Attackers Find Point-of-Sale Software an Easy Target
Dennis Fisher writes on ThreatPost:
While most consumers worry about their credit card or debit card numbers or other valuable data being stolen from their home computers or leaked via a data breach at their banks, a new report shows that the vast majority of attacks that harvest this sensitive data actually target weak software on point-of-sale devices at retail locations.
The data shows that 75 percent of the more than 220 breach investigations done by Trustwave's SpiderLabs unit last year involved an attack that targeted POS software. These systems, which are the first link in the long chain of payment processing, tend to be the softest targets for attackers interested in gathering large amounts of payment card data quickly. Many POS systems are proprietary systems that are set up either by the vendor or a third-party consultant and may not be well understood by the customer's IT staff.
"For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions. In 87% of POS breach cases, third party integrators used some form of default credentials with either remote access systems or at the operating systems layer. Businesses should work with their third party vendors to help ensure non-functional security requirements are part of the implementation and maintenance agreements," the SpiderLabs Global Security Report 2011 says.