Slashdot Mirror


Attackers Use Email Spam To Infect Point-of-Sale Terminals

jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on them that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.
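The delivery vector in the story is a macro-carrying Word attachment, so the cheapest place to stop it is the mail gateway, before anything reaches a register. The following is an added example, not code from the article or from any vendor: it inspects attachment bytes rather than trusting the extension, because OOXML files keep their VBA in a part named vbaProject.bin regardless of what the file is called, and legacy OLE2 .doc files are flagged on a UTF-16LE stream-name heuristic. The attachments are constructed in memory; the helper names and the policy are assumptions for illustration.

```python
"""Screen mail attachments for VBA macros before they can reach a POS host.

Added example; not part of the Slashdot story or any vendor's product.
The attachments below are constructed in memory for the demonstration.
"""
import io
import os
import zipfile

# Header bytes of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsm (ZIP)

# Extensions Office treats as macro-enabled; block them on name alone.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def has_vba_macros(data: bytes) -> bool:
    """True if the bytes are an Office container that carries a VBA project.

    OOXML stores macros in a part named vbaProject.bin, so the ZIP directory is
    authoritative regardless of the file extension. For OLE2 files this uses a
    cheap heuristic (the UTF-16LE stream name _VBA_PROJECT in the raw bytes);
    a real OLE parser such as oletools' olevba is the production choice.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def screen_attachments(attachments):
    """Return names of attachments to block: macro-enabled extension or embedded VBA."""
    blocked = []
    for name, data in attachments:
        ext = os.path.splitext(name.lower())[1]
        if ext in MACRO_EXTENSIONS or has_vba_macros(data):
            blocked.append(name)
    return blocked


def build_ooxml(parts):
    """Constructed sample: a minimal OOXML-style ZIP containing the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in parts:
            zf.writestr(part, b"placeholder")
    return buf.getvalue()


# Constructed sample mailbox: one honest .docm, one .docm renamed to .docx,
# one macro-free .docx, a legacy .doc with a VBA stream name, and a PDF.
SAMPLE_ATTACHMENTS = [
    ("invoice.docm", build_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])),
    ("invoice_copy.docx", build_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])),
    ("menu.docx", build_ooxml(["[Content_Types].xml", "word/document.xml"])),
    ("old_order.doc", OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64),
    ("receipt.pdf", b"%PDF-1.4\n%constructed placeholder\n"),
]

if __name__ == "__main__":
    print(screen_attachments(SAMPLE_ATTACHMENTS))
    # → ['invoice.docm', 'invoice_copy.docx', 'old_order.doc']
```

The renamed copy is the case worth noticing: an extension filter alone would let invoice_copy.docx through, while the ZIP directory still shows the VBA part. In production the OLE2 branch should be replaced by a real parser, since the stream-name check here is a heuristic that can miss obfuscated containers.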

4 of 85 comments

  1. E-mail client? by Todd+Knarr · Score: 5, Insightful

    So, WTF is an e-mail client doing on a POS terminal in the first place? It doesn't need one, it shouldn't have one. Ditto a Web browser. You don't have to worry about vulnerabilities in software that isn't present on the machine in the first place. There are of course other things to be looked at, but those are a good starting point.

    1. Re:E-mail client? by sydbarrett74 · Score: 4, Insightful

      Quoted for truth.

      The POS terminal should be a single-purpose device, with nothing but the POS software suite running on it and that's it. If employees want to check email or play LatestGreatestGame, they can do it on their own fucking devices. Or maybe, just maybe, they can clean or do other work around the business. There's always some work that can be done at a retail establishment. 'If you have time to lean, you have time to clean.'

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
    2. Re:E-mail client? by PTBarnum · Score: 4, Insightful

      In a small business, the owner/manager may well be sitting at the POS terminal to help customers, but also doing other business tasks in between. It would be great if they had different computers for this, but there may not be space/budget for that.

      In a larger system, there might be general purpose computers sitting on the same network as the POS system without proper firewalls between them. So the malware hits a general purpose system first, then uses that platform to attack the POS.

    3. Re:E-mail client? by Todd+Knarr · Score: 4, Insightful

      For the first, tough. If they can't properly handle other people's financial information like credit-card numbers and PINs, they shouldn't be handling that information. Just like with a restaurant that claims they can't afford to maintain proper sanitary conditions to prepare food for customers.

      As for the second, in larger organizations there's never any reason to have a general-purpose computer on the POS network that can access or be accessed from the outside world. I know, I helped build and maintain a national network of POS systems that maintained that separation. If corporate IT and the software vendor can't make it work, I'll be happy to quote an hourly rate for the work.
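The separation argued for in this thread (POS network reaches only the payment processor; nothing on the general-purpose side can reach it) is easy to state and easy to lose in a rule set. Below is an added example, not code from any commenter or product: a first-match policy simulator with a list of invariants a POS segment must satisfy, run against a flat allow-everything policy and a segmented one. Zone names, ports and the rules themselves are assumptions constructed for the illustration.

```python
"""Check that a firewall policy actually isolates the POS segment.

Added example; zones, ports and rules are constructed for illustration.
Rules are evaluated first-match with an implicit default deny.
"""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str       # zone name or ANY
    dst: str       # zone name or ANY
    port: object   # TCP port number or ANY
    action: str    # "allow" or "deny"


def decide(rules, src, dst, port):
    """Return the action of the first rule matching (src, dst, port); deny if none."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (ANY, port):
            return r.action
    return "deny"


# What a POS segment must and must not be able to do, as
# (src, dst, port, expected action). Constructed for this example.
POS_INVARIANTS = [
    ("pos", "payment_gw", 443, "allow"),   # terminals must reach the processor
    ("pos", "internet", 80, "deny"),       # no general web access from registers
    ("pos", "internet", 443, "deny"),
    ("pos", "corp_lan", 445, "deny"),      # registers can't hop into the back office
    ("corp_lan", "pos", 3389, "deny"),     # back-office PCs can't RDP into registers
    ("corp_lan", "pos", 445, "deny"),      # ...or reach their file shares
    ("internet", "pos", 443, "deny"),      # nothing inbound from outside
    ("internet", "corp_lan", 25, "deny"),
]


def check_pos_invariants(rules):
    """Return (src, dst, port, expected, actual) for every invariant the policy violates."""
    violations = []
    for src, dst, port, expected in POS_INVARIANTS:
        actual = decide(rules, src, dst, port)
        if actual != expected:
            violations.append((src, dst, port, expected, actual))
    return violations


# Weak policy: one flat network, everything talks to everything.
FLAT_RULES = [Rule(ANY, ANY, ANY, "allow")]

# Segmented policy: POS reaches only the payment gateway on 443, a management
# host reaches POS over SSH, the office LAN keeps its internet, all else denied.
SEGMENTED_RULES = [
    Rule("pos", "payment_gw", 443, "allow"),
    Rule("mgmt", "pos", 22, "allow"),
    Rule("corp_lan", "internet", ANY, "allow"),
    Rule(ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        bad = check_pos_invariants(rules)
        print(f"{label}: {len(bad)} violation(s)")
        for v in bad:
            print("  ", v)
```

The flat policy fails seven of the eight checks; the segmented one passes all of them while still letting the management host in over SSH, which is the usual way such a segment is administered without putting a general-purpose machine on it. The same invariant list can be pointed at an exported rule base from a real firewall once a loader for its format is written.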