A malware researcher at HP has, almost by accident, exposed a surprising reality about how weakly companies, especially in the hospitality industry, secure their point-of-sale terminals, even as card payments at the terminal are fast becoming the norm.
According to the researcher, the Aloha point-of-sale terminal was bought on eBay for $200, and the device still held data belonging to its previous owner, a company in the hospitality industry. The terminal contained passwords, an unpatched vulnerability, and a live database with the names, addresses, Social Security numbers and phone numbers of users who had previously been given access to the system.
Instead of a well-meaning buyer, the terminal could just as easily have been sold to attackers, who are more than willing to pay a few hundred dollars on the chance of finding something in the system that they can turn into profit.
The main problem this discovery highlights is how little seriousness the hospitality industry shows in securing a payment method that is critical to both the company and its customers, something that starts with updating their POS terminals. This is evident in the many hospitality companies that still process transactions on old POS systems, which regularly lead to data breaches such as the one Target suffered recently.
Considering the large number of POS terminals currently in use across industries, not just the hospitality sector, there is no way to know how many vulnerabilities could potentially be found in those systems. The only thing that is certain is that the number is great.
Most small businesses also fail to comply with the payment card industry's data security standards, which likewise require companies to upgrade and modernize their POS systems. Visa and MasterCard strictly enforce this requirement.
Other businesses, trying to avoid the cost of expensive POS terminals, turn to eBay to buy relatively cheap second-hand systems. But the risks posed by second-hand POS terminals, such as malware that may have been planted on the device or a vulnerability that was never fixed, cannot be overstated.
As a matter of security, POS terminals ought to be isolated from the Internet, where all sorts of weaknesses and attacks abound. Yet some companies in the hospitality industry have been found to connect these systems directly to public networks, exposing them to malicious attackers who could exploit the terminal at the business's expense.
Especially alarming is that these terminals run on Windows XP, which no longer receives updates or security patches from Microsoft.