A point-of-sale (POS) intrusion is an attack in which an adversary tries to capture payment data by compromising the computers or servers running the POS applications. Such attacks range from a simple social engineering attack (such as a phone call to obtain credentials) to a more sophisticated, multi-step campaign. Trends from the past three years show constant growth in POS attacks (173 in 2013, 196 in 2014, and 396 in 2015).
Commonly, POS intrusions result from weak authentication controls on remote access to systems where sensitive information, such as user passwords or credit card details, is stored. For smaller organizations, attackers often attack the POS system directly by guessing or brute-forcing the password, which is made easier by weak password complexity policies. Attacks on larger organizations often involve multiple steps, with attackers compromising other internal systems before moving on to the POS.
A major factor in past compromises was use of default credentials, but the recent shift has been toward stolen credentials. Other factors that contribute to the success of these breaches are a general lack of security controls and audit logs in POS systems, insufficient network segmentation, and vulnerabilities in the POS device software.
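The two failure modes described above, brute-forcing of remote access and logins with default accounts, are exactly what audit logs on a POS back-office server make visible. The following is an added example, not taken from the Verizon report or any vendor product, of detection logic run over a constructed remote-access log; the log format, the threshold, and the list of default account names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-access audit log lines for a POS back-office
# server. The "timestamp src= user= result=" format is an assumption.
SAMPLE_LOG = """\
2015-06-01T02:10:01 src=203.0.113.7 user=admin result=FAIL
2015-06-01T02:10:03 src=203.0.113.7 user=admin result=FAIL
2015-06-01T02:10:05 src=203.0.113.7 user=admin result=FAIL
2015-06-01T02:10:06 src=203.0.113.7 user=admin result=FAIL
2015-06-01T02:10:08 src=203.0.113.7 user=admin result=FAIL
2015-06-01T02:10:09 src=203.0.113.7 user=admin result=SUCCESS
2015-06-01T09:15:00 src=10.20.5.44 user=jsmith result=SUCCESS
2015-06-01T09:16:30 src=10.20.5.44 user=jsmith result=FAIL
"""

FAIL_THRESHOLD = 5                 # failures from one source/account within WINDOW
WINDOW = timedelta(minutes=5)
# Assumed list of vendor default account names that should never log in remotely.
DEFAULT_ACCOUNTS = {"admin", "administrator", "pos", "support"}

def parse(line):
    """Split one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def assess(log_text):
    """Return (finding, src, user) tuples for brute force and default-account use."""
    findings = []
    fails = defaultdict(list)      # (src, user) -> recent failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        key = (rec["src"], rec["user"])
        if rec["result"] == "FAIL":
            # Keep only failures inside the sliding window, then check the threshold.
            fails[key] = [t for t in fails[key] if rec["ts"] - t <= WINDOW] + [rec["ts"]]
            if len(fails[key]) == FAIL_THRESHOLD:
                findings.append(("BRUTE_FORCE", rec["src"], rec["user"]))
        else:
            if rec["user"] in DEFAULT_ACCOUNTS:
                findings.append(("DEFAULT_ACCOUNT_LOGIN", rec["src"], rec["user"]))
            if fails[key]:     # success right after a burst of failures
                findings.append(("SUCCESS_AFTER_FAILURES", rec["src"], rec["user"]))
    return findings

if __name__ == "__main__":
    for f in assess(SAMPLE_LOG):
        print(*f)
```

A single successful `admin` login after five failures from one external address is the pattern the report describes for smaller merchants; without an audit log like this one, nothing records it.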
Architecture analysis assessments can help detect these weaknesses and provide remediation guidance to prevent them from being exploited in a breach. Architecture analysis helps identify weak or missing security controls and is therefore an effective approach to analyze access to POS systems from various perspectives. For example, it can assess the password complexity policy, credential storage, and multifactor authentication controls to determine if they are adequate to prevent these types of attacks on POS systems. The analysis can also identify dependencies on other components and systems to highlight weaknesses that can be exploited if other internal systems have been compromised. This was a common attack vector for large-scale POS breaches, according to the Verizon report.
Architecture analysis identifies not only technical failures but also process-oriented loopholes. For example, it can examine whether the process for adding or modifying user access must follow a sequence of approvals and verification checks, and whether those steps are audited so that abuse can be detected.