Retailers, hotels and restaurants have all been victimized through the same Achilles' heel that cybercriminals continue to attack: the point-of-sale system, where customers' payment data is routinely processed.
These digital cash registers are often the target of malware designed to steal credit card numbers in the thousands or even millions. This year, fast food vendor Wendy's, clothing retailer Eddie Bauer and Kimpton Hotels have all reported data breaches stemming from such attacks.
Security experts, however, are encouraging a variety of approaches to keep businesses secure from point-of-sale-related intrusions. Here are a few to consider:
Point-of-sale malware can strike in a number of ways. Often, it can involve hackers spreading malicious code by breaching the remote access services designed to maintain the payment processing systems, said John Christly, CISO of Netsurion, a security provider.
These remote access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of point-of-sale machines. It also doesn't help that the malware can be tricky to detect, Christly added. Sometimes, it can sneak past antivirus programs, and then stealthily extract payment data, despite the presence of traditional firewalls.
"Then it can send out the stolen data slowly, making it look like normal traffic," Christly said. "A few months will go by, and who knows how many credit cards will have been breached."
Businesses that provide remote access to their point-of-sale system can consider installing two-factor authentication, to avoid relying only on password logins, Christly said. But to ensure better detection of all possible threats, he advocates that businesses go beyond basic antivirus and firewalls and use tools that can monitor for any unusual activity on the actual point-of-sale machines.
"You have to watch every computer to make sure nothing has changed," Christly said. "Whether that computer is active during the night and communicating data, or if the files are being changed."
These tools have been generally marketed to big brand retailers, but Netsurion said it's been offering them at a low cost to small and medium-size businesses.
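The two signals Christly names, a machine communicating at night and files being changed, can be checked against a simple baseline. The sketch below is an added example, not code from the article or from Netsurion's tools; the store hours, allowed destination, file hashes and events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Everything below is constructed for illustration.
OPEN_HOUR, CLOSE_HOUR = 8, 22            # assumed store hours
ALLOWED_DESTS = {"processor.example"}    # assumed payment processor host
BASELINE = {"pos.exe": "a3f1", "pos.cfg": "77b2"}  # assumed known-good hashes (shortened)

EVENTS = [  # constructed telemetry from two point-of-sale machines
    {"host": "pos-01", "kind": "net", "time": "2016-09-01T14:05:00", "dest": "processor.example"},
    {"host": "pos-02", "kind": "net", "time": "2016-09-01T03:10:00", "dest": "203.0.113.7"},
    {"host": "pos-02", "kind": "net", "time": "2016-09-02T03:12:00", "dest": "203.0.113.7"},
    {"host": "pos-02", "kind": "net", "time": "2016-09-03T03:09:00", "dest": "203.0.113.7"},
    {"host": "pos-02", "kind": "file", "time": "2016-08-31T02:55:00", "path": "pos.exe", "hash": "ffff"},
    {"host": "pos-01", "kind": "file", "time": "2016-09-01T09:00:00", "path": "pos.cfg", "hash": "77b2"},
]

def review(events):
    """Return a sorted list of (host, finding) pairs for events that break the baseline."""
    findings = set()
    days_seen = defaultdict(set)  # (host, dest) -> dates with traffic to an unlisted dest
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["kind"] == "file":
            # A hash that differs from the baseline (or a file with no baseline) is a change.
            if BASELINE.get(ev["path"]) != ev["hash"]:
                findings.add((ev["host"], f"file changed: {ev['path']}"))
        elif ev["kind"] == "net":
            if not OPEN_HOUR <= when.hour < CLOSE_HOUR:
                findings.add((ev["host"], f"after-hours traffic to {ev['dest']}"))
            if ev["dest"] not in ALLOWED_DESTS:
                days_seen[(ev["host"], ev["dest"])].add(when.date())
    # Transfers repeated over several days to an unlisted destination are the
    # slow pattern that can pass for normal traffic when each one is viewed alone.
    for (host, dest), days in days_seen.items():
        if len(days) >= 3:
            findings.add((host, f"recurring traffic to unlisted {dest} on {len(days)} days"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in review(EVENTS):
        print(host, "-", finding)
```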
Although hackers continue to develop ever-craftier point-of-sale malware, the most resilient malicious coding becomes useless if all it steals is encrypted data, said George Rice, a senior director of payments at Hewlett Packard Enterprise Security.
Typically, point-of-sale malware works by reading payment data the moment the card is swiped through the retail checkout machine. It does this by scraping the RAM of the point-of-sale terminal, where the payment data can be unencrypted.
"The malware techniques are evolving all the time," Rice said. Criminals also understand that retailers are continually updating their point-of-sale machines for pricing or inventory reasons. "So they (the hackers) are using a variety of vulnerabilities to insert the malware into the system," he added.