Sketchy Checkout: How PoS Malware Could Be Putting Your Card Data At Risk

Most of us consider high-street shopping safer than shopping online, but what if using your credit or debit card to pay for items was putting you at risk?

New research has found that a shockingly high number of retailers are putting themselves and their customers at risk thanks to compromised Point of Sale (PoS) terminals, which can be infected with malware which steals customer data.

To find out more, TechWeekEurope spoke to Charles Henderson, VP of managed testing at Trustwave, to what retailers can do to stay safe and find out how bad the situation is.

At risk

The initial prognosis, it seems, is not good.

“We’re playing a game of’ ‘how many fingers can we stick in the dam?’” Henderson says, “And the big issue is not the latest strain of malware, it’s how the malware is getting on your PoS in the first place.”

Awareness and prevention need to be the watchword for retailers, Henderson says, as PoS terminals generally have, “a very very low bar” of security, leaving many merchants at risk of attack.

This is most notably seen through the fact that 90 percent of terminals tested by Trustwave still have the default six-digit password set up when they left the factory – a shocking statistic when it was seen that most of these were made in the mid-1990s.

“(The terminals) haven’t been tested in the same way that the attackers are testing them,” says Henderson, “it’s not like the hackers are going to the ends of the earth to get malware on these machines.”

Staying safe

“Security is not where it should be,” Henderson says, noting that 90 percent of retailers admitted to never having testing their PoS terminals for security, “no-one is paying attention to security.”

Hackers are able to install malware easier than ever before, and with less interaction, as criminals don’t even need to be in a store to remotely install malicious software.

“The security posture of the PoS industry is not where it should be,” Henderson notes, “it’s far too easy to get malware onto these systems.”

He’s recommending a multi-prong approach to ensure retailers become less of a target. Better in-house testing is a start, to eliminate the low-hanging fruit, but network segmentation, anti-malware tools and penetration testing can also be invaluable.

This wouldn’t mean huge expenditure either, as often only a single device would need to be tested if a business uses the same tools across all their operations.

Although more extensive testing by vendors would also help, as often this is taken up by lots of compliance testing.

“People think that, because I’m compliant I’m secure-that’s just not true,” Henderson says.

“There’s often a sense of paralysis in the security industry when you’re faced with a daunting task…it’s like facing from the bottom of a mountain, looking up, and the mountain looks so tall that you don’t start climbing.”

“Until you start climbing, you will not reach the top.”

What do you know about Internet security? Find out with our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago