How penetration testing can prevent POS intrusions

Over the past few weeks, we’ve discussed the overlooked importance of penetration testing in staying cyber secure. Many successful attacks could have been mitigated – or prevented altogether – with effective testing, but too few organisations commit to regular tests.

Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

This blog focuses on point-of-sale (POS) intrusions, following our discussions of web application attacks and insider threats. Criminals attack POS terminals and controllers to gain access to payment card details, which they typically sell to other criminals who encode the stolen data onto another payment card.

POS systems used to be plagued by vulnerabilities, but there has been a significant improvement in payment card security in the past few years. Nonetheless, there are still numerous high-profile POS breaches each year.

Examples

  • Oracle was targeted by a malware attack in 2016 that compromised the company’s MICROS systems. MICROS’s payment systems are used at more than 330,000 tills across the globe, making it one of the top three POS system providers. Forbes later reported that the criminals behind the attack also targeted five other POS providers: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell.
  • More than 1,200 InterContinental hotels were affected by a POS breach in April 2017. The three-month malware attack searched for track data by reading the magnetic stripe of payment cards as they were being routed through the hacked hotel server. The compromised data included cardholders’ names, card numbers, expiration dates and internal verification codes.
  • In June 2017, Kmart’s POS systems were breached for the second time in three years. According to a statement from Kmart’s parent company, Sears Holdings, some of the company’s 624 stores were “infected with a form of malware code that was undetectable by current anti-virus systems and application controls”. The company didn’t say how many shops or customers were affected, only that “certain customer purchases” were compromised.
  • In August 2017, security researchers identified a vulnerability in SAP’s payment systems that allowed criminals to perform privileged functions without authentication. Anyone who gained access to the company’s POS Xpress server was able to access payment card details or change the price of products.

How can penetration testing help?

Every company that handles payment card details needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). Requirement 11 of the Standard describes the need to carry out regular tests designed to identify security issues and rogue wireless networks. By resolving these vulnerabilities promptly, organisations can mitigate the risk of a data breach.

The test must include the perimeter of the Cardholder Data Environment (CDE) and any systems which, if compromised, could impact the security of the CDE. In order for a system to be out of scope for a penetration test, it must be completely segregated from the CDE. Therefore, if the system were compromised, the integrity of the CDE would be unaffected.

Requirement 11.3.4 of the Standard states that you must make sure that the segmentation controls are effective. This should be done on at least annually (or six-monthly if you’re a service provider) and must be conducted by an individual who is completely separate from the implementation or management of the CDE.

IT Governance’s PCI Compliance Penetration Testing service checks that your organisation has correctly implemented the PCI DSS’s controls, and determines whether a malicious actor could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and cardholder data.

We offer fixed-price and bespoke CREST-accredited penetration tests, and all our tests are followed by reports that rank and rate vulnerabilities in your systems.

If you want to learn more about penetration testing and how we conduct our tests, you should attend our webinar Cyber security: protecting your business with cost-effective penetration testing. You’ll find out:

  • How penetration testing can help prevent the most common types of attack;
  • The differences between a penetration test and a vulnerability assessment;
  • Why penetration tests are vital to uncovering vulnerabilities before criminals do; and
  • How to conduct a penetration testing programme.

This webinar will take place on 9 November 2017, from 3:00 pm. If you can’t make it, the presentation will be available to download from our website.

Register now >>