Usually, when we think of digital security breaches, it conjures thoughts of savvy and nefarious hackers stealing information online in some sophisticated way. But more often than not, some of the scariest vulnerabilities businesses face come from their hardware—and not just from computers and smartphones, but even from something as simple and seemingly safe as their credit card payment terminals.
If you take a look at how retail payments were made 10 or 15 years ago, there were three or four different instances all the way through the payment process, whereas now the payment ecosystem has become more and more complicated. On the payment side, you have things like mobile wallets, alternative payment systems, QR codes and so on. From the merchant side, you have payment providers that sit on top of the system, like PayPal and Square.
All of these systems have made the process more convenient but also more complicated and, potentially, less secure. Ten or 20 years ago, the main goal was to be PCI compliant, meaning that your payment system was tested once a year, which created the illusion that every part of your payment process is secure. Now, if you are a part of this ecosystem—if you're a big merchant, if you're a bank, if you're a payment provider, if you just sell default devices to this market—whoever you are, PCI clearly is not enough.
In a case study conducted during 2018 and 2019, Cyber R&D Lab found serious vulnerabilities in devices from the retail industry's two biggest Point of Sale (PoS) hardware vendors, Verifone and Ingenico. The affected devices are the Verifone VX520, the Verifone MX series, and the Ingenico Telium 2 series, which featured two major vulnerabilities:
• Default Passwords – All hardware devices ship with manufacturer's default passwords, including PoS terminals—a Google search easily reveals them. Those credentials provide access to special "service modes," where hardware configuration and other functions are available. One manufacturer, Ingenico, even prevents you from changing those defaults.
• Executing Arbitrary Code – After tearing down the terminals and extracting their firmware, we found that these "service modes" contain undeclared functions. For more than 20 years, these "service super modes" have allowed undeclared access.
So what do these vulnerabilities mean from a practical standpoint? Once the terminals have been compromised, there are four main ways hackers can create some serious headaches for businesses and their customers:
• Altering transactions
• Cloning cards
• Cloning terminals
• Planting malware to be used in ongoing and/or future attacks
Armed with this new awareness of the problem, we can start to think about steps we can take to prevent these types of attacks. But we also have to understand the overall landscape we're dealing with because the financial market has become extremely complicated. At a certain point, if you become a target of hackers or organized crime groups, being compliant will not be enough for you to protect your entities, your money, your customers or your reputation.
As a small- or medium-sized business, you might not have the time to conduct the types of security testing measures involved in our case study, especially when you consider that even the companies that did agree to it were part of a relatively small minority. Either way, you're rightfully focused on providing your customers with a great experience, including the convenience that comes from the wealth of payment options available to them. But that doesn't have to stop you from taking a few extra precautions.
The best place to start is by doing some simple research on those individual payment providers, keeping in mind that, at least in this particular case, no news doesn't necessarily mean good news. Among other factors, this might simply mean that they've yet to draw any interest from potential hackers, who almost certainly understand that the second mouse often gets the cheese. You can also reach out to them with a few simple questions:
• Do they conduct annual security assessments?
• Have they conducted antifraud red teaming and threat simulation?
• Have they been through a previous breach, and how did they address it?
That third question is particularly important. If you look back at the Internet of Things' early days, Square was one of the earliest mobile payment platforms, and it fell on the proverbial sword for those who came after. But they learned from their early mistakes and are now among the most widely used and most secure mobile payment platforms on the market.
It seems odd to think of credit cards as one of the least advanced forms of payment in the retail market. But progress was always inevitable, as are the growing pains that go with that progress. Whether it's credit card terminals, mobile payments, or any number of other options, the convenience they provide is only as good as the level of security they're able to maintain. But with a few simple, proactive precautions, you can strike the right balance for your business.