Researcher: Retail Systems Riddled with Security Flaws
Retail point-of-sale (POS) systems pose a clear but often overlooked danger to consumer credit card data, a security researcher warned this week.
In a white paper released this week, Neal Krawetz, founder of Hacker Factor Solutions, described several relatively easily exploited vulnerabilities in POS technologies. "The vulnerabilities disclosed in this document denote a set of fundamental flaws in the point-of-sale process," Krawetz said. "Even if a solution were available today, it would take years to be fully deployed."
According to Krawetz, a more detailed version of the document was made available to law enforcement agencies, financial institutions, card providers, credit card clearinghouses, point-of-sale manufacturers, large retailers and related businesses a year ago. Though each of the recipients had an option to respond to the issues cited, only one did, he said. "The delay was set for one year. Since there has been no additional discussion and no additional requests for a delay," the paper has been published.
Krawetz did not respond to requests for comment, but his Web site described the company as a Fort Collins, Colo.-based provider of security consultancy services to mid-size and large companies.
Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., said that Krawetz's paper does a good job of summarizing issues that have been known about for years but not addressed by the credit card industry.
"He has brought out some points that people don't usually talk about," Litan said. "Basically, the paper calls attention to the need for standards at the payment level" for point-of-sale systems and for payment software. The Payment Card Industry (PCI) data security standard mandated by all major credit card companies requires businesses to take several measures for protecting cardholder data. But for the moment, at least, PCI standards are not available for POS devices or software, Litan noted.
"The big hole he is calling attention to is the lack of standards at the PCI level for POS terminals," she said.
According to Krawetz, POS terminals that read credit card information, perform card transactions and receive the confirmation code make attractive targets for hackers. That's because POS terminals often store a relatively high volume of easily accessible credit card data, he said. Some systems purge the data automatically when power is turned off or when transactions are tallied at the end of the day, but that doesn't always happen, Krawetz said in his paper.
Some POS devices, for instance, use static RAM chips to store credit card data, so cutting power to the device usually does not clear this memory. Instead, the memory may need to be cleared using specific commands or it may get filled with new data, effectively overwriting old records.
Getting at the data in such static RAM devices usually requires a hacker to gain physical access to the POS devices. But once they have access, getting to the data itself can sometimes be a trivial matter, Krawetz said. In his paper, Krawetz used a POS device from a well-known vendor as an example and described how to retrieve a complete list of current payers on the POS device, print a batch report of all transactions in memory and generate a duplicate receipt with credit card information using key combinations publicly available on the vendor's Web site.
Some POS devices store credit card data in removable flash drives, which also offer an attractive target for hackers, he said. But here again, a hacker would need physical access to locate and remove the flash drives.
User access to different terminal functions is usually protected by an authentication code, Krawetz said. But such codes are often set to easily available default values by the companies using the devices in their stores. Often, the same password is used across an entire store or even an entire region, thereby heightening the risk further, he said. Krawetz described how one vendor's POS devices used a master code for accessing hidden functionality and another keystroke combination to allow backdoor access to POS data in the event the master code was lost. He used the combinations to show how a master password could be reset on that particular vendor's POS system.
The actual data on many of these POS devices is also not encrypted, nor do the manufacturers provide any details on how to set, reset or change the password information for an encrypted file system. "In other words, the initial authentication can be bypassed, and after bypassing the authentication an attacker is given direct access to financial transaction information," he said.
Similar vulnerabilities exist at the branch server level, Krawetz wrote in his paper. Unlike POS terminals, branch servers collect information from multiple cash registers and may be located within stores, or at a regional or even national location. These servers can easily contain data from tens of thousands to millions of credit cards, he said. Typically, such data is retained by companies for up to 90 days for handling issues such as chargebacks and returns.
"As with the POS terminal operating systems, these devices usually run some version of Windows or Linux, and offer no protection beyond the initial (bypassable) authentication," Krawetz said. "The only true protection comes from restrictive physical access. For small merchants, the server may be located in a back room. Larger companies may have more restrictive access."
What makes branch server compromises especially risky is the sheer volume of financial data stored on the systems. In many cases, the network communication between POS systems and branch servers is not as robustly protected as the links between a retailer and banks. As a result, these networks are more susceptible to hacker attacks, he said. "The core risk is not that someone could possibly compromise a branch server; the risk is that the information is stored on the branch server in the first place. An attacker cannot steal information that does not exist."
Companies that want to mitigate their risk need to get detailed information from their POS vendors on a variety of issues, Krawetz recommended.
This includes asking the vendor whether payment card data is purged when power is removed from the POS system, finding out how much data can be retained in the device's permanent storage and how to manually purge the data. Similarly, companies need to find out whether the data on POS devices is encrypted, whether the permanent storage can be removed and whether the POS system forces users to change default settings. Also, companies should find out if the POS device allows backdoor access to the data and whether it has any logging functions for tracking activity.