In a white paper released by Neal Krawetz, founder of the Hacker Factor Solutions, described several relatively easily exploited vulnerabilities in POS technologies. "The vulnerabilities disclosed in this document denote a set of fundamental flaws in the point-of-sale process," Krawetz said. "Even if a solution were available today, it would take years to be fully deployed."
According to Krawetz, a more detailed version of the document was made available to law enforcement agencies, financial institutions, card providers, credit card clearinghouses, point-of-sale manufacturers, large retailers and related businesses a year ago. Though each of the recipients had an option to respond to the issues cited, only one did, he said. "The delay was set for one year. Since there has been no additional discussion and no additional requests for a delay" the paper has been published.
Krawetz did not respond to requests for comment, but his website described the company as a provider of security consultancy services to mid-size and large companies.
Avivah Litan, an analyst with Gartner, said that Krawetz's paper does a good job of summarising issues that have been known about for years, but not addressed by the credit card industry.
"He has brought out some points that people don't usually talk about," Litan said. "Basically, the paper calls attention to the need for standards at the payment level" for point of sale systems and for payment software. The Payment Card Industry (PCI) data security standard mandated by all major credit card companies requires businesses to take several measures for protecting card holder data. But for the moment, at least, PCI standards are not available for POS devices or software, Litan noted.
"The big hole he is calling attention to is the lack of standards at the PCI level for POS terminals," she said.
According to Krawetz, POS terminals that read credit card information, perform card transactions and receive the confirmation code make attractive targets for hackers. That's because POS terminals often store a relatively high volume of easily accessible credit card data, he said. Some systems purge the data automatically when power is turned off or when transactions are tallied at the end of the day, but that doesn't always happen, Krawetz said in his paper.
Some POS devices, for instance, use static RAM chips to store credit card data, so cutting power to the device usually does not clear this memory. Instead, the memory may need to be cleared using specific commands or it may get filled with new data, effectively overwriting old records.
Getting at the data in such static RAM devices usually requires a hacker to gain physical access to the POS devices. But once they have access, getting to the data itself can be can sometimes be a trivial matter, Krawetz said. In his paper, Krawetz used a POS device from a well known vendor as an example and described how to retrieve a complete list of current payers on the POS device, print a batch report of all transactions in memory and generate a duplicate receipt with credit card information using key combinations publicly availability on the vendor's website.