This article is an excellent reminder of why it is very important for retailers to move forward with the implementation of EMV/Chip-Pin card readers and the necessary associated Point-of-Sale software. Far too many retailers have the hardware in place, but not the software to leverage this new technology.
It is also important to remember the value of timely patching of all systems, regardless of the card handling mechanisms in place.
I really like this timeline provided by the good people of OpenDNS/Cisco. It well represents the exponential growth in threats and attacks on retail POS over the last few years. It should create a sense of urgency for anyone who reviews it.
This is an interesting review of some of the challenges and pitfalls associated with POS security and related malware threats. There is also some strong product placement for Tripwire’s Enterprise solution for Point-of-Sale. I will admit that I utilized this product in a previous retail IT security position and believe it is a strong solution for POS change control and monitoring.
It is always concerning when new, more potent variants of POS malware crop up in the world. This is a good overview article for consumption.
Consider this post both a plug for attending BSidesDC and an endorsement of Ken Westin’s topic. I encourage anyone in the DC metro area to come out and participate.
Yet another POS breach to deal with, and this one from locations heavily visited during the summer vacation season. Please beware and take caution, especially in these tourist locations.
This is a disturbing continuing trend of breach issues with Sally’s and the POS industry at large. This is a great example of why it is important to be aware of the multiple ways a breach can occur and reoccur in an environment.
This type of Point-of-Sale malware will continue to be a problem as long as card transactions are transmitted from the pin pad to the lane CPU in clear text. Hardware-level encryption at the swipe is a good way to combat this type of CPU memory-level attack, but the card data must remain encrypted all the way through the transmission process to the acquiring bank.