Point of Sale (POS) systems are a critical part of the restaurant industry's infrastructure. They are used heavily every day, carrying the financial lifeblood of the establishments that run them. Given the important business function these systems perform, it is critical to have strong POS cybersecurity practices in place to keep them secure from cyberattack and to keep your customers' sensitive data safe. To maintain a strong security posture you must also understand the processes bad actors use to attack your POS system. We take a look at some common methods attackers use and provide our top ten tips on shoring up your POS cybersecurity so you can keep your sensitive data secure.
The Blueprint of a POS Cyberattack
You may wonder how easily POS systems can be attacked. Attackers consider POS systems soft targets. While there may be security measures in place at the endpoint (e.g. card readers) and at financial institutions, vulnerabilities often remain in the connection between POS workstations and organizational servers. A skilled attacker will use the line of communication between the two to reach the area of the network they are targeting. An attack on a POS system typically takes place in three phases: infiltration, lateral movement, and exfiltration. Let's take a deeper look at how these attacks occur:
Phase One: Infiltration
Often, a cyber attacker doesn't directly target the POS system. They will instead look to get into the organization's network and then leverage different tactics to gain access to the sensitive data hosted on the POS system. Techniques may include exploit kits delivered via browser attacks, stolen credentials, or compromised third-party applications. Most commonly, however, successful attacks are carried out via phishing campaigns containing a malicious attachment or a link to a website that installs a backdoor onto the target's device once an employee clicks it.
Phase Two: Lateral Movement
Once an attacker has gained access to the company network, they likely won't have immediate access to the POS system. To reach their goal, a cyberattack on your POS, they will use a variety of tools to map your network and locate the systems that contain sensitive data. Attackers will search for vulnerabilities in these systems or try to gain access by obtaining user credentials. Malware is then placed on the compromised POS system and remains there, quietly gathering as much of your customer data as possible. Since attackers are looking to maximize the amount of valuable data they can capture, the infection uses stealth and persistence tactics to remain on the system and avoid detection by basic security measures.
Phase Three: Exfiltration
Once a cyberattack on your POS system has succeeded, attackers will go to work collecting sensitive information. Data that has been scraped is then sent to a "friendly" server, one that your POS system communicates with regularly, to avoid detection. The data is stored there until the attacker is ready to transfer it to an external system where they can freely access customer data, including credit card numbers and other personal information your POS system collects. Not long after, that data will be available on the dark web…
Why POS Cyberattacks are Common
Unfortunately, in many instances, POS systems are vulnerable to attack because they are not properly maintained or set up with security in mind. This might be due to a lack of staff, or perhaps organizations don't know how commonly POS systems are targeted by cyberattacks; this often leads to platforms running on legacy or unpatched operating systems (OS) or relying on standard antivirus software that is minimally effective against bad actors. It's easy to fall into the false sense of security that the system is running and you can't "see" any issues, and that is exactly what many cybercriminals are hoping for.
In today's dynamic threat landscape of unknowns and zero-days, traditional antivirus alone is rarely considered enough POS cybersecurity. According to a Verizon Data Breach Report, 90% of cyberattacks on the hospitality and restaurant industries involve POS, which is why it's critical that organizations using POS systems take extra steps to ensure their systems are secure.
Here are our ten tips on improving cybersecurity for POS systems:
Perform Regular Tests
Run vulnerability scans and testing to identify weaknesses in your systems. If vulnerabilities are found, implement procedures and protections to address them; it's critical to close these back doors quickly.
Update and Patch Systems
Keeping your network, systems, and applications up to date ensures that you have proper protection from known threats and vulnerabilities. The longer you wait to patch or update, the more opportunity an attacker has to successfully exploit that vulnerability on your system. Prioritize vulnerabilities so you're maximizing your efforts to keep your networks secure.
Whitelist Applications
A simple, yet often missed, security step is whitelisting approved applications. By whitelisting applications on your POS, you ensure that only those required to run your system safely and effectively are active. Applications that are not essential to the functionality of your POS (e.g. web browsers and email clients) should not be whitelisted. This prevents attackers from exploiting these vulnerable applications, which could otherwise give them access to your system.
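As an added illustration, not code from the original post or from Proficio, here is a small Python evaluator that applies an application allowlist policy to process-launch events reported by registers. Everything in it is constructed for the example: the executable paths, the file contents standing in for real binaries, and the terminal names. A real deployment would use the operating system's own allowlisting mechanism and record the digests of the vendor-supplied binaries at install time; the point shown is that both the path and the file's digest must match, so a browser is denied outright and a tampered copy of the POS binary is denied too.

```python
"""Application allowlist check for a POS register (constructed example).

Only executables whose path is on the allowlist AND whose contents match the
recorded SHA-256 digest may run. Browsers, mail clients, unknown binaries,
and allowlisted paths whose contents have changed are all denied and logged.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the real binaries. A real policy would hash the
# vendor-supplied files at deployment time rather than embed bytes like this.
REGISTER_IMAGE = b"pos-register v4.2 (constructed stand-in for the POS binary)"
PRINTER_IMAGE = b"receipt-printer-service v1.0 (constructed stand-in)"

# The only programs the register needs, keyed by full path (hypothetical paths).
ALLOWLIST = {
    r"C:\POS\register.exe": sha256_hex(REGISTER_IMAGE),
    r"C:\POS\printer_svc.exe": sha256_hex(PRINTER_IMAGE),
}


@dataclass
class LaunchEvent:
    terminal: str   # which register reported the launch
    path: str       # full path of the executable
    image: bytes    # contents of the file that was about to run


def evaluate(event: LaunchEvent, allowlist: dict = ALLOWLIST) -> tuple:
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    expected = allowlist.get(event.path)
    if expected is None:
        return "deny", "not on the allowlist"
    if sha256_hex(event.image) != expected:
        return "deny", "digest mismatch (binary modified or replaced)"
    return "allow", "allowlisted and digest verified"


def audit(events, allowlist: dict = ALLOWLIST) -> list:
    """Evaluate a batch of launch events and return the denied ones for review."""
    denied = []
    for ev in events:
        verdict, reason = evaluate(ev, allowlist)
        print(f"[{verdict.upper():5}] {ev.terminal} {ev.path}: {reason}")
        if verdict == "deny":
            denied.append((ev.terminal, ev.path, reason))
    return denied


# Constructed launch events: two legitimate, one browser, one tampered binary.
SAMPLE_EVENTS = [
    LaunchEvent("POS-01", r"C:\POS\register.exe", REGISTER_IMAGE),
    LaunchEvent("POS-01", r"C:\POS\printer_svc.exe", PRINTER_IMAGE),
    LaunchEvent("POS-02", r"C:\Program Files\Browser\browser.exe", b"a web browser"),
    LaunchEvent("POS-03", r"C:\POS\register.exe", REGISTER_IMAGE + b" (modified)"),
]

if __name__ == "__main__":
    audit(SAMPLE_EVENTS)
```

Denied launches are returned as a list rather than only printed so they can be forwarded to whatever monitoring the organization uses; the digest check is what turns "whitelist by path" into a control an attacker cannot bypass by dropping a replacement file at an approved path.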
Enable Multi-Factor Authentication (MFA)
We all know it's best practice to use complex, phrase-based passwords. Adding another form of authentication to the login process helps prevent bad actors from gaining full access with illicitly obtained user credentials.
Require End-to-End Encryption
POS systems typically encrypt any data they store; however, the data is still vulnerable while in transit. Using a payment gateway that leverages end-to-end encryption ensures your customers' data is encrypted from the transaction to the gateway, closing that gap for any cyberattackers looking to grab your data in transit.
Use Tokenization
Tokenization lets you replace credit card data from the POS terminal with a token or reference number. That means that, in the event of a POS cyberattack, the only data the cybercriminals get is the token/reference numbers, and those have no value outside of your system.
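To make the tokenization idea concrete, here is an added Python example (not from the original post or Proficio's products) of a minimal token vault: the register keeps only a random token and a masked card number, and the full PAN exists solely inside the vault. The vault is an in-memory dictionary here purely for illustration; in practice it is an encrypted, access-controlled service outside the POS network segment. The card number used is a constructed test value, and the `tok_` prefix and the function names are the example's own.

```python
"""Tokenization of card data at the POS (constructed example).

The register stores only a random token plus a masked number; the full PAN
exists solely inside the token vault. A token copied off the POS carries no
information about the card and is worthless outside the vault.
"""
import re
import secrets


class TokenVault:
    """Maps tokens to PANs. Held in memory here for illustration; a real vault
    is an encrypted, access-controlled service outside the POS network segment."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13 to 19 digits")
        # 128 bits of randomness, unrelated to the PAN, so the token cannot be
        # reversed or guessed; a fresh token is issued for every transaction.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. for a refund)."""
        return self._store[token]


def mask_pan(pan: str) -> str:
    """Receipt-style masking: everything but the last four digits hidden."""
    pan = pan.replace(" ", "")
    return "*" * (len(pan) - 4) + pan[-4:]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS itself keeps for a sale: token and masked number, never the PAN."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
    }


def contains_pan(record: dict, pan: str) -> bool:
    """Check that a stored record does not leak the full card number."""
    pan = pan.replace(" ", "")
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    sale = record_sale(vault, "4111 1111 1111 1111", 1299)  # constructed test PAN
    print("stored on POS:", sale)
    print("leaks PAN?", contains_pan(sale, "4111 1111 1111 1111"))
    print("vault resolves token to:", mask_pan(vault.detokenize(sale["token"])))
```

Because the token is random rather than derived from the card number, two sales on the same card produce two unrelated tokens, and a database of stolen tokens tells the thief nothing; the only system that can resolve them is the vault, which is exactly the component that should carry the strongest access controls and PCI scope.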
Ensure System Visibility
It is critical to always maintain high-level visibility of your entire POS system, including all terminals and network applications. This allows you to identify threats or security policy violations early by tracking the activity and locations of perimeter devices and of running network/system applications.
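One concrete form this visibility can take is watching where the registers send data. The following is an added Python example, not from the original post or Proficio, that checks constructed flow records against a baseline of the only two destinations a register should talk to (a back-office server and the payment gateway, both with made-up addresses from documentation ranges). It raises an alert for any other destination and also for unusual outbound volume to a known host, which matters because, as the exfiltration phase above describes, staged data is often pushed to a server the POS already communicates with. The record format, threshold and terminal names are the example's own assumptions.

```python
"""Egress monitoring for POS terminals over constructed flow records.

Baseline: each register talks only to the payment gateway and the store's
back-office server. The analyzer flags (1) any other destination and
(2) unusual outbound volume even to a known host, since staged data is often
pushed to a server the POS already talks to.
"""
import re
from collections import defaultdict

# Constructed baseline; both addresses are illustrative only.
EXPECTED_DESTINATIONS = {
    "10.0.5.20:443",      # back-office server
    "203.0.113.10:443",   # payment gateway
}
# Outbound bytes per (terminal, destination) in one window before alerting.
# A real threshold comes from observed normal traffic for that register.
BYTES_OUT_THRESHOLD = 500_000

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>POS-\d+) -> (?P<dst>[\d.]+:\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flow(line: str):
    """Parse one flow record; return None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def analyze(lines, expected=EXPECTED_DESTINATIONS, threshold=BYTES_OUT_THRESHOLD) -> list:
    """Return (alert_type, detail) tuples for the flows in this window."""
    alerts = []
    totals = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            # Unparseable telemetry is itself worth a look: it is a gap in visibility.
            alerts.append(("unparsed", line.strip()))
            continue
        if flow["dst"] not in expected:
            alerts.append(("unexpected_destination",
                           f"{flow['src']} -> {flow['dst']} at {flow['ts']}"))
        totals[(flow["src"], flow["dst"])] += flow["bytes"]
    for (src, dst), total in totals.items():
        if total > threshold:
            alerts.append(("volume_anomaly", f"{src} sent {total} bytes to {dst}"))
    return alerts


# Constructed flow records for one window.
SAMPLE_FLOWS = [
    "2024-05-01T12:01:00Z POS-01 -> 203.0.113.10:443 bytes_out=2100",
    "2024-05-01T12:02:30Z POS-01 -> 203.0.113.10:443 bytes_out=1900",
    "2024-05-01T12:03:00Z POS-02 -> 10.0.5.20:443 bytes_out=450000",
    "2024-05-01T12:04:00Z POS-02 -> 10.0.5.20:443 bytes_out=300000",
    "2024-05-01T12:05:00Z POS-03 -> 198.51.100.7:8080 bytes_out=900",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_FLOWS):
        print(f"{kind}: {detail}")
```

In the sample window POS-03 trips the destination check, POS-02 trips the volume check despite talking only to the back-office server, and the malformed line is reported as a visibility gap rather than silently skipped.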
Reach and Maintain Top to Bottom PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) sets out requirements governing the safe handling of all credit card processing and information by merchants. Use these 12 requirements for PCI DSS compliance to guide your security practices:
- Install and maintain firewalls
- Change vendor-supplied default passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data
- Use and regularly update anti-virus software
- Update and patch systems
- Restrict access to cardholder data
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Implement log management
- Perform vulnerability scans and penetration tests
- Maintain documentation and perform risk assessments
Train Your Employees
In many cases, the initial infiltration by a bad actor happens through an action or inaction of a member of staff with access to your network. A large portion of these are not malicious acts by the employee (i.e. an insider threat) but stem from a lack of understanding of security best practices and possible shortcomings in training. Funding to bolster cybersecurity is a challenge for some organizations; however, that does not mean you are left with few defenses. Your first line of defense is your employees. Proper and ongoing training of your staff can help them identify suspicious activity such as a phishing campaign and stop an attack before it starts. Training should cover using secure passwords, how to identify social engineering attacks, and other security best practices specific to your organization and its handling of sensitive customer data.
Find a Partner and Robust Cybersecurity Solution
The cost and staff required to maintain a strong security posture are a challenge for many restaurants. Even when cost is not an issue, having enough security staff on hand to combat threats around the clock is not always possible. These issues can be mitigated by partnering with a security provider that can deliver customized solutions to meet your individual security needs. Look for providers that can manage your security systems, monitor for threats, and take immediate action should an event be identified. They should also be able to provide insights into best practices for your industry as well as recommendations for supplemental applications and systems.
Proficio as a Partner
Proficio offers a range of security services as a scalable and efficient way to address the gaps in your POS cybersecurity. We can help you meet or exceed the PCI standard requirements and provide a range of services, including Managed Firewall Service, Active Defense for automated response, and Managed Endpoint Detection and Response.
Contact Proficio to learn how we can help with your POS cybersecurity.