Pesky POS poison won't Backoff

Infections from the Backoff point-of-sale malware are still rising in America, according to security bods from Damballa. The company reckons it spotted a 57 per cent rise in Backoff detections in August and September 2014, and a 27 per cent rise in September alone. In August, the malware had already hit 1,000 US businesses, …

  1. Anonymous Coward

    Maybe it is time that companies quit using Microsoft as the OS on POS systems. Given that the majority of the POS systems use it, it is a haven for malware; write once and deploy on a wide scale. Use different OS's and then it wouldn't be one malware to rule them all. The POS companies find using Windows easier and cheaper as do the companies utilizing them. I wonder what Target, Home Depot, etc. think about that now? The other issue is the overall lax security to the POS systems. Fix both and it would be much harder to steal the card details.

    1. Mark 85

      Good points, but let's face it, in this day and age it's all about the bottom line and risk management.

      1) Do these bits of nastiness cause the company to lose money or spend money? Only if they get hit. Months later, customers forget and resume doing what they've always done.

      2) Are they preventable? Mostly, but it costs money. Risk management may say: don't spend the money until we get hit. If you spend the money in prevention, you may still get hit and have to spend more to remove it.

      3) Can anyone, any more, be that stupid? Yes, when blinded by the bottom line... see 1) & 2).

      They should be using a secure OS and not have their POS devices open to the 'Net. They should be patched, use secure passwords, etc., etc., etc. But they don't. And nor will they until some entity forces them into it where the fines are larger than the cost to fix the problem.

    2. Anonymous Coward

      @AC

      "Given that the majority of the POS systems use it, it is a haven for malware; write once and deploy on a wide scale."

      With a single OS you can also write the POS software once and deploy it wide scale. Does your company have multiple OS platforms just to deter malware? How much does that cost?

      The problem here isn't the OS but poor security practices. Apparently the affected POS systems were connected directly to the internet without firewalls, and the admin passwords were poorly selected. Brute force isn't restricted to MS operating systems, you know.

      Where I work (hence the AC) all the thousands of POS systems are in private networks with network access limited to company servers and a handful of mobile payment/CC processing IP addresses and the computers are locked down. Of course the HDD can be taken out and tampered with but the damage would still be restricted to a single POS terminal.

      "Use different OS's and then it wouldn't be one malware to rule them all."

      Well then, why do you propose 'it is time that companies quit using Microsoft as the OS on POS systems' if your aim is to diversify? Because the only other practical choice is Linux (due to uncommon hardware and mfgr support) and there would again be a "one malware to rule them all."
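
The network restriction described in the comment above (POS terminals on private networks, reachable only to company servers and a few payment-processing addresses) can be audited from flow records. This is an added example, not part of the thread; the subnet, server range, processor addresses and sample flows are all constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical; none of these values come from the thread).
POS_NET = ipaddress.ip_network("10.20.0.0/16")        # private POS segment
ALLOWED_PEERS = [
    ipaddress.ip_network("10.1.0.0/24"),              # company servers
    ipaddress.ip_network("198.51.100.10/32"),         # payment processor (documentation range)
    ipaddress.ip_network("198.51.100.11/32"),
]

# Constructed sample flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.3.11", "10.1.0.5", 443),       # terminal -> company server
    ("10.20.3.11", "198.51.100.10", 443),  # terminal -> payment processor
    ("10.20.3.12", "203.0.113.77", 80),    # terminal -> unlisted internet host
    ("203.0.113.50", "10.20.7.2", 3389),   # internet host -> terminal
    ("10.20.3.12", "10.20.3.13", 445),     # terminal -> terminal
    ("10.1.0.5", "10.20.3.11", 8443),      # company server -> terminal
]


def is_allowed_peer(addr):
    """True if addr belongs to one of the allowlisted peer networks."""
    return any(addr in net for net in ALLOWED_PEERS)


def audit_flows(flows):
    """Return (kind, src, dst, port) for every flow that breaks the policy.

    kind is 'egress'  (terminal talks to an unlisted outside host),
            'lateral' (terminal talks to another terminal), or
            'inbound' (an unlisted host reaches a terminal).
    """
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in POS_NET and not is_allowed_peer(d):
            kind = "lateral" if d in POS_NET else "egress"
            findings.append((kind, src, dst, port))
        elif d in POS_NET and s not in POS_NET and not is_allowed_peer(s):
            findings.append(("inbound", src, dst, port))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```
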

    3. Tom 13

      Re: Microsoft as the OS on POS systems.

      It's not the OS per se, but the lack of configuration, slowness to update, and I'd say most importantly of all, the even crappier problems of the POS systems. A friend of mine does the POS support for a smallish regional chain of fast food joints. I imagine they've updated to Windows 7 by now and they run the updates and AV software. I think he handles about 100 retail locations. From the descriptions of the system, in each store you have the primary Win PC which handles 3-5 POS systems. Each of the POS terminals requires a specific name. So at each store you have, for example, terminal1, terminal2, etc. So once you've breached the configuration for 1 store, you have all the rest of them. Combine that with store managers who can't remember their passwords so you have to keep an account on their system to fix it, and it's a bitch to remember 100 different passwords for each of the stores, and it's a recipe for disaster.

  2. William Boyle

    Why you shouldn't use Windoze for critical systems

    When will people learn? There are secure operating systems that won't be easily corrupted or compromised, but big biz seems to be intent on taking the easy way out, and screw all of the rest of us!

  3. Joe User

    Pay cash

    Problem solved.

  4. Anonymous Coward

    Well, the good news is that all these POS data breaches are driving chip-and-PIN...

    Looks like the card companies will actually roll out chip-and-PIN after the various insecure POS debacles. Supposedly, the card companies are going to replace magnetic stripe cards with the good (well, better) stuff starting next year, as the old cards expire or are lost.
