Point of Sale Terminal Protection - "Fortress PCI at the Mall"

Published: 2014-08-26. Last Updated: 2014-08-26 01:13:25 UTC
by Rob VandenBrink (Version: 1)
8 comment(s)

This is a very broad topic, but over the last few months I've seen some really nicely protected PCI terminals.  Especially since many POS environments are still running Windows XP, this is an important topic to discuss.

Things that I've seen done very well:

First of all, only allow access to the POS app - retail staff generally don't require access to email or the internet, at least not from the sales terminal.  Most POS systems I've seen are running kiosk setups, which remove Explorer and the Start button and kill all hotkeys.  I'm often able to break out of Windows kiosk applications from the keyboard by using a hotkey combination that's been missed.  For instance, Windows+U calls utilman.exe in XP; if you replace utilman with cmd.exe, you are in.  Be sure to account for hotkeys!

If you lock down the POS terminals such that a CMD prompt, the Start menu and so on are not accessible, then the classic "USB Rubber Ducky" or "Teensy" keyboard-as-a-USB-key type attack - where you drop a USB key into an exposed port while making a purchase - is that much tougher.  If you can't get a cmd prompt or some field to enter commands, a malicious keyboard attack of this type isn't likely to succeed.

On that same note, use GPO or your endpoint protection product to lock down USB access.  Even if (or maybe especially if) a repair tech needs USB access, inserting a USB device should need a call to head office.

Use network protections:
The local router generally establishes a VPN to head office
The POS terminal should not have internet access
The POS terminal should have only limited access to head office resources (typically a small DMZ for data collection)
Similarly, only required head office resources should have access to the POS terminal
The POS terminal should not be on the same network as, or have access to, the rest of the store.  For instance, guest wireless, security cameras, alarm systems and so on should all be in VLANs other than the POS VLAN, and none of those should have access to the POS (and vice versa)

For goodness sake, harden your store's firewall/router, and use a template (that you audit) so that you know that they are all configured correctly!  Hardening guides are available for most platforms, the Center for Internet Security's hardening guide for Cisco is a solid one to use as a guide if your perimeter device doesn't have a vendor supplied document.  Though if your firewall/router vendor doesn't have security guidance, maybe you should look at a different solution ...

If your POS terminal tries to connect to an IP that isn't yours, that's an IOC (Indicator of Compromise) - even a simple DNS query to a "different" server can be a giveaway.  If you see unexplained traffic, it's worth investigating - whitelisting stuff like this to make the alert go away is a BAD IDEA!
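The network rules listed above and the "connection to an IP that isn't yours" indicator can be checked mechanically against firewall or flow logs. The following is an added example, not part of the original diary: the subnets, the resolver address, the log format and the function names are all assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed addressing plan (hypothetical; substitute your own ranges).
# Traffic that stays inside the POS VLAN is treated as in-policy (an assumption).
POS_VLAN = ipaddress.ip_network("10.20.30.0/24")          # POS terminals
HEAD_OFFICE_DMZ = ipaddress.ip_network("172.16.50.0/28")  # data-collection DMZ
APPROVED_DNS = {ipaddress.ip_address("172.16.50.2")}      # only resolver POS may use

# Constructed sample records in an assumed format: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2014-08-26T01:00:01Z 10.20.30.11 172.16.50.5 tcp 443
2014-08-26T01:00:07Z 10.20.30.11 172.16.50.2 udp 53
2014-08-26T01:02:13Z 10.20.30.12 192.0.2.53 udp 53
2014-08-26T01:03:40Z 10.20.30.12 203.0.113.77 tcp 80
2014-08-26T01:04:02Z 10.20.40.9 10.20.30.11 tcp 445
2014-08-26T01:05:00Z 10.20.40.9 198.51.100.4 tcp 443
this line is truncated
"""

def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None if the line is unparseable."""
    try:
        ts, src, dst, proto, dport = line.split()
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)
    except ValueError:  # wrong field count, bad address or bad port
        return None

def classify(flow):
    """Return an alert reason, or None when the flow is within policy."""
    _, src, dst, _, dport = flow
    if src in POS_VLAN:
        # Even a DNS query to a "different" server is treated as an IOC.
        if dport == 53 and dst not in APPROVED_DNS:
            return "dns-to-unapproved-resolver"
        if dst not in HEAD_OFFICE_DMZ and dst not in POS_VLAN:
            return "pos-egress-outside-dmz"
    elif dst in POS_VLAN and src not in HEAD_OFFICE_DMZ:
        # Guest wireless, cameras, alarms etc. must not reach the POS VLAN.
        return "inbound-to-pos-from-other-segment"
    return None

def find_alerts(log_text):
    """Return (alerts, skipped); unparseable lines are counted, not silently dropped."""
    alerts, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        flow = parse_flow(line)
        reason = classify(flow) if flow else None
        if flow is None:
            skipped += 1
        elif reason:
            alerts.append((flow[0], str(flow[1]), str(flow[2]), reason))
    return alerts, skipped
```

Calling find_alerts(SAMPLE_FLOWS) flags the query to the unapproved resolver, the outbound web connection and the connection into the POS VLAN from another store segment, and reports one skipped line.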

Use endpoint protections to your advantage.  That means AV, whitelisting and every other EP feature.  Don't install an AV product and leave it at the defaults; tune it for your POS systems.  While you can certainly circumvent AV using SET, Metasploit, VEIL and so on, that's a moving target.  What might work today to evade one AV vendor might very well not work tomorrow.  Plus you'll find that getting a generic application to evade AV is tough - most of the Metasploit evasion techniques top out at a fairly small memory footprint (4K in a lot of cases).

A distributed IPS is the way to go. With hundreds or in some cases thousands of terminals, you need an IPS local to each terminal to detect IOCs as early in the process as possible.  

Secure your passwords, have a good password policy in the OS, and/or use two-factor authentication.
Don't re-use admin passwords.  If an attacker can get mimikatz on your system, or use procdump to get an lsass memory image, then (on XP), you've likely given up most of the passwords on that system.  Even without that, once you get password hashes, anyone who's serious can use GPUs and crack all the local passwords within a few minutes (or a few days if they have to go with brute force).  
Don't store passwords under the keyboard.  In almost every POS engagement, I can lift up the keyboard and have immediate access.  It's to the point that I include that photo in my reports.  Granted, in most stores getting to the keyboard can be a challenge, but if you show up with a laptop bag and say "I'm with IT, Joe (or whoever the IT Director is) sent me", you'd be surprised how much help you'll get from the sales folks.

Keep on top of current POS malware, especially the IOCs for each (the recent Backoff malware is a good example).  This week's alert from US-CERT on the new Backoff variants is a good read, for instance (https://www.us-cert.gov/ncas/alerts/TA14-212A).  The copious amount of discussion on the Target breach (and the associated BlackPOS malware) is another place to look.

Each of these protections can, by itself, be circumvented.  But the more you layer on, the better.  The harder you make your attacker work to penetrate your environment, the more likely they will target someone else.  Your goal is to make things as difficult for the attacker as possible, to force them to make as much "noise" - i.e. generate as many alarms - as possible as they work their way in, to give you a chance at blocking them at one point or another.

This is just a start at protecting a POS system or network.  This is meant as the start of a discussion - I'd be very interested to know what else folks are doing to secure their terminals.  Please use our comment form to share your approaches!

==============
Rob VandenBrink, Metafore


Comments

Didier Stevens has a USB-blocking utility called ARIAD that may be of interest to defenders.
For my part, the inherent weakness lies in the fact that a PC should never, ever, process a transaction *anymore*.

Most setups require a pin entry device (PED), all of which are under the PCI PTS POI regulations. (Fun stuff to read)

PEDs and devices of the like are more and more produced by manufacturers to enable a direct connection to the payment gateway. This makes the card data unknown and unseen to weaker devices like a PC. This is called semi-integrated mode where the PC is connected by serial port to the PED.

But, contrary to integrated mode, semi-integrated allows the PC to simply initiate the transaction with an amount and request an authorization code in return, it might get truncated card data as well, but that is "inoffensive".

And with EMV coming soon, it becomes a cost/benefit situation. Integrating the EMV protocol in a Win32 application seems to me like self root-canal, no sane POS vendor would want that. Especially when PEDs integrate those functions directly, and securely!


I tend to consider cardholder data like dangerous material in transportation, with the proverbial diamond signs. Everywhere it goes, there should be isolation and containment, with incident response, procedures. Most of which are found in PCI DSS, but the analogy is gone...
Along these same lines..

The UPS Store, Inc. Notifies Customers Of Potential Data Compromise and Incident Resolution

San Diego, August 20, 2014

The UPS Store, Inc., among many other U.S. retailers, recently received a government bulletin regarding a broad-based malware intrusion not identified by current anti-virus software. Upon receiving the bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations. The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States.

Based on the current assessment by The UPS Store and the IT security firm, certain customers' information, who used a credit or debit card at the 51 impacted franchised center locations between January 20, 2014 and August 11, 2014, may have been exposed. For most locations, the period of exposure to this malware began after March 26, 2014. The malware was eliminated as of August 11, 2014 and customers can shop securely at all The UPS Store locations.
Have you seen software restriction policies anywhere?

Since "backoff" (just to name the recent malware sample for POS systems, which AV failed to detect for more than 9 months) installs itself in %APPDATA%, SRP defends against it (and of course its dropper too).

From <http://www.asd.gov.au/infosec/top35mitigationstrategies.htm>:
"At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions: ..."

NIST and NSA request their use for systems operated in the US administration:
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>
<http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>

as well as the "Grundschutzhandbuch" of the German BSI:
"4.1.7 Ausführungskontrolle"
Hi guys, maybe you could help me with my question.
Recently I have ordered new equipment from Point of sale systems NJ (http://smile-pos.com/nj). The company is really cool. Can you advise some other companies that also provide hardware and software? I am thinking of opening a new store and want to compare two different systems at work. Sorry if the question was somewhat odd and didn't concern the discussion above...
Hope you will help me -
Having said that, owning a Point of Sales solution for the retail business that you are running will let you keep track of your sales-related information. Rather, I would suggest you visit http://www.ducepos.com