Many business owners buy point of sale machines believing they are secure; this is often far from the truth. POS, or Point of Sale, hacking is the theft of data such as payment card details from these machines through remote attacks and malware. Such attacks happen in large numbers every year, and a single one can affect thousands of businesses at once. For example, in August 2016 a breach was disclosed at Oracle's MICROS point-of-sale division, whose systems are deployed at more than 330,000 sites worldwide.
While point of sale hacking is not as well known as some other types of exploit, it is on the rise: some data sources report a 27.3% increase in attacks between 2015 and 2016.
A point of sale hack typically means stolen card data and fraud or identity theft for your customers, and you may be held liable for the losses. It also damages your business's reputation, because in most jurisdictions you are legally obliged to notify customers when their data has been stolen.
If you operate point of sale machines, it is crucial that you understand your risks and that you know how to protect your business from a hack.
How Are Point of Sale Machines Hacked?
Point of sale machines are exposed to several types of attack. Because most run a version of Windows (often an embedded or POS-specific edition), they share many of the weaknesses of an ordinary Windows PC.
- Brute Force Attacks – Brute force POS hacks use software or scripts to "guess" a login password, typically against a remote access service such as Remote Desktop that has been left reachable from the internet, by trying large numbers of computer-generated candidates. These attacks can take days, but they succeed quickly against short, default or commonly used passwords.
- Malware – Attackers do not need to write malware from scratch: ready-made POS malware families are bought and traded, and can be adapted to steal data, alter transactions, or otherwise damage the machine.
- Network Attacks – If your POS system is connected to your back-office servers or the store network, it is exposed to the same network attacks as every other computer on that network, and an attacker who compromises one of those computers can move on to the POS.
- Memory Scraping Malware – Memory scraping malware, also called a RAM scraper or memory parser, reads the POS software's process memory, where card data sits briefly in clear text between the swipe and its encryption for the payment processor, picks out the card numbers and track data, and sends them to the attacker. It is especially damaging because it runs as a hidden process alongside the POS application on Windows or Linux machines and can go undetected for months.
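To make the memory scraping item concrete, here is an added example (not code from the original article) of the pattern such malware hunts for, which is also the pattern a forensic scan of a memory dump uses to confirm that card data was exposed: a Track 2 record as encoded on the magnetic stripe, with a Luhn check to throw away random digit runs. The sample buffer is constructed for the example and uses the well-known test card number 4111 1111 1111 1111; the `find_track2`, `luhn_ok` and `mask_pan` names are this example's own.

```python
import re

# Track 2 as encoded on a card's magnetic stripe: ";PAN=YYMM<service code><discretionary data>?"
# (PAN is 13-19 digits). A swipe sits in the POS process's memory in this form,
# which is why RAM scrapers and forensic memory scans both look for it.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[0-9A-Za-z]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation: real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the classic PCI DSS display mask."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list[dict]:
    """Return every Luhn-valid Track 2 record in buf, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # drops most false matches; scrapers filter the same way
        yy, mm = m.group(2).decode(), m.group(3).decode()
        hits.append({"offset": m.start(), "masked_pan": mask_pan(pan), "expiry": f"{mm}/{yy}"})
    return hits


# Constructed stand-in for a memory dump: noise, one valid record using the
# test PAN 4111 1111 1111 1111, and one look-alike that fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x12SaleTotal=19.99\x00\x00"
    b";4111111111111111=25121010000000000000?"
    b"\xff\xff"
    b";4111111111111112=25121010000000000000?"
    b"\x00pos.exe\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)
```

A scan like this over a real dump must never write the full card number to disk or to a ticket; the masked form is all an investigator needs to confirm exposure, which is why the example masks before it stores anything.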
Tips to Protect Yourself from POS Attacks
Improve Logins – Weak or default passwords and login credentials are the most exploited weakness on POS machines. In one study of brute-force login attempts recorded by honeypots posing as remote desktop servers, the five passwords attackers tried most often (several of which match known vendor defaults) were:
- X (11,865 attempts)
- Zz (10,591 attempts)
- St@rt123 (8,014 attempts)
- 1 (5,679 attempts)
- P@ssw0rd (5,630 attempts)
In short, most people need much stronger passwords. Use at least 12 characters, change every vendor default password and default account name (do not log in as Admin or Administrator), never reuse a password across machines, and keep passwords in a password manager; if they must be written down, keep them locked away, not on a note by the register.
Use an Antivirus – Your POS machine is a computer, and like any other it should run security software. Endpoint protection scans for and removes malicious files and applications and alerts you when malware is found. Because a POS runs a fixed set of programs, application allowlisting, which blocks any program not on an approved list, is an even better fit and stops unknown malware that signature-based antivirus misses.
Keep Software Up to Date – POS software, the operating system beneath it and the firmware of the card reader all receive regular security patches. If you don't apply them, you leave known, already-exploited holes open on your point of sale machine.
Restrict Internet Access – Have your IT staff restrict internet access from the point of sale device. If it can reach anything beyond the handful of addresses it needs to function (the payment processor, update servers), it can be used to browse and download malware, and malware already on it can send stolen data out. Allow only those destinations outbound, block everything inbound that is not required, and put the POS on its own network segment away from office PCs.
Secure Remote Access – Remote access is convenient for vendors and support staff, but it is also one of the most common ways POS malware gets in. Do not expose Remote Desktop or VNC directly to the internet; require multi-factor authentication, allow access only from specific devices or workstations (for example over a VPN), and review the logs for failed logins.
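Reviewing the logs for the brute-force pattern described above is the easy part of securing remote access, so here is an added example (not from the original article) of the detection logic: it reads Windows Security log entries exported one per line, counts failed logons (event ID 4625) per source address inside a sliding window, and raises a second, more serious alert when a successful logon (4624) follows a burst of failures from the same address. The one-line export format, the sample entries and the `detect_bruteforce` function are assumptions of this example; the two event IDs are Windows' own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries, exported one per line as
# "<UTC timestamp> <EventID> <source IP> <account>". The field order is an
# assumption of this example; 4625 is a failed logon and 4624 a successful one.
SAMPLE_LOG = """\
2016-08-01T02:00:01Z 4625 203.0.113.7 Administrator
2016-08-01T02:00:03Z 4625 203.0.113.7 Administrator
2016-08-01T02:00:05Z 4625 203.0.113.7 pos
2016-08-01T02:00:07Z 4625 203.0.113.7 pos
2016-08-01T02:00:09Z 4625 203.0.113.7 Administrator
2016-08-01T02:00:11Z 4625 203.0.113.7 Administrator
2016-08-01T02:00:13Z 4624 203.0.113.7 Administrator
2016-08-01T09:15:00Z 4625 198.51.100.9 cashier1
2016-08-01T09:15:20Z 4624 198.51.100.9 cashier1
"""

FAILED_LOGON, LOGON_OK = 4625, 4624


def parse(line: str):
    ts, eid, ip, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), ip, user


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (source ip, kind, failure count) tuples.

    'burst': the threshold-th failed logon from one address inside the window.
    'success_after_failures': a successful logon from an address that is still
    over the threshold, i.e. the guessing very likely worked.
    Lines must be in time order, as an exported log is.
    """
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, eid, ip, _user = parse(line)
        q = recent[ip]
        while q and ts - q[0] > window:   # forget failures that fell out of the window
            q.popleft()
        if eid == FAILED_LOGON:
            q.append(ts)
            if len(q) == threshold:       # alert once, as the burst crosses the line
                alerts.append((ip, "burst", len(q)))
        elif eid == LOGON_OK and len(q) >= threshold:
            alerts.append((ip, "success_after_failures", len(q)))
    return alerts


if __name__ == "__main__":
    for ip, kind, n in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {kind} ({n} failed logons)")
```

The single failure from the cashier's address is ignored, the six rapid failures from 203.0.113.7 trigger the burst alert at the fifth attempt, and the success that follows them is the event worth paging someone for. The same two rules translate directly into a SIEM correlation search; the thresholds here are starting points to tune against your own logs.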
Lock Your System – Make sure every device with POS software installed is locked down, password protected, and able to be wiped remotely. An end-of-day accountability procedure to confirm that all POS devices are present also helps prevent physical theft and tampering, such as a card skimmer fitted to a terminal.
Stay PCI Compliant – If you accept payment cards, you are subject to PCI DSS (Payment Card Industry Data Security Standard): smaller merchants complete an annual Self-Assessment Questionnaire, larger ones are assessed on site. Make sure your controls remain compliant at all times, not just at assessment time, and if you need an on-site assessment, use a PCI-qualified assessor (QSA).
Use Encryption – Encrypt the data stored on your point of sale machine so that it is protected if the device is stolen or breached. Disk encryption alone does not stop memory scrapers, which read card data while it is in use; for that, use point-to-point encryption (P2PE), where the card reader encrypts the card data before it reaches the POS software, so there is nothing in clear text for malware to scrape.
If you can't hire a dedicated security expert to manage your point of sale, it is important that you understand your risks so that you can direct the right share of your cybersecurity budget toward preventing hacks. A Threat Sketch risk analysis will help you understand your business risks, so that you can take the right steps to prevent them.
About the author: Brandy Cross is a freelance writer specializing in technology and marketing solutions for SMBs, with experience writing for everyone from startups to Fortune 500s.