How to conduct a security assessment of POS systems

No technology is devoid of security flaws, and mobile POS (mPOS) systems are no exception. Trend Micro's report on 2017 security threats predicted that attackers will increasingly target POS solutions, including with ransomware. POS systems are also the primary gateway into merchant payment processes, which makes them a high-value target.

In response to rising threats, many hardware manufacturers now ship devices with security functions designed to reduce the risk to merchant operations. Device-level security alone, however, is not enough to prevent or contain an attack: the device sits on a merchant network, is operated by staff and talks to a payment processor, and each of those is attack surface too.

For POS resellers, many of which offer value-added services to merchants, this presents a unique opportunity. In addition to selling hardware that supports pay-at-the-table, mobile payments and other services today's consumers demand, resellers can conduct security assessments of merchant POS operations, analyzing the specific risks mPOS systems present to operations. How should resellers conduct security analyses? 

Identifying points of attack

Security researchers often advise enterprise CIOs to think like attackers. In practice this means penetration testing, colloquially "pen testing": using the same methods an attacker would to find exploitable vulnerabilities in a particular system.

The SANS Institute, a non-profit research organization focused on cybersecurity, outlined how to conduct a penetration test:

  1. Prepare and plan: The party leading the pen test (here, the POS reseller) assembles a team of experienced security professionals and defines a clear objective and scope. For an mPOS assessment, the goal should be to determine how the mPOS devices and the associated payment processes expose the merchant to risk. 
  2. Gather information: The pen testers research the mPOS devices they are targeting. Device documentation, firmware versions and the communication protocols the device supports (between card reader, POS app and processor) are all of use here.
  3. Detect vulnerabilities: The pen testers analyze the information gathered in the previous step to identify possible flaws. 
  4. Attempt penetration: The pen testers then try to exploit the identified vulnerabilities against the mPOS systems. Project leaders should record how long it took to compromise the devices and which methods worked. 
  5. Analyze results: The POS reseller produces a report for the merchant listing the vulnerabilities found, their severity, and how the merchant can eliminate or reduce them.

Pen tests are a generally reliable way of assessing the risk that mPOS and other systems pose to merchant operations. However, resellers should not focus only on the technology itself; they should also examine how staff and customers interact with the POS installation, since that interaction is often where an attack starts. 

Which tactics do hackers use? 

A pen test will reveal many tactics an attacker could use against mPOS devices, but the testers conducting the assessment may not cover everything. In addition, some hardware uses communication protocols that carry a particular set of weaknesses, while other devices do not use those protocols at all, so the risks differ from device to device. 

For example, Security Research Labs, a Berlin-based security research firm, showed how criminals can exploit two card-terminal communication protocols that are outdated but still in use. One is the ZVT protocol, widely used in Germany, which lets an attacker on the same local network read payment card details from the terminal and, combined with a second weakness, obtain PINs. 

Here is how the ZVT weakness works. The protocol protects PINs with a cryptographic signature (a MAC), and the signing key is held in a Hardware Security Module (HSM). The researchers found, however, that the HSMs in use were vulnerable to a timing attack: by measuring how long the HSM takes to reject a guessed signature, an attacker can obtain a valid signature without ever knowing the key.
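To make the timing weakness concrete, here is an added example in Python; it is not code from the original article or from Security Research Labs' work. It models the HSM's signature check: the HMAC-SHA256 MAC, the message format and the byte-by-byte comparison with early exit are assumptions for illustration, since the real HSM's internals are not described on this page. Instead of measuring wall-clock time, the leaky verifier reports how many bytes it compared before rejecting, which stands in for the timing an attacker would measure; the attack recovers a valid signature one byte at a time without the key, and the constant-time verifier gives the attacker nothing to measure.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed example: the secret MAC key that never leaves the "HSM".
HSM_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # HMAC-SHA256 output length


def hsm_sign(message: bytes) -> bytes:
    """Model of the HSM computing the MAC that protects a PIN block."""
    return hmac.new(HSM_KEY, message, hashlib.sha256).digest()


def leaky_verify(message: bytes, tag: bytes) -> Tuple[bool, int]:
    """Vulnerable verifier: compares byte by byte and stops at the first mismatch.

    Returns (accepted, bytes_compared). The second value stands in for the time
    an attacker would measure: a correct prefix makes the check take longer.
    """
    expected = hsm_sign(message)
    compared = 0
    for a, b in zip(expected, tag):
        compared += 1
        if a != b:
            return False, compared
    return len(expected) == len(tag), compared


def constant_time_verify(message: bytes, tag: bytes) -> bool:
    """Hardened verifier: hmac.compare_digest takes the same time for any input."""
    expected = hsm_sign(message)
    return hmac.compare_digest(expected, tag)


def forge_tag(message: bytes) -> bytes:
    """Recover a valid tag for `message` using only the leaky verifier as an oracle.

    For each byte position, try all 256 values; the one that makes the verifier
    compare one byte further (or accept the whole tag) is the correct byte.
    At most 256 * TAG_LEN probes are needed instead of 256 ** TAG_LEN guesses.
    """
    guess = bytearray(TAG_LEN)
    for pos in range(TAG_LEN):
        for candidate in range(256):
            guess[pos] = candidate
            accepted, compared = leaky_verify(message, bytes(guess))
            if accepted or compared > pos + 1:
                break  # this byte matched; move to the next position
    return bytes(guess)


if __name__ == "__main__":
    pin_block = b"constructed PIN block"
    forged = forge_tag(pin_block)
    print("forged tag valid:", constant_time_verify(pin_block, forged))
```

Against the constant-time verifier the attacker gets only accept or reject, so the same search would need on the order of 2^256 attempts. The real-world attack additionally has to average over network and processing jitter; the principle is unchanged.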

Security Research Labs also described a significant authentication issue in the Poseidon protocol, which is implemented on the payment processor side. The processor authenticates POS terminals with a secret key; in practice, however, many terminals share the same key. An attacker who extracts the key from one terminal can therefore change a terminal's identification number, impersonate another merchant's terminal and, according to the researchers, view that merchant's account, exposing the business's entire operation. 
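The following Python is an added example, not code from the original article or from Security Research Labs, that models the shared-key weakness next to the per-terminal-key design that removes it. The message layout (terminal ID plus payload, authenticated with HMAC-SHA256) and the key-derivation scheme are assumptions for illustration; the page says only that Poseidon authenticates terminals with a secret key that the terminals share.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed keys. MASTER_KEY lives only at the processor; SHARED_KEY is the
# single key every terminal carries in the weak design.
MASTER_KEY = secrets.token_bytes(32)
SHARED_KEY = secrets.token_bytes(32)


def message_mac(key: bytes, terminal_id: str, payload: bytes) -> bytes:
    """MAC over terminal ID and payload (assumed message format)."""
    return hmac.new(key, terminal_id.encode() + b"|" + payload, hashlib.sha256).digest()


def terminal_key(terminal_id: str) -> bytes:
    """Per-terminal key derived from the master key at provisioning time.

    Each terminal is injected with only its own key; it cannot compute another
    terminal's key because it never holds MASTER_KEY.
    """
    return hmac.new(MASTER_KEY, terminal_id.encode(), hashlib.sha256).digest()


def build_message(key: bytes, terminal_id: str, payload: bytes) -> Dict[str, object]:
    """What a terminal (or an attacker holding `key`) sends to the processor."""
    return {"terminal_id": terminal_id, "payload": payload,
            "mac": message_mac(key, terminal_id, payload)}


def processor_accepts_shared(msg: Dict[str, object]) -> bool:
    """Weak design: one key for all terminals. The MAC proves only that the
    sender holds the shared key, not that it is the terminal it claims to be."""
    expected = message_mac(SHARED_KEY, msg["terminal_id"], msg["payload"])
    return hmac.compare_digest(expected, msg["mac"])


def processor_accepts_per_terminal(msg: Dict[str, object]) -> bool:
    """Hardened design: the processor derives the key for the claimed terminal
    ID, so a MAC made with another terminal's key fails."""
    expected = message_mac(terminal_key(msg["terminal_id"]), msg["terminal_id"], msg["payload"])
    return hmac.compare_digest(expected, msg["mac"])


def impersonate(attacker_key: bytes, victim_id: str) -> Dict[str, object]:
    """Attacker has extracted the key from their own terminal and rewrites the
    terminal ID to the victim's (constructed payload)."""
    return build_message(attacker_key, victim_id, b"REFUND 500.00 to attacker card")


if __name__ == "__main__":
    victim, attacker = "T-1001", "T-2002"
    print("shared key, forged refund accepted:",
          processor_accepts_shared(impersonate(SHARED_KEY, victim)))
    print("per-terminal key, forged refund accepted:",
          processor_accepts_per_terminal(impersonate(terminal_key(attacker), victim)))
```

The fix is not a stronger MAC but key separation: once the processor can tie a key to one terminal, changing the terminal ID in a message breaks the MAC instead of redirecting it.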

The two protocols described above are just examples of exploitable weaknesses. The point is that pen testers need to keep an open mind when assessing the risks associated with in-store payments.

Must-have security features

First and foremost, every POS provider should strongly consider a semi-integrated payments solution. In this approach the POS application never handles cardholder data: the card reader or payment terminal encrypts it and sends it to the processor, and the POS app only receives the result. This simplifies installation and removes the Point of Sale application (not the merchant, who still has PCI DSS obligations) from the scope of PA-DSS (Payment Application Data Security Standard).

In addition to a semi-integrated payments approach, Point of Sale providers should offer a few key security functions that reduce the chance of an attacker successfully infiltrating merchant operations. The first is EMV compatibility: a chip card generates a unique cryptogram for every transaction, so data captured from one transaction cannot be replayed or used to produce a working clone of the card, as magnetic stripe data can. 

The second is point-to-point encryption (P2PE). The card data is encrypted inside the reader, before it reaches the POS device, and is decrypted only at the processor, so neither the POS software nor the merchant's network ever sees cleartext card data and intercepting the traffic between merchant and processor yields nothing usable. This only holds if the reader, not the POS app, performs the encryption. 

Finally, tokenization goes beyond encryption. After a transaction is authorized, the processor returns a "token", a surrogate value that stands in for the card number. The merchant stores only the token for refunds and repeat purchases; it cannot be turned back into the card number without the processor's vault, so a breach of the merchant's systems does not yield card data. Together, these techniques are a strong bulwark against attackers' efforts. 
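As an added example of the data flow these features produce together (not code from the original article or from any POS vendor), the following Python models a semi-integrated sale: the reader encrypts the track data under a P2PE key it shares only with the processor, the POS application forwards the opaque blob and receives a token, and the merchant keeps only the token. The key names, the blob layout, the token vault and the HMAC-SHA256 counter-mode cipher used as a standard-library stand-in for AES-GCM are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed key: injected into the reader and known to the processor.
# The POS application never holds it (assumption of the semi-integrated model).
P2PE_KEY = secrets.token_bytes(32)
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the P2PE key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 as a PRF (stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(track_data: bytes) -> bytes:
    """Inside the card reader: encrypt-then-MAC before the data leaves the reader."""
    enc_key, mac_key = _subkeys(P2PE_KEY)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(track_data, _keystream(enc_key, nonce, len(track_data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # opaque blob as seen by the POS app


def processor_decrypt(blob: bytes) -> bytes:
    """At the processor: verify the tag first, then decrypt. Raises on tampering."""
    enc_key, mac_key = _subkeys(P2PE_KEY)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("P2PE blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Processor-side token vault (token -> PAN). Only the processor can reverse a token.
TOKEN_VAULT: Dict[str, str] = {}


def processor_authorize(blob: bytes, amount_cents: int) -> Dict[str, str]:
    """Decrypt, (in reality) send PAN and amount to the issuer, return a token."""
    pan = processor_decrypt(blob).decode()
    token = "tok_" + secrets.token_hex(16)  # random, so it reveals nothing about the PAN
    TOKEN_VAULT[token] = pan
    return {"token": token, "last4": pan[-4:], "status": "approved"}


def pos_app_sale(blob: bytes, amount_cents: int, pos_log: List[str]) -> Dict[str, str]:
    """The semi-integrated POS application: forwards the blob, stores only the token."""
    pos_log.append(f"sale amount={amount_cents} blob={blob.hex()}")
    response = processor_authorize(blob, amount_cents)
    pos_log.append(f"approved token={response['token']} last4={response['last4']}")
    return response


def processor_refund(token: str, amount_cents: int) -> bool:
    """A later refund needs only the token; the merchant never re-handles the PAN."""
    return token in TOKEN_VAULT


def pan_leaked(pan: str, pos_log: List[str]) -> bool:
    """Check the merchant-side log (what a breach would expose) for the card number."""
    return any(pan in line for line in pos_log)


if __name__ == "__main__":
    log: List[str] = []
    pan = "4111111111111111"  # constructed test PAN
    resp = pos_app_sale(reader_encrypt(pan.encode()), 1299, log)
    print("token:", resp["token"], "PAN in POS log:", pan_leaked(pan, log))
```

The merchant-side artifact (the POS log) contains a ciphertext blob and a token but never the card number, which is what takes the POS application out of PA-DSS scope. A tampered blob is rejected before decryption, so an attacker on the merchant network cannot even probe the processor with modified card data.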
