December 6, 2013

Yikes - PC based Point of Sale systems and botnets

I own a small grocery store and am starting up a new service business. Although Point of Sale systems could be helpful, we are too small for the commercial units (IBM - $3K/month lease), and the security on the PC-based units was never that good in my opinion. Especially for Merchant Services -- always used a dedicated credit card processing terminal. Turns out my concerns were not unfounded -- from Ars Technica:
Credit card fraud comes of age with advances in point-of-sale botnets
Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.

The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August, researchers from IntelCrawler, a Los Angeles-based security intelligence provider, told Ars. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. A recently captured screenshot (above) showed that it was controlling 31 machines that the researchers said belonged to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected PoS devices could be much higher. The researchers have reported their findings to law enforcement agencies that they declined to identify by name.

PoS-based hacking is nothing new. The best-known incident stole data for more than 146,000 cards after infecting 200 terminals used at Subway Sandwich shops and other small merchants. According to federal prosecutors, the criminals behind that intrusion infected one or more servers with "sniffing" software that logged payment card numbers and sent them to a remote server. Although the now-convicted crooks were able to install a backdoor on the computers they accessed so they could change configuration settings and install new programs, there is no evidence of a botnet that actively controlled the infected machines in lockstep.

Keep each system separate. Use a stand-alone machine for CC processing, keep your POS register (if you have one) de-coupled from the internet. They are out to get you and being the person responsible for the harvesting of a couple dozen credit card numbers in this small community could kill a business' reputation. There is a lot of leverage to be had by keeping things old school. Less hassles...

Posted by DaveH at December 6, 2013 9:15 PM