Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attackers Use Email Spam To Infect Point-of-Sale Terminals

Posted by samzenpus on from the protect-ya-neck dept.

jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on it that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.

19 of 85 comments (clear)

  1. E-mail client? by Todd+Knarr · · Score: 5, Insightful

    So, WTF is an e-mail client doing on a POS terminal in the first place? It doesn't need one, it shouldn't have one. Ditto a Web browser. You don't have to worry about vulnerabilities in software that isn't present on the machine in the first place. There are of course other things to be looked at, but those are a good starting point.

    1. Re:E-mail client? by sydbarrett74 · · Score: 4, Insightful

      Quoted for truth.

      The POS terminal should be a single-purpose device, with nothing but the POS software suite running on it and that's it. If employees want to check email or play LatestGreatestGame, they can do it on their own fucking devices. Or maybe, just maybe, they can clean or do other work around the business. There's always some work that can be done at a retail establishment. 'If you have time to lean, you have time to clean.'

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
    2. Re:E-mail client? by PTBarnum · · Score: 4, Insightful

      In a small business, the owner/manager may well be sitting at the POS terminal to help customers, but also doing other business tasks in between. It would be great if they had different computers for this, but there may not be space/budget for that.

      In a larger system, there might be general purpose computers sitting on the same network as the POS system without proper firewalls between them. So the malware hits a general purpose system first, then uses that platform to attack the POS.

    3. Re:E-mail client? by pspahn · · Score: 2

      Pretty much this. Also keep in mind that many businesses are still running old software that might need a terminal/emulator to run on modern hardware.

      --
      Someone flopped a steamer in the gene pool.
    4. Re:E-mail client? by adolf · · Score: 4, Interesting

      I used to look after the POS machines for small chain of retail establishments.

      The reason that an e-mail client was on the POS machines was because the boss was cheap, and having separate machines for internal business and external transactions seemed expensive to him, even when business halts because some bored lackey decided that they needed the latest "OMG PONIES!!" screensaver on the fucking cash register.

      The reason that web browsers were on the POS machines was because Verizon are a bunch of fucks who couldn't be bothered to write a local client, but were perfectly content to always have a dependency on (old) Java and (old) Internet Explorer under (old) Windows.

      The reason that the the POS machines ran as Administrator was because my counterparts who were also charged with looking after said machines couldn't be bothered to get anything to work with regular user accounts, and would actively sabotage my efforts to improve security.

      The reasons that I no longer concern myself with the retail operations of that company are detailed above.

      --
      Kid-proof tablet..
    5. Re:E-mail client? by Todd+Knarr · · Score: 4, Insightful

      For the first, tough. If they can't properly handle other people's financial information like credit-card numbers and PINs, they shouldn't be handling that information. Just like with a restaurant that claims they can't afford to maintain proper sanitary conditions to prepare food for customers.

      As for the second, in larger organizations there's never any reason to have a general-purpose computer on the POS network that can access or be accessed from the outside world. I know, I helped build and maintain a national network of POS systems that maintained that separation. If corporate IT and the software vendor can't make it work, I'll be happy to quote an hourly rate for the work.

    6. Re:E-mail client? by Whiteox · · Score: 4, Informative

      Email is there in Win XP and later. These POS terminals are full computers with a cash drawer underneath, merchant banking device and card swipe periperhals. They are networked to a local printer and mainly controlled by IT through remote desktop. They are typically in smaller shops with 2 or more terminals. They do stock control, daily cash calculations etc as they replace traditional Z type cash registers.
      Emails are sent by head office to all managers. Intranet and internet are available as well. So yes, they can be infected with spam emails.

      --
      Don't be apathetic. Procrastinate!
    7. Re:E-mail client? by swb · · Score: 2

      I see this at two clients with POS systems. They don't handle any cash or credit card transactions, everything is billed to internal accounts, but they still want to use some of the terminals for productivity software because the POS systems are underutilized as POS systems, they lack the space for additional productivity PCs and don't want to spend money on them anyway.

      I opposed it on principle in terms of providing advice, but as a matter of practicality since they're not handling real money or credit card information the risk is a lot less.

  2. Re:Is he on TARGET? by Guy+Harris · · Score: 2

    Or has he missed? If you know what I mean. Do you know mean? Know? Know what I mean?

    No, I don't.

