Point-of-Sale Vulnerabilities

July 24, 2008

The Target: the wireless point-of-sale (POS)

The wireless POS system consists of one or more networked wireless POS end-points located at the check-out stands and an internal on-site transaction server that connects the system to the payment authorization source. The transaction server also interfaces with the inventory control system.

• Transaction initiated at wireless POS checkout stand

• Transaction information is sent from the terminal to the wireless access point, on to the transaction server, and then to the authorization source

• The transaction authorization returns to the POS checkout to complete the transaction

Note that there are vulnerabilities at each of these points.


From an architectural perspective, a POS end-point runs an operating system, either a version of Windows or Linux, configured to limit functionality – meaning not all O/S functions are available to the logged-in user. These devices are physically divided into two components:

• Card Reader – the unit that reads the card as it is swiped.

• Transaction Unit – the unit that sends the card information to an authorization source.

The information read at the POS is sent to an authorization source (e.g., Amex) through the transaction unit. In addition, the transaction details of the purchase (payment, item, quantity, etc.) are sent over the network to a branch server for inventory control and auditing purposes.

Normally the information sent between the retailer and the authorization source is protected with strong encryption; however, traffic between the POS and the internal branch servers may or may not be encrypted, depending entirely on the configuration.

Assuming that the retailer does encrypt the information sent between the POS and the branch server, the real vulnerabilities lie at the POS end-point, the wireless access point, and the branch server itself.

• Because a POS terminal reads the card information, performs the transaction and receives the authorization code, that information may be stored for short periods in flash, static RAM or on the hard drive (e.g., for a few hours until the register is closed out). Malware could therefore be installed directly on the POS to intercept the transaction data as it is sent to the authorization source or to the internal branch server for storage.

• Branch servers are normally used to collect information from multiple POS terminals, so they will often be running a database of some form. A hacker wishing to obtain this information would have to compromise the server first, and then likely exploit weaknesses in the database's encryption.
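The first bullet's point, that cardholder data can sit unencrypted in POS storage for hours, is something a defender can check for. The following is an added example (not code from the original post): a scanner that looks for Luhn-valid primary account numbers with a known issuer prefix in a text sample, masking anything it reports. The log content and the issuer prefix list are constructed assumptions for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of what a POS terminal's local log or swap area might hold
# shortly after a swipe (not real data): a Luhn-valid test PAN inside track-2
# style data, a reference number that merely looks like a PAN (fails Luhn),
# a second valid test PAN written with spaces, and a phone number.
SAMPLE_CONTENT = (
    "2008-07-24 18:02:11 txn=44831 amount=19.99\n"
    "track2=4111111111111111=1012101123456789\n"
    "ref=4123456789012345 status=approved\n"
    "cust=5105 1051 0510 5100 exp=10/12\n"
    "phone=+1 415 555 0100\n"
)

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes accepted by this check (assumed subset: Visa, MasterCard,
# Amex, Discover). Extend for the card brands a given retailer accepts.
KNOWN_PREFIXES = ("4", "51", "52", "53", "54", "55", "34", "37", "6011")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid PAN found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if digits.startswith(KNOWN_PREFIXES) and luhn_ok(digits):
                # Report only first six and last four so the scan output is not itself a leak.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((lineno, masked))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_CONTENT):
        print(f"line {lineno}: cleartext PAN found {masked}")
```

Run against files a POS writes to (logs, spool and temp directories, swap) as part of a periodic check; a hit means cardholder data is at rest in cleartext on the terminal.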

Because the target is often cardholder information, hackers are developing strategies that involve breaching wireless networks – mainly because a POS can only be reached by direct physical access or over the network, and the wireless network is easier to penetrate than the corporate firewall and external gateway.

Penetrating a wireless network and planting targeted malware has only recently emerged on the scene and is expected to increase, especially since cardholder information is one of the primary targets when it comes to data of value.

Once the intruder has accessed the wireless network, the next challenge is to compromise the POS or the branch server. There are a number of ways and vectors by which this can be accomplished in a relatively short period of time:

• Privilege escalation: Elevating user privileges is a method hackers use to gain access to parts of the system that require a higher level of authorization. Software vulnerabilities that allow this are the culprit behind most escalation attacks.

• Hacking specific Windows services (IIS, SQL, Apache, etc.): Gaining access via services running on Windows by exploiting specific vulnerabilities that allow remote arbitrary code execution.

• Buffer overflow attacks: Overflowing an application's buffer causes a fault condition that in some cases allows arbitrary code to execute, including binding a remote shell. If the system is vulnerable and the technique is carried out correctly, these methods often work.

One popular method being used today is the development of targeted malware to extract credit card information and other sensitive data directly from the wireless POS, the AP, or the branch server.

In some recent breaches, malware was physically installed on key servers and the avenue of attack was a wireless network at a field office.

One theory on how this malware would work is that it captures the details in real time: Trojans are installed that interact directly with the application on the POS terminal and capture the customer's information as it is sent to the authorization source or the branch server.

Once the malware has captured the necessary data it can open a channel to a command and control (C&C) server and upload the stolen information. The C&C server is often also connected to thousands of compromised PCs, and it then distributes the stolen data to be stored on those consumers' PCs. The chilling part is that any consumer's PC can instantly become a drop-box for stolen corporate information once it has been compromised by hackers.
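The upload to a C&C server described above has to cross the network, and in the architecture this post lays out a POS terminal has no legitimate reason to talk to anything but the transaction server. The following is an added example (not from the original post) of that check run over a constructed egress log: the addresses, the log format and the assumption that only the transaction server contacts the authorization source are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed addressing for the architecture the post describes (constructed):
# POS terminals on the wireless segment talk only to the branch transaction
# server; only the transaction server talks out to the authorization source.
POS_SEGMENT = ip_network("10.1.5.0/24")
TRANSACTION_SERVER = ip_address("10.1.1.10")
AUTH_SOURCE = ip_network("198.51.100.0/24")   # documentation range standing in for the acquirer

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)")

# Constructed egress log: two normal flows, then a POS terminal and the
# transaction server both pushing data to an address outside the expected set.
SAMPLE_LOG = """\
2008-07-24 18:05:01 src=10.1.5.21 dst=10.1.1.10 dport=8443 bytes_out=2310
2008-07-24 18:05:02 src=10.1.1.10 dst=198.51.100.7 dport=443 bytes_out=1904
2008-07-24 18:05:09 src=10.1.5.21 dst=203.0.113.45 dport=443 bytes_out=487120
2008-07-24 18:05:12 src=10.1.1.10 dst=203.0.113.45 dport=80 bytes_out=120
"""


def allowed(src: str, dst: str) -> bool:
    """Return True if a src->dst flow matches the expected POS traffic pattern."""
    s, d = ip_address(src), ip_address(dst)
    if s in POS_SEGMENT:
        return d == TRANSACTION_SERVER
    if s == TRANSACTION_SERVER:
        return d in POS_SEGMENT or d in AUTH_SOURCE
    return False   # anything else on these segments is unexpected


def find_unexpected_flows(log: str) -> List[Dict[str, str]]:
    """Return each parsed log entry whose src->dst pair is outside the expected pattern."""
    alerts = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue   # unparseable line; a production job would count these
        if not allowed(m["src"], m["dst"]):
            alerts.append({"src": m["src"], "dst": m["dst"],
                           "dport": m["dport"], "bytes_out": m["bytes"]})
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_flows(SAMPLE_LOG):
        print(f"unexpected egress {a['src']} -> {a['dst']}:{a['dport']} ({a['bytes_out']} bytes)")
```

The byte count is carried in the alert because a terminal that normally sends a few kilobytes per transaction suddenly sending hundreds of kilobytes to a new destination is the signature of exactly the upload described above.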

Hiding the evidence

The attacker's next step after compromising the POS would be to hide the obvious signs that the system has been tampered with; installing a rootkit is one way to conceal any traces of the attack. Persistent kernel-mode rootkits are the hardest form to detect.

In this way the hacker completely eliminates the possibility of detection by security scanners, anti-virus applications or any other security tool focused on finding vulnerabilities, so the breach can remain hidden for as long as possible before anyone considers the possibility that a POS has been breached.