Maybe it is time that companies quit using Microsoft as the OS on POS systems. Given that the majority of the POS systems use it, it is a haven for malware; write once and deploy on a wide scale. Use different OSes, and then it wouldn't be one malware to rule them all. The POS companies find using Windows easier and cheaper, as do the companies utilizing them. I wonder what Target, Home Depot, etc. think about that now? The other issue is the overall lax security of the POS systems. Fix both and it would be much harder to steal the card details.
Pesky POS poison won't Backoff
Infections from the Backoff point-of-sale malware are still rising in America, according to security bods from Damballa. The company reckons it spotted a 57 per cent rise in Backoff detections in August and September 2014, and a 27 per cent rise in September alone. In August, the malware had already hit 1,000 US businesses, …
COMMENTS
-
Monday 27th October 2014 01:53 GMT Mark 85
Good points, but let's face it, in this day and age it's all about the bottom line and risk management.
1) Do these bits of nastiness cause the company to lose money or spend money? Only if they get hit. Months later, customers forget and resume doing what they've always done.
2) Are they preventable? Mostly but it costs money. Risk management may say: don't spend the money until we get hit. If you spend the money in prevention, you may still get hit and have to spend more to remove it.
3) Can anyone, any more, be that stupid? Yes, when blinded by the bottom line... see 1) & 2).
They should be using a secure OS and not have their POS devices open to the 'Net. They should be patched, use secure passwords, etc., etc., etc. But they don't. And nor will they until some entity forces them into it where the fines are larger than the cost to fix the problem.
-
Monday 27th October 2014 06:15 GMT Anonymous Coward
@AC
"Given that the majority of the POS systems use it, it is a haven for malware; write once and deploy on a wide scale."
With a single OS you can also write the POS software once and deploy it wide scale. Does your company have multiple OS platforms just to deter malware? How much does that cost?
The problem here isn't the OS but poor security practices. Apparently the affected POS systems were connected directly to internet without firewalls, and the admin passwords were poorly selected. Brute force isn't restricted to MS operating systems you know.
Where I work (hence the AC) all the thousands of POS systems are in private networks with network access limited to company servers and a handful of mobile payment/CC processing IP addresses and the computers are locked down. Of course the HDD can be taken out and tampered with but the damage would still be restricted to a single POS terminal.
"Use different OSes and then it wouldn't be one malware to rule them all."
Well then, why do you propose 'it is time that companies quit using Microsoft as the OS on POS systems' if your aim is to diversify? Because the only other practical choice is Linux (due to uncommon hardware and manufacturer support) and there would again be a "one malware to rule them all."
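As an added example, not the commenter's own setup: the locked-down layout described above, POS terminals in a private network that may reach only company servers and a handful of payment-processor addresses, can be checked mechanically against firewall flow logs, and the same check catches the two failure modes named earlier in the thread, terminals exposed to the internet and terminals talking to something other than the allowed servers. Addresses, the allowlist and the log lines are all constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the processor and for the internet.

```python
import ipaddress
import re

# Constructed policy. The POS terminals live in their own subnet and may only
# talk to the company's servers and the payment processor's endpoints; nothing
# else, and never to each other. 203.0.113.0/24 (TEST-NET-3) stands in for the
# processor's real addresses.
POS_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EGRESS = {
    ("10.1.5.2", 53),       # internal DNS
    ("10.1.5.10", 443),     # company application servers
    ("10.1.5.11", 443),
    ("203.0.113.10", 443),  # payment processor
    ("203.0.113.11", 443),
}

# Simplified firewall-log record: "... src=A dst=B dport=N ..."
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def is_internal(ip) -> bool:
    """RFC 1918 membership, checked explicitly rather than via is_private,
    which also treats the documentation ranges used here as private."""
    return any(ip in net for net in INTERNAL_NETS)


def audit_flows(lines):
    """Return (verdict, src, dst, dport) for every flow that breaks the policy."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m[1])
        dst = ipaddress.ip_address(m[2])
        dport = int(m[3])
        if src in POS_NET and (str(dst), dport) not in ALLOWED_EGRESS:
            # Covers both exfiltration/C2 to the internet and terminal-to-terminal traffic
            findings.append(("egress-violation", str(src), str(dst), dport))
        elif dst in POS_NET and not is_internal(src):
            # A terminal reachable from the internet is what password brute-forcing needs
            findings.append(("inbound-from-internet", str(src), str(dst), dport))
    return findings


# Constructed flow records: two allowed flows, an HTTP connection to an unknown
# host, an RDP attempt from outside, a server-to-terminal flow, and a
# terminal-to-terminal SMB connection.
SAMPLE_FLOWS = [
    "2014-10-27T01:53:00Z src=10.20.3.17 dst=203.0.113.10 dport=443 proto=tcp",
    "2014-10-27T01:53:02Z src=10.20.3.17 dst=10.1.5.10 dport=443 proto=tcp",
    "2014-10-27T01:53:05Z src=10.20.3.18 dst=198.51.100.25 dport=80 proto=tcp",
    "2014-10-27T01:53:09Z src=198.51.100.7 dst=10.20.3.17 dport=3389 proto=tcp",
    "2014-10-27T01:53:12Z src=10.1.5.10 dst=10.20.3.17 dport=445 proto=tcp",
    "2014-10-27T01:53:15Z src=10.20.3.19 dst=10.20.3.20 dport=445 proto=tcp",
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

The allowlist is keyed on destination and port, not on "internal vs. external", so the terminal-to-terminal SMB flow is flagged the same way as the HTTP connection to an unknown host; that is what confines a compromise to one terminal as the commenter describes. In a real deployment the same allowlist would be the firewall's egress ruleset, and this audit would run over its denied-connection log to confirm the rules are actually in force.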
-
Monday 27th October 2014 13:17 GMT Tom 13
Re: Microsoft as the OS on POS systems.
It's not the OS per se, but the lack of configuration, slowness to update, and I'd say most importantly of all, the even crappier problems of the POS systems. A friend of mine does the POS support for a smallish regional chain of fast food joints. I imagine they've updated to Windows 7 by now, and they run the updates and AV software. I think he handles about 100 retail locations. From the descriptions of the system, in each store you have the primary Win PC which handles 3-5 POS systems. Each of the POS terminals requires a specific name. So at each store you have, for example, terminal1, terminal2, etc. So once you've breached the configuration for one store, you have all the rest of them. Combine that with store managers who can't remember their passwords, so you have to keep an account on their system to fix it; it's a bitch to remember 100 different passwords, one for each of the stores, and it's a recipe for disaster.
-
Monday 27th October 2014 22:01 GMT Anonymous Coward
Well, the good news is that all these POS data breaches are driving chip-and-PIN...
Looks like the card companies will actually roll out chip-and-PIN after the various insecure POS debacles. Supposedly, the card companies are going to replace magnetic stripe cards with the good (well, better) stuff starting next year, as the old cards expire or are lost.