Hundreds of millions of Americans dine at restaurants each year. Unfortunately, so do hackers.
In the past year alone, we've learned about cybercriminals devouring credit card information from CiCi's Pizza, Wendy's and Arby's. What makes these retailers so attractive to attackers is their highly vulnerable point-of-sale (POS) systems. The problem is so severe that cybercrime investigative journalist Brian Krebs recently blogged on KrebsOnSecurity:
From my perspective, organized crime gangs have so completely overrun the hospitality point-of-sale systems here in the United States that I just assume my card may very well be compromised whenever I use it at a restaurant or hotel bar/eatery.
According to the just-released 2017 Data Breach Investigations Report from Verizon, almost 65% of POS breaches involved the use of stolen credentials as the hacking variety. And 95% of breaches featuring the use of stolen credentials leveraged vendor remote access to hack into their customer's POS environments.
Anatomy Of A POS Hack
A vendor-enabled POS hack usually involves three basic steps. To illustrate this, we'll use the infamous Target hack, which compromised 40 million credit cards.
First, the hacker steals vendor login credentials. In the case of Target, a phishing email loaded malware on the computers of one of the retailer's HVAC vendors. The next time that vendor logged into the Target portal, the attacker captured the login credentials.
Next, the hacker uses these credentials to enter and roam the network. Target never released details on how its Windows servers were breached, but speculation has it that they fell to SQL injection attacks. This would have helped attackers attain elevated credentials, allowing them to move across Target's internal network.
And finally, the hacker begins exfiltrating POS credit card data. Target's attackers infected the system with malware that scraped the RAM off POS devices and grabbed data as cards were swiped. This information was sent to a "dump" server outside the compromised network, from which cybercriminals then moved the stolen data to off-site FTP servers.
Protecting Your POS System
Obviously, you can't eliminate third-party vendors. Doing away with your vendor portal is also unfeasible. It would greatly limit your working relationship with these important suppliers.
However, keep in mind that all it takes is one compromised vendor to put your entire POS system in jeopardy. So it's imperative you do all you can to prevent that. Here are some suggestions:
Require two-factor authentication. Make sure your vendors can't access your portal with just a user name and password. For even higher security, add a third factor of authentication for client devices.
Secure your network perimeter. Insist that third-party vendors access your network only with authorized devices. With software-defined networks, this means only devices on which the software is registered. This prevents attackers using stolen credentials from entering your portal via their devices.
Hide your vendor portal. It should not be visible, reachable or scannable from the public Internet. Instead, establish a zero-trust firewall to protect your enterprise applications and vendor portal from prying eyes.
Limit vendor access. Once inside the Target network, attackers moved laterally from server to server, searching for valuable data. Prevent this by locking down vendor access to just one application or server. That way, if an attacker does sneak through your vendor portal, he's limited to only that portal application.
Vet your vendors. We'll end with where you should begin. As the Verizon report stated:
"We recommend all businesses, small and large, ask the right questions to any third-party management vendors about their security practices, specifically about use of two-factor authentication."
Don't wait to be the next victim. Talk to Dispersive. Our virtualized networks can bring unmatched security to your POS systems, minimizing your concerns about hungry hackers and careless vendors.
Find out how we or one of our carrier partners can improve your situation. Email us at email@example.com or call us at (844) 403-5852.