SANS ISC: InfoSec Handlers Diary Blog

How Secure Is That Point-of-sale Device?

Published: 2007-08-27
Last Updated: 2007-08-27 11:45:21 UTC
by Scott Fendley (Version: 1)

Over the past few years, "identity theft" has come into common use among consumers and the mainstream media. The payment card industry has published data security requirements to help reduce the risk for merchants and banks. Many states, such as California and Arkansas, have even passed laws requiring notification should a data theft or other exposure occur, and information security professionals (like you or me) have done what we can to limit the exposure for our respective organizations.

So a normal consumer might feel reasonably confident that their information is protected, especially when using point-of-sale (PoS) devices. Think again!

These PoS systems have a number of security concerns that were brought to the public today by Dr. Neal Krawetz in a white paper located at Hacker Factor. Though the payment card industry has published security standards, the white paper shows that the security of the financial infrastructure continues to be reactive, or in some instances almost a complete facade.

All of the vulnerabilities discussed in the white paper have been known to the industry for many years; however, they either were not recognized as risks or have been slow to be addressed. So will the industry learn how best to protect this type of information and not soften its stance on security? Will the industry help small businesses update their equipment and procedures to reduce their risk, or will it continue to focus on larger organizations?

If you handle credit cards in your organization, especially using point-of-sale devices, you should read this white paper, as it contains a number of valuable questions which should be asked of PoS terminal and branch server vendors.

So the next time you visit that gas station, video store, fast food joint, or department store, you will be left wondering whether the retailer has the correct equipment to protect your card information, or the procedures to clear stored information regularly to limit the risk.

These types of concerns are not limited to PoS devices, as there are some big risks that go along with ATMs (such as reprogramming them to give 20s for the cost of 5s, changing phone numbers, etc.). Throw in the continued growth of debit cards (which have direct access to your money), and I can see a lot of problems for the near future. Hopefully the PCI rules will continue to get tighter, and more and more retailers and banks will either meet the standards or exceed the requirements.

In the meantime, I think I will be using cash for a long while to come.
