It’s easy for retailers to join the POS massacre and make their business a cybercrime victim – these simple steps explain how.
1) Don’t train your employees. According to the Verizon Breach Report 2015, social engineering is a tool loved by cybercriminals when it comes to POS breaches. Simple calls can trick employees into providing the password data cybercriminals need to remotely access a POS system, but this is harder for the criminals if your workers think twice about their behavior. If you want to make it easy for cybercriminals, encourage your employees to casually click on social media links and email attachments in the workplace, especially if they are using POS-equipped machines.
2) Avoid password maintenance. Once a POS system is installed, avoid changing the default system password. Also, make all employees use this default password to log in to the machine. If an employee ceases to work for the business, make sure his/her password remains on the system to make it even more vulnerable.
3) Say ‘no’ to lock-down connections. Make sure you have open Wi-Fi systems, and no firewall, to provide cybercriminals with easy access to your network.
4) Easy physical access. Since cybercriminals only need a short window of time to tamper with a POS system, make sure your POS machine is not staffed at all times. Make sure you have no physical barriers around the POS machine, as these could limit a customer’s ability to interact with any credit card readers or USB ports on the machine itself.
5) Ensure the core operating system of each machine is outdated. Make sure your employees do not know a thing about Windows systems and application updates.
6) Don’t bother installing specialized POS security software. Attacks on retailers are driven largely by sophisticated malware, so POS-dedicated protection should be avoided if you want to suffer a breach. To safeguard businesses from POS fraudsters’ tricks, Kaspersky Lab has introduced Kaspersky Embedded Systems Security – a solution designed to protect payment card systems. Remember, if you want to ruin your business, be sure to avoid this software.
7) No web access management. With Kaspersky Small Office Security, business owners can prevent employees from visiting certain types of website (e.g., social media) and from downloading programs. However, if you wish to be less secure, avoid using this. Instead, allow your employees to browse the Internet using your POS machine.
8) Don’t encrypt or back up. In many countries, any business that saves customer data is required by law to encrypt it. But if you wish to ruin your retail business, avoid encrypting sensitive payment data. Also, make sure that all business-critical records are not backed up to an external hard drive or cloud repository.
With new countries, including the USA, moving to EMV cards, the world is becoming more and more secure. This gives hackers even more reasons to target ill-prepared POS systems. To be on the target list and to lose the game, retail and restaurant organizations should ensure they have not done everything possible to keep their customers’ card data safe and sound.