News | September 3, 2015

The Achilles Heel In Retail And Hospitality Cyber Security

New iSheriff White Paper Reviews POS Device Vulnerabilities

iSheriff, the industry leader in cloud-based Enterprise Device Security, recently released a report on Point of Sale (POS) device security and its impact on the retail and hospitality industries: Point of Sale = Point of Entry: The Achilles Heel in Retail & Hospitality Cyber Security. In this report, iSheriff compares publicly disclosed breach data against the National Retail Federation’s list of top retailers, its Top 250 Global Powers of Retailing, and finds:

  • 50% of the top 10 global retailers have been breached
  • 45% of the top 20 global retailers have been breached
  • 38% of the top 50 global retailers have been breached

The US and UK are the geographies with the highest percentage of retailer breaches, with 48% breached in the US and 31% in the UK.

“Cybercriminals and payment card data are like dogs and bacon, they just can’t get enough. With POS devices now handling most of the payment card transactions around the world for retailers, restaurants, hotels and grocers, these systems are in the cross-hairs,” commented Paul Lipman, iSheriff CEO. “Compromised POS’s were the source of major data breaches at Target, Neiman Marcus, Subway and many others, and there are no signs the security risks are slowing down.”

In spite of large investments in security technology and top-notch security personnel, retailers and hospitality firms have an Achilles Heel unique to their business: the POS device. There were close to 35 million POS terminals in use around the world in 2014, and the number of mobile POS devices in the US alone is expected to reach 7.7 million by 2020, according to a study published by Research and Markets.

At the simplest level, a POS device reads information off a customer’s payment card, checks for sufficient funds, transfers payment, and records the transaction. To perform these operations, a POS device combines: (i) a microprocessor; (ii) an operating system; (iii) application software, such as a cash register, inventory management or loyalty program application; and (iv) peripherals, including payment card readers, keypads and printers.

From a security perspective, a POS device is susceptible to the same security threats and vulnerabilities as any desktop PC or laptop. However, POS devices also face three primary security vulnerabilities unique to their use and design:

  • POS operating system vulnerability. POS devices, like any computing device, run an operating system, typically Windows or Linux, that is susceptible to compromise. However, POS systems are often running older OSs such as Windows XP, which are updated and patched less frequently and are therefore left more vulnerable to attack.
  • POS-specific malware vulnerability. POS-specific malware is widely available on the black market and is installed on the device through a traditional network vulnerability. Target’s record-breaking data breach, for example, came through the hacked credentials of a Target refrigeration vendor who had access to Target’s corporate network.
  • POS data transmission vulnerability. While payment data must be securely transmitted between the bank and merchant in compliance with PCI standards, the information is first handled within the POS device. It is there, before it is encrypted, that it is susceptible to interception. Cyber-criminals have targeted this window, just after a card is swiped, to steal data.
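The third bullet above is the reason PCI compliance scans and DLP tools search POS hosts for payment card data sitting in cleartext before it reaches the encrypted channel. The following is an added example written for this page, not code from iSheriff or from the white paper: it scans a constructed memory snapshot for bare primary account numbers (PANs) and for the Track 2 layout a card reader emits, and uses the Luhn mod-10 checksum to discard digit runs that merely look like card numbers (receipt ids, timestamps). The snapshot bytes, the field names in it and the test card numbers (standard 4111... and 5500... test PANs) are all constructed for the example.

```python
import re
from typing import List, Dict

# Bare PAN: 13 to 19 digits not adjoined by other digits (bytes regex, so it
# can run over a raw process dump or a file of unknown encoding).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Track 2 as written by a magstripe reader: ';' PAN '=' YYMM ... '?'
# Seeing this layout in cleartext is the "just after a card is swiped" window.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN (first 6) and last 4 so a report never re-exposes the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(buf: bytes) -> List[Dict]:
    """Return Luhn-valid PANs found in buf, tagged 'track2' or 'pan'."""
    findings = []
    seen_offsets = set()

    # Track 2 hits first; they carry the strongest signal (PAN + expiry).
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan):
            seen_offsets.add(m.start(1))
            findings.append({"offset": m.start(1), "kind": "track2",
                             "pan": mask_pan(pan), "expiry": m.group(2).decode("ascii")})

    # Bare PANs, skipping the ones already reported inside a Track 2 record.
    for m in PAN_RE.finditer(buf):
        if m.start(1) in seen_offsets:
            continue
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan):
            findings.append({"offset": m.start(1), "kind": "pan", "pan": mask_pan(pan)})

    findings.sort(key=lambda f: f["offset"])
    return findings


# Constructed snapshot of a POS process's memory: one swiped card in Track 2
# form, one bare PAN, a 13-digit receipt id that is NOT a card number, and an
# already-encrypted blob that must produce no finding.
SAMPLE_SNAPSHOT = (
    b"cust=Jane Doe\x00"
    b";4111111111111111=25121011234?\x00"
    b"total=42.17\x00"
    b"receipt_id=1234567890123\x00"
    b"loyalty_pan=5500000000000004\x00"
    b"enc=AQIDBAUGBwgJCgsMDQ4PEA==\x00"
)

# Constructed snapshot from a terminal using point-to-point encryption and
# tokenisation: only a token and the last four digits are ever in memory.
TOKENISED_SNAPSHOT = b"token=tok_9f3a7c\x00last4=1111\x00enc=AQIDBAUGBwgJCgsMDQ4PEA==\x00"

if __name__ == "__main__":
    for f in find_plaintext_pans(SAMPLE_SNAPSHOT):
        print(f)
    print("tokenised snapshot findings:", find_plaintext_pans(TOKENISED_SNAPSHOT))
```

Run against the sample, the scanner reports the swiped card as a Track 2 record with its expiry and the loyalty PAN as a bare card number, while the 13-digit receipt id is dropped because it fails the Luhn check and the tokenised snapshot yields nothing. The same scan over a real POS host's process memory or spool files is a cheap way to confirm that card data is in fact encrypted at the reader rather than in the application, which is the mitigation for the interception window the bullet describes.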

Unfortunately, data breaches are likely to continue in the near term for two reasons. First, stolen card data has a limited shelf-life. Credit card companies are quick to spot anomalous spending patterns, as are observant card owners. This means that criminals need a steady supply of fresh card numbers. Second, as the number of breaches increases, the growing supply of stolen data drives down the price it commands. The past three years have witnessed a decline in the going rate for stolen cards. In order to achieve their desired economic returns, hackers are increasing the frequency and scale of their attacks.

About iSheriff
iSheriff is a leading cloud-based enterprise device security platform used by more than 3,000 organizations around the world. Our global cloud network, award-winning security, and SaaS delivery model provide an integrated service to protect all enterprise devices, including laptops, servers, tablets, point of sale devices, industrial equipment and emerging “internet of things” technologies. Simply put, iSheriff delivers more powerful security that is easier to manage and more cost-efficient than our competition. We are proud to be recognized by leading analysts and industry publications, including SC Magazine, Network Computing and IDC. In February 2015, Virus Bulletin's VB100 independent comparative testing named iSheriff the most effective solution against new and emerging malware. For more information, visit www.isheriff.com.

Source: iSheriff