The holiday season was marked with a huge data breach, and that was on hard wired registers. But sometimes when you swipe a credit card, you may not need to wait in a long line at the checkout counter because the checkout counter may come to you.
Mobile point-of- sale (POS) devices, which are often iPods or iPads with a card reader attached, allow employees to complete payment card transactions on the store floor. These devices help retailers improve their efficiency during the checkout process, but they also may bring risk that merchants weren’t expecting.
As a managing consultant for an information security company, I often perform penetration testing for businesses. Penetration testers, also known as ethical hackers, are hired by businesses to break into their networks and applications to help identify and remediate vulnerabilities in security.
Recently, I was hired to ethically hack several retail businesses, specifically targeting mobile POS technology that was installed on Apple iOS devices. The device was a card reader connected to an iPod and contained custom-built software that enabled employees to process payment card transactions. Simulating a real-life criminal, I jailbroke the device, which gave me control of its operating system.
That was when I noticed the software installed in the device did not encrypt information the moment a card was swiped. Encryption makes data unreadable, so if a device fails to encrypt payment card information, even if only for a few seconds, a hacker is able to access it.
To steal the information, I planted custom-built malware, which pulled numbers as the cards were swiped, onto the device. Within 20 minutes, I stole the payment card information of hundreds of customers — information that a real criminal could sell on the black market.
My research revealed a lurking data breach danger for retailers who use mobile POS devices, especially for large retailers that create custom mobile POS software using iOS devices to integrate with their existing backend systems. If security is not taken into account during the development and implementation of these devices, retailers could face a damaging data breach.
Securing the Business
So what security controls are needed to help prevent this kind of attack?
It begins by choosing the right card reader. Some retailers prefer to install a less costly reader, one that requires special hardware to encrypt information. Instead of purchasing the hardware, they opt to build encryption into their custom software application, a decision that could place customers at risk because payment card information is not encrypted in the hardware the moment a card is swiped.
Other tips for retailers include:
Hold security awareness training for all employees, even temporary workers, so that they are aware of best practices when it comes to security and can spot any red flags that may indicate a breach.
Ensure Payment Card Industry Data Security Standard (PCI DSS) compliance, a security requirement for all businesses that store, process or transmit payment card data.
Developers and businesses should have penetration testing performed on all mobile devices and applications before they are put to use.
Have a risk assessment performed on all networks and applications to identify other security controls that might be needed to protect sensitive information. For mobile devices, this may include technology that can isolate a device from the rest of the network if that device is compromised.