Malware targeting Point of Sale systems is on the rise: SSO Alert Priority High
19 December 2013
There has been an increase in reports of malware targeting Point of Sale (PoS) systems, including against small and medium businesses.
All business owners with PoS systems are advised to ensure their PoS computers are secure and all software is up to date, including antivirus products. Where possible, these computers should not be used for browsing the internet, and should only be connected to required services.
PoS malware aims to steal credit card data as it is being entered into the system as part of a sale, but the malware can also target the business itself by introducing falsified data or enabling access to other business critical systems on the same network.
Recent spikes in activity have been noted from the “Dexter” and “Project Hook” variants of malware which affect PoS systems.
Malware researchers have identified a variety of infections around the world, including in Australia, which feature a large number of affected PoS systems, largely due to insufficient protection.
PoS systems are often found to be poorly protected compared to other systems in some businesses, despite the fact that they can be just as critical to business operations and just as vulnerable to attacks.
Protecting Point of Sale systems
Early PoS systems often comprised purpose-built computers, meaning they were separate from other systems and more difficult to attack. Newer systems are often built on general-purpose computers and operating systems, making them easier to write malware for and attack. The same malware that can target other computers can also target PoS systems.
Fortunately, it also means that the same protection methods and processes can be used to protect your PoS systems.
The most important step is to ensure your computer software and antivirus system are up to date. Stay Smart Online recommends automating your updates so these can be applied as soon as they are released.
Because PoS systems handle high volumes of financial data, it is also advisable to limit the use of these computers to PoS tasks only.
Activities such as browsing the internet using business critical computers should be avoided as this exposes them to further opportunities for attack or encountering malware.
We also advise that the installation of non-business programs should be limited, and that users should not have administrator rights to the system. It is harder for malware to infect your computers if users do not have administrator privileges.
Lastly, you should also consider whether your PoS systems need to be connected to the internet at all. Some PoS systems do require network access to save information to a server or to send reports via the internet. If this kind of functionality is not needed, however, it may be preferable (and far more secure) to disconnect them from the internet. Network configurations will vary between businesses, so we suggest speaking to your technical expert about this option.
If you have highly customised PoS systems, we recommend speaking with your vendor to ensure that adequate security is in place.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.