  3. retail management by roman_mir · · Score: 3, Informative

    I supply various systems, including retail chain management built with security by design. It is hard to achieve proper security in stores and offices, the users are so far away from being computer savvy it hurts. We move them off windows in many cases to Linux solutions. In any case POS should not be connected to the Internet. We set up linux machines as router / firewall and as a store management server. It talks to everything on the inside, it provides connectivity for the bank terminals, the cameras and another administrative computer. POS gets its instructiin s through it and offloads sales data to it and then everything is synchronized with the central system by it.
    The amount of crazy that happens in stores is staggering, almost inconceivable. We have to prevent meltdown with minimal resources and as little pain as possible but it is not easy when a retailer has a few stores and maybe one admin. Remote administration is vital, proper backup solutions are vital, the whole thine can degrade in no time if none is watching.

    --
    You can't handle the truth.
  4. Re:Windows XP, not Linux by jandersen · · Score: 2

    Most POS systems that I have encountered run WinXP

    From the article:

    One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.

    It looks like you might be right.

  5. Re:Windows XP, not Linux by rudy_wayne · · Score: 2

    This raises a couple of obvious questions: Why does a cash register have an e-mail client installed and capable of receiving e-mail? Why does a cash register have Word installed?

    Once again, stupidity and incompetence trumps everything.

  6. Re:Windows XP, not Linux by ihtoit · · Score: 3, Interesting

    because word macros are still fundamentally tied to the way the kernel works with metafiles (ie the first thing it does with any binary object is try to execute it), and Windows xp comes wth an email client installed by default (Outlook Express) which for some unknown reason and unlike earlier versions of Windows (any from the 9x stable spring to mind) you can't deselect it from optional component install.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  7. Re:Windows XP, not Linux by Mr+D+from+63 · · Score: 2

    An email client may be installed by default, but it is not a threat unless it is set up with an account, and the account is used.

  8. Re:Employees think the POS is their personal compu by Antique+Geekmeister · · Score: 4, Informative

    > This is what happens when you have employees who think they have a god given right to surf the internet

    Or when you have an employer mandate to check employee email about store policies, schedules, delivery dates, and inventory, verifying store hours for other branches, verifying alternative vendor prices for price matching, checking the weather for a customer buying exterior paint, looking up a product review or product specifications with a customer, or any of a dozen other uses. It is _embarrassing_ for a modern vendor to be unable to work with a customer checking the same information that the customer can obtain at home on their home computer, or to be unable to print out the specifications for a product that the vendor sells.

    Such terminals have become quite common and are much more necessary now that customers expect one store to be able to verify inventory or reserve an item before proceeding to another physical store. If they cannot do this, they will lose the sale to an online vendor.

  9. Re:WTF by aaarrrgggh · · Score: 2

    A lot of different things can constitute a POS terminal today. For an iPad, you have Square, Shopify, and any number of other comparable packages. Pretty hard to eliminate an email client.

    At one end of the spectrum, many of these types of systems use cellular service for their internet connection; pretty hard to lock them down at the network level as well.

    The old model for these types of systems was to provide dedicated "appliances" to solve the problem. Costs were absurd, so merchants worked hard to find alternatives. It has taken about 18 years to get to this point. (Second linux project I was interested in was a POS system, back in 1997...) Not every shop has an IT guy on staff... and not all IT guys are experts at security, networking, or much more than rebooting the system when it has a problem.

  10. Re:A word macro?? by Viol8 · · Score: 2

    The sort of people who set up these compromised systems probably never knew them in the first place.

  11. The real WTF by Kinthelt · · Score: 2

    The real WTF in this scenario is why does the POS software have access to credit card numbers? A one-way transaction will have all credit card information go directly through the PINpad, without ever being exposed to the controlling PC.

    --

    "Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)

  12. Re:Windows XP, not Linux by Anonymous Coward · · Score: 2, Informative

    It used to be that a register only needed to do basic calculations, then credit card transactions. Now, they are a lot more complicated, especially with EMV, Apple Pay, SmartCard, CurrenC, Google Wallet, PayPal, NFC, and all the other pay standards out there. Since these standards rarely stay static, where in the past an embedded QNX appliance could do the job well, it requires pretty much a Windows PC that can be easily updated via a MSI files.

    Since a business requires Apple Pay or shut their doors, having to move to a POS machine that is "smart" is a part of life.