Keeping the hackers out of your POS! Michael McKinnon, AVG Security Advisor AVG.COM.AU AVG.CO.NZ
Page 1: Keeping hackers out of your POS!

Keeping the hackers out of your POS!

Michael McKinnon, AVG Security Advisor

AVG.COM.AU

AVG.CO.NZ

Page 2: Keeping hackers out of your POS!

What are we looking at today?

Page 3: Keeping hackers out of your POS!

Quick Overview

1. The Problem

2. Attack Vectors

3. Types of Attacks

4. Solutions

Page 4: Keeping hackers out of your POS!

The Problem

Unlike shoplifters, cybercriminals set up camp and stay there, stealing from retailers for extended periods of time.

Page 5: Keeping hackers out of your POS!

PC-based POS systems

• They are cheap, efficient and can be used for multiple purposes

• However, the PC has become the POS security “battleground”

Page 6: Keeping hackers out of your POS!

Data breaches are still too easy!

Source: Verizon Data Breach Investigations Report 2012

Page 7: Keeping hackers out of your POS!

[Chart: Australian retail spend, 96% offline retail vs 4% online retail]

Offline retail is the biggest cybercrime target

Source: NAB Online Retail Sales Index – July 2012

Page 8: Keeping hackers out of your POS!

Infiltration of POS transaction data

There are lots of examples in the news…

Source: www.cio.com.au/article/436663/two_romanians_plead_guilty_point-of-sale_hacking/

Page 9: Keeping hackers out of your POS!

Attack Vectors

There are 6 ways cybercriminals can gain entry into your retail business…

Page 10: Keeping hackers out of your POS!

#1. Default passwords

The user manual says:

“Step 1. Change the default password”

BUT, it is far too common that these are not changed, or they’re changed to another widely known “default” password (one that every attacker’s guessing list already contains)

Page 11: Keeping hackers out of your POS!

Which password is the most secure?

1. E56#av+Yb!

2. Password123

3. aaaaaAAAAA#####43

4. 123456

5. lucasjames

Page 12: Keeping hackers out of your POS!

Answer: aaaaaAAAAA#####43

But why?

• 17 characters in length

• Contains upper and lowercase letters

• Contains numbers

• Contains a symbol

• There are 37 thousand billion billion billion possible combinations (72 possible characters per position, raised to the power of 17)

• Caveat: that count assumes every character was chosen at random. Password-cracking tools try patterns such as repeated runs and keyboard sequences long before they fall back to the full search, so a password of this length built from random characters is stronger than one built from runs; length and randomness both matter

Learn other tips for creating a secure password here.
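As an added example (not part of the slides), the arithmetic behind the answer above, applied to all five candidates, together with the checks an auditor would actually run against a POS password. The 72-character alphabet (26 lower, 26 upper, 10 digits, 10 symbols) is reconstructed from the figure on the slide; the list of default passwords is constructed for illustration only and is not any vendor's real default list.

```python
import math
import re

# Constructed list of vendor default / common passwords, for illustration
# only; not taken from the slides or from any particular POS vendor.
DEFAULT_PASSWORDS = {"admin", "password", "password1", "password123",
                     "1234", "12345", "123456", "pos", "manager"}

# Character classes and their sizes. The slide's figure of roughly 3.7e31 for
# a 17-character password equals 72**17, i.e. an assumed alphabet of
# 26 lower + 26 upper + 10 digits + 10 symbols.
CLASSES = {
    "lower":  (26, re.compile(r"[a-z]")),
    "upper":  (26, re.compile(r"[A-Z]")),
    "digit":  (10, re.compile(r"[0-9]")),
    "symbol": (10, re.compile(r"[^A-Za-z0-9]")),
}

def classes_used(password):
    return [name for name, (_, rx) in CLASSES.items() if rx.search(password)]

def search_space(password):
    """Candidates a brute-force attacker must try if every position is drawn
    uniformly from the character classes the password actually uses."""
    alphabet = sum(CLASSES[name][0] for name in classes_used(password))
    return alphabet ** len(password)

def longest_run(password):
    """Length of the longest run of one repeated character."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def assess(password):
    """Return the findings an auditor would raise against one password."""
    findings = []
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("default/common password")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if len(classes_used(password)) < 3:
        findings.append("fewer than 3 character classes")
    if longest_run(password) >= 4:
        findings.append("long repeated runs (cracking rules try these early)")
    return findings

def rank(candidates):
    """Strongest first. Anything on the default list goes to the bottom no
    matter how large its raw search space is: it is tried first, not guessed."""
    return sorted(candidates,
                  key=lambda p: (p.lower() in DEFAULT_PASSWORDS, -search_space(p)))

# The five candidates from the slide.
SLIDE_CANDIDATES = ["E56#av+Yb!", "Password123", "aaaaaAAAAA#####43",
                    "123456", "lucasjames"]

if __name__ == "__main__":
    for p in rank(SLIDE_CANDIDATES):
        bits = math.log2(search_space(p))
        print(f"{p:20} {search_space(p):10.2e} {bits:5.1f} bits  {assess(p)}")
```

Note what the raw count gets wrong: "Password123" has a larger search space than "E56#av+Yb!" (62^11 versus 72^10), yet it is on every guessing list, which is why rank() sorts default-list matches to the bottom before looking at size at all.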

Page 13: Keeping hackers out of your POS!

#2. Remote desktop access

• Convenient and very common for providing remote support

• But, often poorly implemented with weak passwords
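Added example (not from the slides): the detection side of the weak-password remote access described above, run over a constructed log. A guessing attack against a remote desktop or support login shows up as a burst of failures from one source, often across several usernames, and the event that matters most is the success that follows it. The key=value log layout, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions of this example; adapt parse() to the real gateway's format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed remote-access log in a generic key=value layout; this is not any
# vendor's real log format. 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737
# documentation addresses.
SAMPLE_LOG = """\
2012-08-14T02:13:01Z src=198.51.100.7 user=manager result=FAIL
2012-08-14T02:13:02Z src=198.51.100.7 user=admin result=FAIL
2012-08-14T02:13:02Z src=198.51.100.7 user=admin result=FAIL
2012-08-14T02:13:03Z src=198.51.100.7 user=pos result=FAIL
2012-08-14T02:13:03Z src=198.51.100.7 user=admin result=FAIL
2012-08-14T02:13:04Z src=198.51.100.7 user=admin result=FAIL
2012-08-14T02:13:05Z src=198.51.100.7 user=admin result=OK
2012-08-14T09:02:11Z src=203.0.113.9 user=support result=FAIL
2012-08-14T09:04:40Z src=203.0.113.9 user=support result=OK
"""

FAIL_THRESHOLD = 5                 # failures from one source ...
WINDOW = timedelta(seconds=60)     # ... inside this sliding window

def parse(line):
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Alert on password guessing per source address (not per user, so that
    spraying many accounts is still counted) and on a login that succeeds
    from a source that was just guessing."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures in the window
    guessing = set()               # sources already alerted on
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        src, ts = rec["src"], rec["ts"]
        q = failures[src]
        while q and ts - q[0] > WINDOW:      # expire failures outside the window
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in guessing:
                guessing.add(src)
                alerts.append({"kind": "password_guessing", "src": src,
                               "user": rec["user"], "ts": ts, "failures": len(q)})
        elif rec["result"] == "OK" and src in guessing and q:
            # The guesser got in: treat the account as compromised rather than
            # as a successful login that closes the incident.
            alerts.append({"kind": "success_after_guessing", "src": src,
                           "user": rec["user"], "ts": ts, "failures": len(q)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the first source trips the threshold on its fifth failure and then logs in as "admin", which produces the second alert; the second source's single typo followed by a success two minutes later produces nothing.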

Page 14: Keeping hackers out of your POS!

#3. Insecure wireless networks

• Wireless networks are convenient in retail environments, however when they’re poorly configured, they represent a huge security risk

• Data packets can be “sniffed” by nearby attackers

Page 15: Keeping hackers out of your POS!

#4. Phishing, spear phishing & whaling

• Phishing is the sending of specially crafted emails to trick users into divulging sensitive information. For example:

“Click here to see the details of your order” –> (fake login page that captures the password)

• Handling email in a retail setting can be very dangerous!

Page 16: Keeping hackers out of your POS!

#5. Social engineering

• Social engineering means that gaining access to someone’s computer only needs to be as hard as gaining their trust!

• What do you give for a 10th wedding anniversary…?

“I could have got her to click on anything I wanted!”

• It’s about customer service vs customer honesty

Page 17: Keeping hackers out of your POS!

#6. Physical disclosure

• Modern retail layouts often remove the traditional counter, exposing equipment to theft or tampering

• Disclosure of the makes and models, or other identifying labels, can also compromise retailers

• Physical loss is the no. 1 risk when securing mobile devices

Page 18: Keeping hackers out of your POS!

Types of Attack

Malware and hacking are the most common attack methods used by cybercriminals.

Page 19: Keeping hackers out of your POS!

Common types of attack

Source: Verizon Data Breach Investigations Report 2012

Page 20: Keeping hackers out of your POS!

Malware & Trojans

• Common varieties that cause general havoc include Fake Antivirus & ransomware

• Retail / POS specific – “RAM scrapers”, which read card data out of the POS application’s memory while it sits there in cleartext between the swipe and the payment gateway, and exfiltrate it

• Remote control Trojan or Rootkit (designed to remain hidden for future access)
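Added example, not part of the deck: what a RAM scraper is hunting for, and the same logic turned around as a detection. It scans a constructed byte buffer (standing in for a dump of the POS process's memory, seeded with the industry's published test card numbers rather than real accounts) for magnetic-stripe track 1 and track 2 records and for bare card numbers, keeps only digit runs that pass the Luhn check so order numbers and timestamps are not reported, and masks everything it reports so the finding itself is not cardholder data. The sample memory, the regexes and the function names are all assumptions of this example.

```python
import re

# Constructed sample of what a RAM scraper harvests from a POS process: magnetic
# stripe track data and bare card numbers sitting in cleartext memory between
# the swipe and the payment gateway. Card numbers are industry test numbers.
SAMPLE_MEMORY = (
    b"\x00\x00RECEIPT 0042\x00\x00"
    b"%B4111111111111111^SMITH/J^2512101000000000?"   # track 1 record
    b"\x00\x00;5500000000000004=2512101123456789?"    # track 2 record
    b"\x00\x00customer_name=J SMITH\x00"
    b"378282246310005\x00"                            # bare 15-digit PAN
    b"order_id=1234567890123456\x00"                  # 16 digits, fails Luhn: not a PAN
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RX = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RX = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
# A bare run of 13-19 digits that is not part of a longer digit run
PAN_RX = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Mod-10 check that every PAN passes; filters order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """PCI-style masking: first six and last four only, so the report can be
    handled without itself becoming cardholder data."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()

def scan(buf: bytes) -> list:
    """Return masked findings, ordered by offset in the buffer."""
    hits, covered = [], []
    for kind, rx in (("track1", TRACK1_RX), ("track2", TRACK2_RX)):
        for m in rx.finditer(buf):
            if luhn_ok(m.group("pan")):
                hits.append({"kind": kind, "offset": m.start(),
                             "pan": mask(m.group("pan")),
                             "expiry": m.group("exp").decode()})
                covered.append((m.start(), m.end()))
    for m in PAN_RX.finditer(buf):
        # Digits inside an already-reported track record (expiry, service code,
        # discretionary data) must not be reported a second time as a bare PAN.
        inside_track = any(s <= m.start() < e for s, e in covered)
        if not inside_track and luhn_ok(m.group()):
            hits.append({"kind": "pan", "offset": m.start(), "pan": mask(m.group())})
    return sorted(hits, key=lambda h: h["offset"])

if __name__ == "__main__":
    for hit in scan(SAMPLE_MEMORY):
        print(hit)
```

Run against a memory dump of the payment application, a non-empty result is exactly the exposure a RAM scraper exploits: if track data is readable here, it is readable by malware running as the same user. The fix is not a better scanner but keeping cleartext card data out of the PC entirely, which is what point-to-point encryption at the card reader achieves.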

Page 21: Keeping hackers out of your POS!

Hacking

• When combined with custom written malware, hacking is highly targeted and designed to avoid detection and remain in place for a long time

• Verizon reported that 81% of incidents in 2011 utilised some form of hacking (Data Breach Investigations Report 2012)

Page 22: Keeping hackers out of your POS!

Solutions

You may be surprised that security solutions are often simple and inexpensive.

Page 23: Keeping hackers out of your POS!

The solutions are NOT expensive

Source: Verizon Data Breach Investigations Report 2012

Page 24: Keeping hackers out of your POS!

Tips & suggestions

1. Use strong passwords and change the default ones

2. Secure remote access with strong authentication (two-factor where available) and restrict which addresses can reach it

3. All wireless networks should use WPA2 with AES/CCMP (the original WPA with TKIP is deprecated, and WEP offers no real protection)

4. Avoid spam email – use an Anti-Spam solution

5. Increase staff awareness of social engineering tactics

6. Use endpoint protection on every device (antivirus and anti-malware) – AVG is a good choice!

Page 25: Keeping hackers out of your POS!

Follow the money

• Cybercriminals tend to “follow the money”

• This means the types of attack are often predictable:

• Credit card data

• Private customer information

• Refund / returns policy

• Bank accounts

• Financial processes

Page 26: Keeping hackers out of your POS!

Talk to your IT provider & stay in the loop!

• Ask them: “How are you keeping us secure?”

• Sign up to vendor notification / update lists

• Every six months, do a proper review of security

Page 27: Keeping hackers out of your POS!

Thank you!

For even more information on retail security, visit:

avg.com.au/POS

avg.com.au

avg.co.nz

facebook.com/avgaunz

twitter.com/avgaunz