How to fight credit and debit card fraud at POS terminals
Data breaches continue to rise, and as a result there has never been a more precarious time to start and sustain a successful business. To avoid repeating the mistakes that lead to data breaches, we also need to stay informed about the new techniques cybercriminals are using to compromise credit and debit cards.
According to the latest IBM Data Breach Report, the global average cost of a data breach is $3.26 million, up 6.4 percent from 2017. The cost rose significantly year-on-year between the 2020 and 2021 reports, from $3.86 million in 2020 to $4.24 million in 2021 (an increase of $380,000, or 9.8%). The average cost of each lost or stolen record containing sensitive and confidential information is US$161, up from US$146 per lost or stolen record in reporting year 2020, a figure that was itself down 1.5% from reporting year 2019.
Data breaches at the point of sale are a serious problem for businesses that can result in a loss of consumer confidence and a crippled system that could cost a fortune to fix. A magnetic stripe card is a type of card that can store data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on a card. Magnetic stripe cards are commonly used in credit cards, ID cards, and transportation tickets.
The point-of-sale or point-of-purchase terminal, on the other hand, is a hardware system used to process card payments at retail locations. Software for reading the magnetic stripes of credit and debit cards is embedded in the hardware. When a credit card is used to pay for something, a traditional POS terminal first reads the magnetic stripe to obtain the account data, checks that there are sufficient funds to transfer to the merchant, and then completes the transfer.
The sale transaction is recorded and a receipt is printed or emailed or texted to the buyer. Merchants can either buy or lease POS terminals depending on how they want to manage their cash flows. At the point of sale, the merchant calculates the amount owed by the customer, states that amount, then issues an invoice to the customer and gives the customer the option to make the payment. The point of sale is often referred to as the point of service as it is not only a point of sale but also a return point for customer orders. POS terminal software can also include features for additional functions such as inventory management, customer relationship management, finance or warehousing.
Recently, several reports of data breaches have surfaced, affecting millions of consumers. Many of these breaches target a company’s point of sale. The main goal of a point-of-sale breach is to steal 16-digit credit card numbers. Credit cards handle 60 percent of POS transactions, making them big business for cybercriminals, and individual credit card records can be sold on the dark web for as much as $100 apiece. The industries most affected by POS data breaches are typically restaurants, retail stores, grocery stores, and hotels.
As cash transactions become less and less common, the adoption of POS services is becoming very widespread. One of the most compelling reasons is that a POS system eliminates the need for price tags. Sales prices are usually linked to the item’s product code when the inventory is added, so the cashier has only a few tasks to do: scan the code and process the sale of the product. If there is a price change, this can also be done conveniently via the inventory window. Other benefits include the ability to implement different types of discounts, loyalty programs for customers and more efficient inventory control; these features are typical of almost all modern ePOS systems.
As the benefits of electronic POS transactions continue to drive adoption, cybercriminals have also developed ways to infiltrate them. According to a report published by BleepingComputer in December 2021, the credit card information of 1.8 million people was stolen from sports equipment sites.
Exploiting a POS system is similar to breaking into any other vulnerable computer. Cybercriminals gain access to the system and install monitoring malware such as BlackPOS. BlackPOS is spyware designed to steal credit and debit card information from the POS system. It invades the PC using stealth techniques and steals information to send to an external server.
Small and medium-sized businesses are easy targets for cybercriminals because they are more accessible and generally have less stringent security measures and policies than a larger company. The POS systems these companies use are basically computers, often running Windows, and are vulnerable to the same threats as any regular Windows-based computer. Card data is initially stored unencrypted on the machine for processing. If malware gets onto the machine, it goes after the payment information stored in unencrypted form, collects the data and then sends it to a remote server.
With so many threats to POS systems, and with the amount of new malware being created, protecting customer data becomes a challenge. Retailers and business owners must therefore take special precautions when accepting credit and debit cards in the checkout system.
Attackers can gain access to the devices and manipulate them in two ways. Either they gain physical access to the POS terminal, or they gain access remotely over the internet and then use arbitrary code execution, buffer overflows and other common techniques that give them escalated privileges, control of the device, and the ability to see and steal the data passing through it.
Remote access is possible when an attacker gains access to the network via phishing or other attack and then moves freely on the network to the POS terminal. Ultimately, the POS machine is a computer, and if it is connected to the network and the internet, attackers can try to gain access to it and manipulate it like any other insecure machine.
To protect against attacks that exploit POS vulnerabilities, retailers using the devices are advised to ensure they are patched and up to date, and to avoid using default passwords.
It is also recommended that POS devices be on a different network from other devices whenever possible so that if an attacker gains access to the network through a Windows system, they cannot easily switch to the POS devices.
POS systems typically run on a modified version of Windows, which means the computer can be vulnerable to the same attacks as other Windows devices. And while most Windows systems on a network should receive regular security patches to ensure they don’t fall victim to attacks, the POS terminal can all too easily be forgotten.
A report by the Information Commissioner’s Office pointed to “systematic flaws” in the way the retailer protected personal data and managed the security of its networks, including failure to patch systems against known vulnerabilities. (Verizon’s 2015 Data Breach Investigations Report shows that POS-related incidents accounted for 28.5 percent of all breaches in 2014.) The common mistakes small business owners make when protecting their customers’ data, such as storing it in the same place as the encryption keys, make it very easy for hackers to get everything they need in a single strike. A simple solution is to keep the encryption keys separate from the user data.
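To make the separation concrete, here is an added example (not code from the article or from any POS vendor) of a data store that holds only ciphertext plus a key identifier, while the key lives in a separate component. The `KeyService` class, the record layout and the test card number are assumptions made for this demonstration; because the Python standard library has no AES, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for AES-GCM. The `colocated_record` function reproduces the mistake the paragraph describes, so the two outcomes can be compared side by side.

```python
"""Card data encrypted with keys held outside the data store.

Added example, not from the article. Standard library only: since Python's
stdlib has no AES, the cipher is an HMAC-SHA256 counter-mode keystream with
an encrypt-then-MAC tag, used here as a stand-in for AES-GCM.
"""
import hashlib
import hmac
import json
import secrets


class KeyService:
    """Hypothetical key holder that runs as a separate component (an HSM or
    KMS in production). The data store only ever sees a key id."""

    def __init__(self, keys=None):
        self._keys = keys or {"k1": secrets.token_bytes(32)}
        self.active = next(iter(self._keys))

    def derive(self, key_id: str, purpose: bytes) -> bytes:
        # Separate encryption and MAC subkeys from one master key.
        return hmac.new(self._keys[key_id], purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def encrypt_pan(ks: KeyService, pan: str) -> dict:
    """The record the data store keeps: key id, nonce, ciphertext, tag and the
    last four digits for receipts. No key material is stored with it."""
    key_id, nonce = ks.active, secrets.token_bytes(16)
    ct = _xor(pan.encode(), ks.derive(key_id, b"enc"), nonce)
    tag = hmac.new(ks.derive(key_id, b"mac"), key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"key_id": key_id, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(), "last4": pan[-4:]}


def decrypt_pan(ks: KeyService, rec: dict) -> str:
    """Verify the tag first; reject modified records and wrong keys."""
    key_id, nonce, ct = rec["key_id"], bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
    expected = hmac.new(ks.derive(key_id, b"mac"), key_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
        raise ValueError("record tampered with or wrong key")
    return _xor(ct, ks.derive(key_id, b"enc"), nonce).decode()


def colocated_record(ks: KeyService, pan: str) -> dict:
    """The mistake the article describes: the key saved beside the data."""
    rec = encrypt_pan(ks, pan)
    rec["key"] = ks._keys[rec["key_id"]].hex()
    return rec


def recover_from_dump(rec: dict):
    """What someone who copied only the data store learns from one record:
    the PAN if the key travelled with it, otherwise nothing."""
    if "key" not in rec:
        return None
    dump_only_ks = KeyService({rec["key_id"]: bytes.fromhex(rec["key"])})
    return decrypt_pan(dump_only_ks, rec)


def dump_contains_pan(records: list, pan: str) -> bool:
    """True if the PAN appears in plaintext anywhere in a serialized dump."""
    return pan in json.dumps(records)


if __name__ == "__main__":
    ks = KeyService()
    pan = "4111111111111111"  # constructed test number, not a real card
    good = encrypt_pan(ks, pan)
    print("stored record:", good)
    print("dump reveals PAN:", dump_contains_pan([good], pan), "| recoverable from dump:", recover_from_dump(good))
    print("recoverable when key is co-located:", recover_from_dump(colocated_record(ks, pan)))
    print("decrypted via the key service:", decrypt_pan(ks, good))
```

The point of the design is the last two printed lines: the same ciphertext is worthless to someone who copies only the data store, and immediately readable when the key was saved beside it. In a real deployment the `KeyService` would be an HSM or a cloud KMS reached over an authenticated channel, and the tag check also catches records altered after the fact.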
Another mistake is using the corporate network to send security and system updates to all POS devices. This is a common practice that puts many businesses at risk. It is extremely easy for hackers to gain access to computers, networks and POS systems if company networks are not protected by professional security measures. For small businesses, a good solution is to adopt multi-factor authentication and never operate the POS systems on a public WiFi network.
Best practices for securing your system and preventing a POS breach include the following. Install antivirus software that constantly scans for viruses or malicious files. Use encryption: even if cyber thieves have installed payment-theft malware on the retailer’s POS system, encryption obfuscates the data as it travels over networks, making it extremely difficult to exploit. Monitor all POS terminals with video surveillance to deter and detect skimmers on your terminals. Secure your network to prevent POS attacks: protect all networks with a strong password and consider setting up a segmented connection for even more protection. Implement a POS monitoring service that instantly flags cashier violations by sending video clips and POS data for specified exceptions, e.g. cashiers going in and out, drawers opened without a sale and so on, and that preserves this evidence in the event of a break-in. Keep all POS software up to date and teach staff how to spot suspicious activity.
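Two of the controls above, the exception-based POS monitoring described here and the detection of malware sending card data to a remote server described earlier, can be expressed as rules over register event logs. The following is an added example, not code from the article or any monitoring vendor: the log format, field names, register ids and the allowlisted payment-processor address are all constructed for the demonstration. It flags a drawer opened with no sale shortly before it, a network connection from a register to any destination outside the allowlist, and a burst of refunds by one cashier.

```python
"""POS exception monitoring over constructed event lines.

Added example, not the article's or any vendor's code. The log format,
field names and the allowlisted processor address are assumptions made
up for this demonstration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events from two registers (the format is invented here).
SAMPLE_LOG = """\
2021-12-03T10:15:02 REG01 SALE cashier=ann amount=12.50
2021-12-03T10:15:05 REG01 DRAWER_OPEN cashier=ann
2021-12-03T10:22:40 REG01 DRAWER_OPEN cashier=ann
2021-12-03T10:30:00 REG02 NET dst=198.51.100.20:443
2021-12-03T10:31:12 REG02 NET dst=203.0.113.9:8080
2021-12-03T10:40:00 REG02 REFUND cashier=bob amount=80.00
2021-12-03T10:41:30 REG02 REFUND cashier=bob amount=65.00
2021-12-03T10:43:10 REG02 REFUND cashier=bob amount=90.00
"""

# Assumed: the only destination a register should talk to is the payment processor.
ALLOWED_EGRESS = {"198.51.100.20:443"}

LINE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_event(line: str) -> dict:
    """Split '<timestamp> <register> <EVENT> k=v ...' into a dict."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    return {"ts": datetime.fromisoformat(m.group(1)), "reg": m.group(2), "event": m.group(3), **fields}


def find_exceptions(log_text: str, drawer_window=timedelta(seconds=30), refund_limit=2) -> list:
    """Return alerts for: a drawer opened with no sale on that register within
    drawer_window, egress to a destination outside the allowlist, and more
    than refund_limit refunds by a single cashier."""
    alerts, last_sale, refunds = [], {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        if e["event"] == "SALE":
            last_sale[e["reg"]] = e["ts"]
        elif e["event"] == "DRAWER_OPEN":
            prior = last_sale.get(e["reg"])
            if prior is None or e["ts"] - prior > drawer_window:
                alerts.append({"rule": "drawer_no_sale", "ts": e["ts"], "reg": e["reg"], "who": e.get("cashier")})
        elif e["event"] == "NET" and e["dst"] not in ALLOWED_EGRESS:
            # A register talking to anything but the processor is the exfiltration pattern.
            alerts.append({"rule": "unexpected_egress", "ts": e["ts"], "reg": e["reg"], "who": e["dst"]})
        elif e["event"] == "REFUND":
            who = e.get("cashier")
            refunds[who] = refunds.get(who, 0) + 1
            if refunds[who] == refund_limit + 1:  # fire once, when the limit is crossed
                alerts.append({"rule": "refund_burst", "ts": e["ts"], "reg": e["reg"], "who": who})
    return alerts


if __name__ == "__main__":
    for a in find_exceptions(SAMPLE_LOG):
        print(f"{a['ts']} {a['reg']} {a['rule']:18} {a['who']}")
```

Run on the sample, the first drawer opening (three seconds after a sale) is silent, while the second, the connection to the non-allowlisted address and the third refund by the same cashier each produce one alert. A real deployment would feed register events and firewall logs in from the devices rather than a string, and would attach the matching video clip to each alert.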
- Ibenu, assistant professor of computer science at Escae-Benin University of Science and Technology, is writing from Lagos, Nigeria
All rights reserved. No part of this material or any other digital content on this site may be reproduced, published, transmitted, transcribed or redistributed without the prior express written permission of PUNCH.