POS Systems: The Proven Vulnerabilities

 POS-vulnerabilitiesAsk yourself: if the retail infrastructure defense fails, what will be left to protect the POS systems?
Retail infrastructure is very complex and thus hard to secure. Retailers cannot remain wholly unaffected by industry-fellows experience, and the attempts to define and implement security measures are inadequate or incomplete.

Let’s go back in time ten years ago and analyze how hackers have breached established retail chains in the US. All efforts to become compliant with Payment Card Industry (PCI) security standards made retailers overlook real POS system vulnerabilities.

Wall-Mart 2005-2006

In 2005, the cyber criminals targeted Walmart’s development team, which oversaw coding the company’s point-of-sale system for processing credit and debit card transactions. How did they succeed?

1 Using Stolen credentials to install malware

The attackers have connected to one of the Walmart servers through a VPN account assigned to a former Walmart network administrator in Canada, and remotely installed L0phtcrack, a password-cracking tool.

When trying to run the program, the server crashed and raised a red flag to the Walmart’s security team who started investigating the breach. With a 7-hour timeframe to grab data, the attackers managed to steal two more accounts and while Walmart’s security team was striving to identify and stop the breach, they used the stolen accounts to access the system and steal information.

When reviewing the VPN logs, the security team investigating the breach discovered not only that the breach started a few months ago, but that the company’s server logs recorded only unsuccessful log-in attempts, not successful ones, hardening a detailed analysis of the security breach.

2 Learning the POS system communication flow

Using the stolen accounts, the hackers gained access to one of the POS technical specification, POS Store Systems Technical Specifications TLOG Encryption and Financial Flows, which contained the detailed communication flow chart of the transaction process, from the moment the customers swipe their credit/debit cards into the store’s card reader to the point the data transverse the network to be authenticated by the card issuer.

3 Steal unencrypted data

Attackers stole at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, that were housed on company networks in unencrypted form.

Another powerful weapon in the hands of the attackers was the usage of the same access credentials across every Walmart store nationwide: to servers, transaction processing systems, and other network-connected devices handling sensitive information. Once they compromised a point-of-sale controller or in-store card processor at one store, they could have easily gained access to the same device at every Walmart store nationwide.

From the very inception of the attack, the black hats knew what they were after; they were all over the point-of-sale systems; and the target offered enough glitches to ensure a successful POS breach.
Wall-Mart Vulnerabilities Recap:

  • Poor accounts security policies. Walmart has failed in closing a network administrator account of an employee who left the company.
  • Privileged account management was disregarded. The retailer should have granted access into the system only on a business need-to-know basis.
  • Incomplete audit trail. Recording only unsuccessful logins instead of considering logging successful events as well.
  • Unencrypted data. Data traversing the Walmart network was unencrypted.
  • Network not divided into segments. When the attack took place, the retailer’s network was not divided into segments, making the attack much easier.
  • No P2P encryption. The data was not encrypted from the plastic swiped into the card reader all the way to the financial institution approving the transaction.

TJX 2005 -2006

In 2005, Albert Gonzales broke the point-of-sale system of a Marshall’s clothing store in Minnesota. What were the glitches that allowed him to do that?

One year prior the breach, TJX was issued a report on its security compliance that identified multiple security deficiencies, including specific PCI DSS violations.

Hackers attacked an antenna at the store to grab data as it streamed over the store’s vulnerable Wi-Fi network, which they used to gain access to the central transaction database of TJX, Marshall’s parent company. There, they installed a traffic capture/sniffer program to record sensitive cardholder data as it was transmitted in clear (without encryption) by TJX to the card’s issuer for transaction approval.

To remain undetected, the intruders engaged in a very popular tactic, post-event cleanup deleting and tampering with log files, moving data to hide their activity.

This way they managed to steal 94 million accounts and wired fraudulent transactions on those accounts in 13 different countries.
TJX Vulnerabilities Recap:

  • Unprotected WI-FI network
  • No P2P encryption. The data was not encrypted from the plastic swiped into the card reader all the way to the financial institution approving the transaction.

Target 2014-2015

In the winter shopping season of 2013, cyber criminals had gotten the Personal Identifiable Information (PII) of 70 million customers, along with data for 40 million credit cards and debit cards. How was this even possible?

1 Stealing vendor’s credentials to gain access

Using email phishing, attackers have installed malware to the Target’s HVAC vendor, Fazio Mechanical Services, and infected the vendor’s network with malware that steals credentials. Using the stolen credentials, they accessed the Target-hosted web services dedicated to vendors.

