POS Fraud: How Hackers Strike

New Indictment Highlights Growing Concerns, Patterns
POS Fraud: How Hackers Strike
Four Romanian suspects were indicted by the U.S. Department of Justice earlier this month for their alleged connection to a multimillion-dollar point-of-sale fraud scheme. [See Four Romanians Charged for POS Fraud.]

See Also: Public, Private & Hybrid Cloud: Why Compliance (Done Right) is the Easy Part

Investigators believe hundreds of U.S. merchants, including 150 Subway franchises, and more than 80,000 U.S. consumers were likely victims.

The defendants are accused of war-driving - a hacking method that involves remotely scanning for open or vulnerable Internet connections to POS systems. Once a weak system was detected, the four allegedly hacked internal computers and installed keylogging software onto the POS systems. In many cases, according to the indictment, they also installed Trojans, which allowed them ongoing access to the systems, giving them the ability to install and re-install malware over time.

Between 2008 and May 2011, Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and Florin Radu, 23, are believed to have remotely hacked POS and checkout systems to steal credit, debit and prepaid card data. According to the charges, card data they compromised resulted in millions of dollars in unauthorized transactions.

Merchants at Greatest Risk

The news is just one in a growing line of POS-related card fraud schemes. From the Michaels POS PIN pad swapping scam, which hit in May, to the Save Mart Supermarkets self-checkout breach announced in the last two weeks, merchant-level card security is garnering new attention.

McAfee consultant Robert Siciliano says coders, programmers and criminal hackers know how to access dedicated ports used for remote servicing: "ATMs, POS and just about everything connected to the Internet."

Anyone with inside knowledge of payments can easily hack a POS system. "Then they simply use tools to crack a Windows remote desktop - defaults at port 3389 - program's password, and they are in," he says.

The scam is easy to pull off.

"Many retailers purchase POS devices that come complete with operating software," says John Buzzard of FICO's Card Alert Service. "Any low-level criminal can perform 'war driving' around any neighborhood to see how many Wi-Fi networks are available in any given location," he says. The objective is to find unsecured network IP addresses that are serving as the IP address for a retailer's POS system."

Protecting the Network

Buzzard notes the ease with which crafty hackers can penetrate Internet connections. Even with a secure Wi-Fi network, it's easy for hackers to break in by using randomizing programs that provide backdoor access, "especially if there is no lockout provision for failed access attempts," Buzzard says.

Internet printing protocol, often used for remote printing, also offers fraudsters an easy in. The convenience remote printing provides also sets the stage for easy attacks.

Once fraudsters get in through those remote-access doors, they can install keyloggers or RAM scrapers, which try to recover deleted data from cached files lingering on network-connected PCs. "That's why it's even a good idea to destroy the RAM inside network printers when they are taken out of service," Buzzard says. "There are just too many places for sensitive data to fall into the wrong hands these days."

Buzzard says banking institutions can urge merchants to take steps to secure their networks and connected systems. These simple precautions can make all the difference:

  • Never affiliate the business name with the name of the Wi-Fi network.
  • Upgrade POS equipment and software regularly, and continually change device passwords. "Not only do the retailers continue to utilize the same POS equipment for as long as it will last - think: no upgrades that improve security - but they often make the fatal mistake of not changing the factory default passwords on the devices, making them incredibly easy to hack in to," Buzzard says.
  • Ensure their payments systems comply with Payment Card Industry Data Security Standard from end to end. Constantly test the integrity of POS systems and networks, as well as all access points.
  • Monitor network traffic. "Red flags should be raised any time there is evidence of incorrect password attempts or unusual network traffic," Buzzard says.

"It's better to invest now in the security of your brand before someone comes along and tarnishes your corporate image," he adds.

About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network