Sketchy Checkout: How PoS Malware Could Be Putting Your Card Data At Risk

Most of us consider high-street shopping safer than shopping online, but what if using your credit or debit card to pay for items was putting you at risk?

New research has found that a shockingly high number of retailers are putting themselves and their customers at risk thanks to compromised Point of Sale (PoS) terminals, which can be infected with malware that steals customer data.

To find out more, TechWeekEurope spoke to Charles Henderson, VP of managed testing at Trustwave, about how bad the situation is and what retailers can do to stay safe.

At risk

The initial prognosis, it seems, is not good.

“We’re playing a game of ‘how many fingers can we stick in the dam?’” Henderson says, “And the big issue is not the latest strain of malware, it’s how the malware is getting on your PoS in the first place.”

Awareness and prevention need to be the watchwords for retailers, Henderson says, as PoS terminals generally have “a very very low bar” of security, leaving many merchants at risk of attack.

This is most notable in the fact that 90 percent of terminals tested by Trustwave still have the default six-digit password that was set when they left the factory – a shocking statistic given that most of these were made in the mid-1990s.

“(The terminals) haven’t been tested in the same way that the attackers are testing them,” says Henderson, “it’s not like the hackers are going to the ends of the earth to get malware on these machines.”

Staying safe

“Security is not where it should be,” Henderson says, noting that 90 percent of retailers admitted to never having tested their PoS terminals for security, “no-one is paying attention to security.”

Hackers are able to install malware more easily than ever before, and with less interaction, as criminals don’t even need to be in a store to remotely install malicious software.

“The security posture of the PoS industry is not where it should be,” Henderson notes, “it’s far too easy to get malware onto these systems.”

He’s recommending a multi-prong approach to ensure retailers become less of a target. Better in-house testing is a start, to eliminate the low-hanging fruit, but network segmentation, anti-malware tools and penetration testing can also be invaluable.

This wouldn’t mean huge expenditure either, as often only a single device would need to be tested if a business uses the same tools across all their operations.

More extensive testing by vendors would also help, as their testing is often taken up by lots of compliance testing.

“People think that, because I’m compliant, I’m secure – that’s just not true,” Henderson says.

“There’s often a sense of paralysis in the security industry when you’re faced with a daunting task…it’s like facing from the bottom of a mountain, looking up, and the mountain looks so tall that you don’t start climbing.”

“Until you start climbing, you will not reach the top.”


Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.
