Point of Sale Terminal

US CERT Warns About Point-of-Sale Malware

With news of the breach of big-box retailer Target Inc. still in the headlines, the U.S. Computer Emergency Readiness Team (CERT) issued a warning about the danger posed by malicious software targeting Point of Sale (POS) systems.

US CERT warns that Point of Sale terminals are vulnerable to malware infection.

CERT issued an advisory (TA14-002A) on Thursday asking POS owners to take steps to secure the devices, and telling consumers to beware. The warning comes after a string of reports that suggest that malware attacking point of sale systems is on the rise.

In December, researchers from Arbor Networks said they had detected an “active PoS compromise campaign” to steal credit and debit card data that used the Dexter and Project Hook malware.

Dexter is a Windows-based program that was first discovered in December 2012 by Seculert, an Israeli security firm.

It is still not known whether malware played a part in the huge theft of credit card data from Target Inc. That company admitted last month that credit card information belonging to some 40 million customers was stolen from its network, including credit and debit card numbers, cardholders’ names and PIN codes for use with debit cards. The source of that breach isn’t known, but speculation has centered on Target’s Point of Sale systems.

Security experts have noted that PoS systems often run versions of commercial operating systems like Windows and suffer from many of the same security woes as those systems, including exploitable software vulnerabilities, weak authentication and susceptibility to physical tampering. 

Writing on Thursday, CERT advised owners and operators of PoS systems to increase their security by employing strong passwords and getting rid of any system default passwords. Point of Sale terminals should be updated to the latest software version available, and should use firewalls to block access from outside and within the corporate network and anti-malware software to stop malicious programs, whenever possible. Finally, local access using USB thumb drives or other external media should be prohibited, CERT said.