Keeping the hackers out of your POS!
Michael McKinnon, AVG Security Advisor
AVG.COM.AU
AVG.CO.NZ
AVG.COM.AU AVG.CO.NZ
Quick Overview
What are we looking at today?
1. The Problem
2. Attack Vectors
3. Types of Attacks
4. Solutions
The Problem
Unlike shoplifters, cybercriminals set up camp and stay there, stealing from retailers for extended periods of time.
PC based POS systems
• They are cheap, efficient and can be used for multiple purposes
• However, the PC has become the POS security “battleground”
Data breaches are still too easy!
Source: Verizon Data Breach Investigations Report 2012
[Chart: Australian Retail Spend: Offline Retail 96%, Online Retail 4%]
Offline retail is the biggest cybercrime target
Source: NAB Online Retail Sales Index – July 2012
Infiltration of POS transaction data
There are lots of examples in the news…
Source: www.cio.com.au/article/436663/two_romanians_plead_guilty_point-of-sale_hacking/
Attack Vectors
There are 6 ways cybercriminals can gain entry into your retail business…
#1. Default passwords
The user manual says: “Step 1. Change the default password”
BUT it is far too common that these are not changed, or they’re changed to someone else’s “default” password (which is widely known)
Which password is the most secure?
1. E56#av+Yb!
2. Password123
3. aaaaaAAAAA#####43
4. 123456
5. lucasjames
Answer: aaaaaAAAAA#####43
But why?
• 17 characters in length
• Contains upper and lowercase letters
• Contains numbers
• Contains a symbol
• There are 37 thousand billion billion billion possible combinations!
Learn other tips for creating a secure password here.
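To make the slide’s reasoning concrete, here is an added Python example (not part of the presentation) that models the exhaustive-search space the slide is counting: the character pool grows with each character class present, and the space is pool to the power of the length. The 10-symbol set is an assumption chosen so that 17 characters drawn from all four classes give roughly 3.7 × 10^31, the figure quoted on the slide; the five candidate passwords are the ones from the quiz.

```python
import math
import string

# Assumed 10-symbol class: with lower + upper + digits this makes a 72-character
# pool, and 72^17 is about 3.7e31, the number the slide quotes.
SYMBOLS = "!@#$%^&*+-"
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(SYMBOLS),
}

# The five candidates from the slide's quiz.
CANDIDATES = ["E56#av+Yb!", "Password123", "aaaaaAAAAA#####43", "123456", "lucasjames"]


def pool_size(password):
    """Size of the alphabet an attacker must assume, given the classes present."""
    pool = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            pool += len(chars)
    return pool


def search_space(password):
    """Number of candidates an exhaustive search must cover: pool ** length."""
    return pool_size(password) ** len(password)


def entropy_bits(password):
    """The same quantity expressed as bits (log2 of the search space)."""
    return math.log2(search_space(password))


def rank_by_search_space(candidates=CANDIDATES):
    """Strongest first, under the exhaustive-search model above."""
    return sorted(candidates, key=search_space, reverse=True)


if __name__ == "__main__":
    for pw in rank_by_search_space():
        print(f"{pw:20} pool={pool_size(pw):3} len={len(pw):3} "
              f"space={search_space(pw):.2e} bits={entropy_bits(pw):.1f}")
```

Running it lists the slide’s answer first: length multiplies the exponent, so 17 characters from a 72-character pool outrank a shorter password even when the shorter one uses the same classes. The model counts only exhaustive search, which is exactly the slide’s argument; it does not score dictionary words or repeated runs, which a real strength checker would also penalise.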
#2. Remote desktop access
• Convenient and very common for providing remote support
• But often poorly implemented with weak passwords
#3. Insecure wireless networks
• Wireless networks are convenient in retail environments; however, when they’re poorly configured they represent a huge security risk
• Data packets can be “sniffed” by nearby attackers
#4. Phishing, spear phishing & whaling
• Phishing is the sending of specially crafted emails to trick users into divulging sensitive information. For example: “Click here to see the details of your order” -> (login page)
• Handling email in a retail setting can be very dangerous!
#5. Social engineering
• Social engineering means that gaining access to someone’s computer only needs to be as hard as gaining their trust!
• What do you give for a 10th wedding anniversary…? “I could have got her to click on anything I wanted!”
• It’s about customer service vs customer honesty
#6. Physical disclosure
• Modern retail layouts often remove the traditional counter, exposing equipment to theft or tampering
• Disclosure of the makes and models, or other identifying labels, can also compromise retailers
• Physical loss is the no. 1 risk for mobile device security
Types of Attack
Malware and hacking are the most common attack methods used by cybercriminals.
Common types of attack
Source: Verizon Data Breach Investigations Report 2012
Malware & Trojans
• Common varieties that cause general havoc include Fake Antivirus & ransomware
• Retail / POS specific – “RAM scrapers” (designed to exfiltrate transaction data)
• Remote control Trojan or Rootkit (designed to remain hidden for future access)
Hacking
• When combined with custom-written malware, hacking is highly targeted and designed to avoid detection and remain in place for a long time
• In 2011, Verizon reported that 81% of incidents utilised some form of hacking
Solutions
You may be surprised that security solutions are often simple and inexpensive.
The solutions are NOT expensive
Source: Verizon Data Breach Investigations Report 2012
Tips & suggestions
1. Use strong passwords and change the default ones
2. Secure remote access with strong authentication
3. All wireless networks should use “WPA” or “WPA2”
4. Avoid spam email – use an Anti-Spam solution
5. Increase staff awareness of social engineering tactics
6. Use endpoint protection on every device (antivirus and anti-malware) – AVG is a good choice!
Follow the money
• Cybercriminals tend to “follow the money”
• This means the types of attack are often predictable:
• Credit card data
• Private customer information
• Refund / returns policy
• Bank accounts
• Financial processes
Talk to your IT provider & stay in the loop!
• Ask them: “How are you keeping us secure?”
• Sign up to vendor notification / update lists
• Every six months, do a proper review of security
Thank you!
For even more information on retail security, visit:
avg.com.au/POS
avg.com.au
avg.co.nz
facebook.com/avgaunz
twitter.com/avgaunz