
Thread: Malware on POS

  1. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #1

    Malware on POS

    I was reading an article about a retailer having a data breach due to malware running on their POS machine. I have what is probably a dumb question but I'll ask anyway. How does malware get installed on a POS machine? I have limited experience in the retail space, but I have done a few consulting gigs. From what I've seen, the POS systems were running an embedded version of Windows XP, which I know is no longer supported and could easily be a vulnerability. My confusion is how malware would get installed to begin with. I wouldn't think these POS machines would need internet access.

  3. Senior Member
    Join Date
    Dec 2015
    Location
    Quebec, Canada
    Posts
    538

    Certifications
    A+, Network+, Linux+, HP APS, VCP 3-4-5-6, VSP,VTSP, SSCP, Veeam VMCE, CISSP
    #2
    Embedded does not mean non-vulnerable; usually they are the last thing that gets updated in a network.

    Also, while they perhaps don't have internet access, they are usually connected to an internal network, so they can become infected after a first breach.

    Finally, I have also seen a guest wifi that is plugged into the same network as the POS.

  4. Achieve excellence daily
    Join Date
    May 2012
    Location
    Washington State
    Posts
    1,425

    Certifications
    CISSP
    #3
    Let's see, a couple of options.
    • They are frequently on a network. Maybe another PC on that or an adjacent network has internet access.
    • Maybe a port (USB) is open on the device and an attacker can sneak a USB in during a transaction.
    • Maybe an employee or someone with access is paid to insert a disk or USB.
    • Pose as an IT or service person and insert a disk/USB.
    I'm sure folks will chime in with other ways.
    When you go the extra mile, there's no traffic.

  5. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #4
    Quote Originally Posted by SteveLavoie:
    Embedded does not mean non-vulnerable; usually they are the last thing that gets updated in a network.

    Also, while they perhaps don't have internet access, they are usually connected to an internal network, so they can become infected after a first breach.

    Finally, I have also seen a guest wifi that is plugged into the same network as the POS.

    Yes, absolutely vulnerable. That's exactly what I was wondering. If it's because, say, a desktop or another device got infected and since they share the same LAN (without segmentation), they then get infected.

  6. Senior Member cyberguypr's Avatar
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    6,309

    Certifications
    GCFE, GCED, GCIH, GSTRT, CISSP, CCSP, and others that should never be mentioned
    #5
    Good, easy to digest report on this topic: https://www.symantec.com/content/dam...systems-en.pdf

  7. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    1,177

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #6
    Here's how it happened with Target Corp. They compromised some third-party vendor, used their credentials to get inside Target's Microsoft network, which turned out to be flat, identified PoS machines, obtained an account with admin rights on all PoS (running XP) and installed their malware as a Windows service on pretty much all points.
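The Target account above describes malware installed as a Windows service on registers that, as later posts note, ran no AV. A simple defender-side check that does not depend on AV is to inventory services whose binary does not live in an expected location. The script below is an added example, not from this thread or any vendor; it assumes PowerShell 3 or later with the CIM cmdlets, and the list of trusted directories is an assumption to extend with the POS vendor's own install path.

```powershell
# Added example (not from the thread): list Windows services whose executable sits outside the
# directories a POS image is expected to use. Intended as a periodic baseline check on registers
# and the back-office server. Assumes PowerShell 3+; $TrustedRoots is an assumed allow-list to tune.

function Get-UnexpectedServiceBinaries {
    param(
        # Directories treated as expected homes for service binaries (assumed; add the POS vendor's path)
        [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }   # skip entries with no recorded binary
        # PathName may be quoted and may carry arguments; keep only the executable path
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split '\s+-|\s+/')[0] }
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            # -like is case-insensitive, which matches Windows path semantics
            if ($root -and $exe -like "$root\*") { $trusted = $true; break }
        }
        if (-not $trusted) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                State     = $svc.State
                Account   = $svc.StartName
                Binary    = $exe
            }
        }
    }
}

# Run it and show anything outside the trusted roots; an empty table is the expected result on a clean image.
Get-UnexpectedServiceBinaries | Sort-Object Binary | Format-Table -AutoSize
```

On a fleet, the useful signal is the diff between one register's output and the known-good image rather than any single run; a service whose binary lives in a user profile, a temp directory or the root of the system drive is the kind of entry worth investigating first.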

  8. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #7
    Great replies. Exactly what I was looking for. Thanks @NotHackingYou, @cyberguypr, @gespenstern and @SteveLavoie

  9. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #8
    Had some more thoughts/questions on this. Is it best practice to prevent these POS machines from accessing the internet, other than for necessary reasons like ms-updates?

    Is it also best practice to disable USB ports for flash drives? Most of the POS machines I've seen (not many) are not AD joined, so GPOs are not an option.

  10. Senior Member Moldygr33nb3an's Avatar
    Join Date
    Jul 2016
    Location
    The Oasis
    Posts
    239

    Certifications
    A+, Network+, Security+, Project+, CSA+, CASP, CEHv9, CCNA R&S/Security, eJPT
    #9
    POS' can be connected to the internet, or the same network as other devices that are connected to the internet. Back when I worked at Circuit City, our POS' were connected to the internet running WinXP. Literally a few months ago, I was working with our internal Subway store and they were using WinXP and it was connected to the internet. I told them they needed to upgrade, otherwise they were going to (if they hadn't) get steamrolled. They upgraded a few days later.

  11. Completely Clueless TechGromit's Avatar
    Join Date
    Oct 2015
    Location
    Ontario, NY
    Posts
    1,731

    Certifications
    A+, Network +, Sanity+ (Revoked), GSEC, GCIH, GREM
    #10
    Quote Originally Posted by mnashe:
    I was reading an article about a retailer having a data breach due to malware running on their POS machine.

    POS machine? Or POS system? The cash registers usually connect back to a server that runs Microsoft server software. The touch screen IBM POS sale terminals I have experience with didn't have hard drives, but did run an operating system that you could run some updates against. While you would think compromising the server would be ideal, the POS registers don't have anti-virus software, so a compromised POS terminal would escape detection for quite some time.
    Still searching for the corner in a round room.

  12. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #11
    Quote Originally Posted by TechGromit:
    POS machine? Or POS system? The cash registers usually connect back to a server that runs Microsoft server software. The touch screen IBM POS sale terminals I have experience with didn't have hard drives, but did run an operating system that you could run some updates against. While you would think compromising the server would be ideal, the POS registers don't have anti-virus software, so a compromised POS terminal would escape detection for quite some time.

    I'm sorry, when I say POS, I'm referring to the POS register systems that are in the stores. The ones I've seen run something like Windows XP Embedded. I'm pretty sure they had hard drives. I've even seen one place where they had two registers, one of which acted as the "server".

    I don't get why they don't run AV.

  13. Completely Clueless TechGromit's Avatar
    Join Date
    Oct 2015
    Location
    Ontario, NY
    Posts
    1,731

    Certifications
    A+, Network +, Sanity+ (Revoked), GSEC, GCIH, GREM
    #12
    The location I worked at had 45 touch screen registers, all in different restaurant locations in the same building: two in the coffee shop, 5 in the beach bar, four in the steak house, etc. The reason they didn't have hard drives was that they had an embedded XP operating system on something like a flash card. Originally they networked back to a pair of 386 servers; I had a faster computer at home than work had running the company's POS system. Eventually, over the course of 15 years, they upgraded to much faster servers, better than what I had at home. The servers of course ran anti-virus software, but the registers never did.
    Last edited by TechGromit; 06-11-2018 at 06:38 PM.
    Still searching for the corner in a round room.

  14. Senior Member
    Join Date
    Jul 2015
    Location
    Liverpool, UK
    Posts
    295

    Certifications
    A+, Net+, Sec+, ITIL v3, MCSA:2008/2012, MCSE:CP&I, CCNA R&S/Cyber Ops, MCITP:EDST/EDA
    #13
    POS systems can have email clients on them, so store staff can contact area managers with figures etc. Don't be surprised if they support legacy software that has weak authentication methods for remote access too. (For polling etc)

  15. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #14
    I think I'm just confused on how there is a lack of protection on these devices. Whether they run Windows on a hard drive, or windows embedded, it's still an OS. Why would there not be AV installed on them?

    Also, why should they have internet access if there is no need? Isn't that asking for trouble?

  16. Senior Member
    Join Date
    Jul 2015
    Location
    Liverpool, UK
    Posts
    295

    Certifications
    A+, Net+, Sec+, ITIL v3, MCSA:2008/2012, MCSE:CP&I, CCNA R&S/Cyber Ops, MCITP:EDST/EDA
    #15
    I've literally just given 2 use cases for internet access.

    Edit: Also, Antiviruses are nowhere near a guarantee that malware won't get through.

  17. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #16
    Quote Originally Posted by Pseudonym:
    I've literally just given 2 use cases for internet access.

    Edit: Also, antiviruses are nowhere near a guarantee that malware won't get through.

    I saw you mentioned email. If the email server is internal, that doesn't require internet access. If it's Office 365, it's easy enough to allow that traffic and restrict the rest. Not sure what your second use case was.

    AV isn't a guarantee, correct, but I would think it shouldn't be disregarded altogether.

    It seems these systems are a real weakness.
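Two practical questions come up in posts #8 and #16: disabling USB flash drives on registers that are not AD joined (so no GPO), and allowing only the handful of destinations a register needs (updates, mail service) while blocking the rest of its outbound traffic. Both can be done locally on the machine. The script below is an added example, not from this thread or any POS vendor; it assumes a current Windows build with PowerShell 5 and the NetSecurity module, run as an administrator. The XP Embedded registers discussed above lack those firewall cmdlets, although the USBSTOR registry change works there too via reg.exe. All IP addresses are placeholders to replace with the real update server and mail endpoints.

```powershell
# Added example (not from the thread): local hardening for a standalone (non-domain-joined) Windows POS register.
# Assumes Windows 8/Server 2012 or later with PowerShell 5 and the NetSecurity module, run elevated.
# The remote addresses are placeholders; substitute the real WSUS/update and mail service endpoints.

# 1. Disable the USB mass-storage class driver so flash drives no longer mount. Start = 4 is SERVICE_DISABLED.
#    Keyboards, barcode scanners and card readers use other driver classes and keep working.
function Disable-UsbStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
}

# Returns $true when the class driver is disabled; useful as a compliance check across the fleet.
function Test-UsbStorageDisabled {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start -eq 4
}

# 2. Default-deny outbound traffic on every firewall profile, then allow only what the register needs.
function Set-PosEgressPolicy {
    param(
        # Placeholder destinations (assumed); replace with the update server and mail service ranges in use.
        [string[]]$AllowedHosts = @('10.0.5.10', '10.0.5.11'),
        [int[]]$AllowedPorts    = @(443),
        # Placeholder internal resolver (assumed); registers should not reach arbitrary external DNS.
        [string]$DnsServer      = '10.0.5.1'
    )
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # Remove rules from an earlier run so the script stays idempotent.
    Get-NetFirewallRule -DisplayName 'POS egress allow*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName 'POS egress allow: approved services' -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $AllowedHosts -RemotePort $AllowedPorts | Out-Null
    New-NetFirewallRule -DisplayName 'POS egress allow: DNS' -Direction Outbound -Action Allow `
        -Protocol UDP -RemoteAddress $DnsServer -RemotePort 53 | Out-Null
}

Disable-UsbStorage
Set-PosEgressPolicy
if (Test-UsbStorageDisabled) { 'USB mass storage disabled; outbound default-deny with explicit allows in place' }
```

The default-deny outbound action is the part that addresses the "restrict the rest" half of the question: anything the register was not explicitly granted, including a compromised process trying to reach the internet, is dropped at the host. Block-by-default also surfaces the real dependencies quickly, since any legitimate flow that was forgotten shows up as a dropped connection in the firewall log rather than silently continuing to work.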

  18. Senior Member
    Join Date
    Jul 2015
    Location
    Liverpool, UK
    Posts
    295

    Certifications
    A+, Net+, Sec+, ITIL v3, MCSA:2008/2012, MCSE:CP&I, CCNA R&S/Cyber Ops, MCITP:EDST/EDA
    #17
    Even if you only allow email traffic through the firewall, malicious files can still end up on the machine via email.

  19. Senior Member
    Join Date
    Sep 2016
    Posts
    132

    Certifications
    CCNA Security, CCNA R&S
    #18
    Quote Originally Posted by Pseudonym:
    Even if you only allow email traffic through the firewall, malicious files can still end up on the machine via email.

    I think you're missing my point, but it's okay. I appreciate the responses.

  20. Senior Member
    Join Date
    Jul 2015
    Location
    Liverpool, UK
    Posts
    295

    Certifications
    A+, Net+, Sec+, ITIL v3, MCSA:2008/2012, MCSE:CP&I, CCNA R&S/Cyber Ops, MCITP:EDST/EDA
    #19
    No, I think you're missing my point.