In light of the recent Target security breach, it is critical that all business owners ensure their point-of-sale (POS) systems are properly protected from cybercriminals.
The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) said there are two ways cybercriminals have been targeting consumer data entered in POS systems, which consist of the hardware (i.e., the equipment used to swipe a credit or debit card, and the computer or mobile device attached to it) and the software that tells the hardware what to do with the information it captures.
One way criminals steal data is by attaching a physical device to the POS system to collect card data, which is referred to as skimming. The other way cybercriminals steal data is by delivering malware to acquire credit- and debit-card data as it passes through a POS system, eventually sending the desired personal information back to the criminal.
US-CERTofficials said once the cybercriminal receives the data, it is often trafficked to other suspects, who use the data to create fraudulent credit and debit cards.
In addition to the financial damage that is done when a POS system is infiltrated, it can have a devastating impact on a company's reputation. To protect themselves from such schemes, US-CERT advises businesses to follow several best practices to increase the security of their POS systems and prevent unauthorized access:
Use strong passwords: Installers of POS systems often use the default passwords for simplicity on initial setup. However, the default passwords can be easily obtained online by cybercriminals. It is highly recommended that business owners change passwords to their POS systems regularly, using unique account names and complex passwords.
Update POS software applications: Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.
Install a firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to or from a private network by blocking traffic from hackers, viruses, worms or other types of malware specifically designed to compromise a POS system.
Use anti-virus software: Anti-virus programs work to recognize software that fits its current definition of being malicious and attempts to restrict that malware's access to the systems. It is important to continually update anti-virus programs so they are effective on a POS network.
Restrict Internet access: Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats on the Internet. POS systems should only be utilized online to conduct POS-related activities and not for general Internet use.
- Prohibit remote access: Remote access allows a user to log in to a system as an authorized user without being physically present. Cybercriminals can exploit remote-access configurations on POS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.
Consumers who suspect their credit- or debit-card information has been compromised can take several cautionary steps to protect their money and prevent identity theft, US-CERT officials said. These steps include changing online passwords and PINs used at ATMs and POS systems; requesting a replacement debit or credit card; monitoring account activity closely; and placing a security freeze on all three national credit reports (Equifax, Experian and TransUnion). A freeze will block access to the consumers' credit file by lenders with which they do not already do business.