSI files.

Since a business requires Apple Pay or shut their doors, having to move to a POS machine that is "smart" is a part of life.