2 Installing malware to infiltrate in the retail infrastructure

Although the vendor’s data connection with Target was used exclusively for electronic billing, contract submission, and project management, the hackers exploited the web app vulnerabilities. They modified the PHP code of the web app by adding a web-based backdoor which allowed the hackers to upload files and execute arbitrary operating system commands and find the servers that held customer information and hopefully (for them) credit card data.

3 Stealing retailer credentials

Hidden in plain sight they made some reconnaissance, exploring relevant targets to propagate the malware. Thus, they connected to Target’s Active Directory, which contains data of all Domain members (users, computers and services) and queried the Active Directory with internal Windows tools using the standard LDAP protocol to get access credentials. They might have used the same process to find POS-related machines.

Having the names of their targets, the hackers then obtained their targets IP addresses by querying the DNS server. Unstoppable, yet having incomplete information to take control over the POS system, the attackers used the “Pass-the-Hash” attack technique to gain access to an NT hash token that would give them the power to impersonate the Active Directory administrator.

Don’t you think even for a second that they weren’t smart enough to take into consideration that the administrator might have changed the password at any time.They have seen beyond the horizon and took the proper measures to ensure their victory against the retailer.

Armed with black intelligence, they created a new domain admin account with the stolen token, using the same BMC’s Bladelogic Server Automation product username, to remain undetected when monitoring unusual access patterns.

4 Remotely accessing the targets

Having the domain admin credentials and privileged access, the attackers proceeded with their attack.

They had to overcome yet another obstacle: firewalls and other network-based security solutions that limited direct access to relevant targets, running remote processes on various machines in the chain, toward their relevant targets.

Using “Angry IP Scanner”, they detected computers that were network accessible from the current computer and then tunneled through a series of servers to bypass the security measures, by means of a port forwarding IT tool. Furthermore, they used their credentials in conjunction with the Microsoft PSExec utility (a telnet-replacement for executing processes on other systems) and the Windows internal Remote Desktop for remotely executing processes on the targeted servers.

Microsoft Orchestrator management solution allowed attackers to gain persistent access, which allowed them to remotely execute arbitrary code on the compromised servers.

5 Stealing customer sensitive data

Target was compliant with the PCI DSS requirement that states the following: „Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process”. Hackers could access the PII of 70 million Target customers, but did not have access to credit cards.

It was time for plan B. Tough decision, but it was the only one viable to succeed with their devious plans; the attackers decided to regroup and steal the credit cards directly from the Point of Sales themselves.

6 Installing malware on the POS systems

Being aware that it was their last chance to win the war, they installed Kaptoxa on Target’s POS machines to scan the memory of the infected machines and save any credit cards found to a local file.

7 Sending Stolen Data via Network Share

With malware fetching credit card data, they opened file sharing on a remote, FTP-enabled machine, using a Windows command and the Domain Admin credentials. It would periodically copy its local file to the remote share.

8 Extract stolen data via FTP

When the stolen data arrived on the FTP-enabled machine, a script was used to send the file to the hacker’s controlled FTP account using the Windows internal FTP client.

The POS system may not have been the initial target of the hackers, but after gaining access into the retailer’s IT infrastructure and passing over all security obstacles in place, they went right after the POS systems themselves, finally winning the battle against the retailer.
Target Vulnerabilities Recap:

  • Bad management of third-parties. Hackers initiated the attack using the vendor’s vulnerabilities.
  • Bad security hygiene. Poor security measures and implementation of well-known security practices.

Home Depot 2014-2015

Home Depot was one of the many victims to a retail data breach in 2014. The hackers used the same method to infiltrate into the system as the Target hackers.

They gained access to one of Home Depot’s vendor environments by using a third-party vendor’s logon credentials. Having the access credentials, they exploited a zero-day vulnerability in Windows, being able to pivot from the vendor-specific environment to the Home Depot corporate environment.

As the ultimate weapon to conquer and rule the POS system, the hackers installed RAM scrapping malware on over 7,500 self-checkout POS terminals which allowed them to grab 56 million credit and debit cards. Stealing the payment cards and selling them on the black market was not enough; they used the stolen email addresses in putting together large phishing campaigns.
Home Depot Vulnerabilities Recap:

  • Bad management of third-parties. Hackers initiated the attack using vendor’ s vulnerabilities.
  • Bad security hygiene. Poor security measures and implementation of well-known security practices.

Bottom line:
Fast-forwarding through the past ten years, we notice that the slow adoption of better security practices and the lack of security awareness encourages hackers to initiate multi-tiered attacks against retailers using the same old methods and techniques.
It is quite clear that any retailer who had taken reasonable precautions to secure their own POS systems by learning from the industry-related breaches and implementing the proper security measures would not have been vulnerable.