Cybercriminals represent the biggest threat to our money and privacy as people increasingly carry out the bulk of their business transactions and store a lot of PII electronically. Even with modern credit and debit cards that have advanced security features, Point-of-Sale (POS) terminals remain the weakest link in the electronic payment security ecosystem.
Point-of-Sale systems become exposed to cyber-attacks for the same reasons that any Internet-connected system would be vulnerable to such an attack: weak passwords, insecure remote access, obsolete software, the possibility of malware infection and/or improper configurations.
Malware infection is by far the most effective and commonly used method by cybercriminals to target Point-of-Sale terminals. Currently, there are more than a dozen known types of RAM-scraping malware that target point-of-sale systems. POS machines used in the retail industry are a common target of cyber-attack. A single retail POS machine can provide a hacker with data on thousands of credit cards over a few days, a couple of weeks or months – and as practice shows it takes an average of 87 days to spot a data breach after successful network intrusion.
This means hackers often have a long enough window to harvest users’ card data, using malware infection as a long-term data exfiltration method, before they are detected and shut down.
One of the biggest attacks on POS systems by cybercriminals has been in the hotel industry. Connecticut-based HEI Hotels & Resorts reported a malware attack on 20 of its hotel portfolios in mid-2016. The attack lasted more than a year. Marriott International, Starwood, Hyatt, and Intercontinental are the hotels managed by HEI that suffered the data breach. HEI attributed the theft of information, including names, card numbers, card verification codes and expiration dates, to malware placed in its systems sometime in March 2015.
Omni Hotels & Resorts and Kimpton Hotels & Restaurants also reported similar credit card data breaches around the same time – potentially organized by the same group of actors. Which begs the question:
Why are Hackers Increasingly Targeting Hotels and Their POS Systems?
Known vulnerabilities that hackers can easily exploit
The cyclical nature of the hospitality industry makes its vulnerabilities fairly predictable to cyber attackers. POS systems in this industry characteristically enter the spotlight during the typical holiday freeze periods associated with little activity and low vigilance levels. Threat actors take advantage of the general laxity in system administration and network perimeter defense to install RAM-scraping malware on the Point-of-Sale terminals.
Note that hotels and restaurants typically delegate their POS security to third-party vendors such as system integrators, which creates a significant risk of insider threats or misconfiguration errors.
In any case, the threat actor will exploit the slightest system vulnerabilities, including the human element, to launch an attack. This only serves to underscore the need for continuous monitoring of the risk environment in and out of season. That’s why it’s advisable to work with which helps you configure and monitor trusted and secure remote access channels properly into your POS network while enabling you to detect uncontrolled ways of remotely accessing your infrastructure and to detect suspicious activity at the software and network level. This means you can take proactive measures to ensure your system doesn’t get breached.
Large attack surface and high number of transactions involved
Hotel chains are by nature vulnerable, high-value targets. They are distributed enterprises, which inherently provides a vast attack surface that cybercriminals can take advantage of. Many of those that have been breached in the recent past are transnationally known brands with a lot of customers from all around the world.
Such targets are naturally extremely attractive to cybercriminals for a couple of reasons. One, they may cover a very large geography, which is synonymous with a large attack surface. And two, their customers (cardholders) are traditionally guaranteed to have sizeable balances on their cards, since a good number of them are wealthy individuals. Stealing such a cardholder’s identity and payment information may mean a highly lucrative opportunity for a cybercriminal.
An investigation into the POS breach at Omni Hotels & Resorts revealed that the criminals used the information stolen in the hotel’s breach to make fraudulent purchases for a while. One hacker was found to have sold over 50,000 credit card numbers related to the attack at Omni. The large number of transactions typically carried out by hotels and restaurants is a key impetus for the attacks.
Luxury and Boutique Hotels – Huge amounts of money to tap
Luxurious hotels and other hospitality outlets transact huge sums of money per customer. Intercepting such a customer’s credit card details means the hacker can clone the credit card, steal the customer’s money online and even empty their bitcoin wallet.
An average attacker can do all of this quite simply once they breach a single POS machine within the target hotel’s network by infecting the terminal with RAM-scraping malware.
In some cases, the threat actors attack the POS infrastructure from the back-office system, the hotel PMS, exfiltrating customers’ data directly from its databases.
Once this is done, the invader can do virtually whatever they want with the victim’s money. They are able to check the bank account balance, make withdrawals and even change the stolen debit card’s PIN for banks that allow PIN resets via their websites.
Huge Privacy Risks – Hotels traditionally collect a lot of customer information
The hospitality industry is a goldmine of information about customers. In this age where privacy protection is a top priority in different areas, businesses in the hospitality industry that collect and keep lots of information about their customers, such as scans of IDs and various PII, credit card details, insurance and travel plans, become high-value targets for identity thieves.
Once they have such personal information, they can drain the customer’s bank account, open other utility accounts, run up charges on the customer’s credit cards, or even get medical care on the victim’s health insurance. Further, an identity thief might file a tax return in the stolen name and obtain the person’s tax refund. Cybercriminals can also use such information to perpetrate cyber espionage, putting lots of businesses and institutions at risk.