Michael McKinnon, Security Advisor for AVG, shares his tips for staying secure in retail and POS environments, so retailers can protect themselves from cybercrime.
2. What are we looking at today?
AVG.COM.AU AVG.CO.NZ
3. Quick Overview
1. The Problem
2. Attack Vectors
3. Types of Attacks
4. Solutions
4. The Problem
Unlike shoplifters, cybercriminals set up camp and stay there, stealing from retailers for extended periods of time.
5. PC based POS systems
• They are cheap, efficient and can be used for multiple purposes
• However, the PC has become the POS security “battleground”
6. Data breaches are still too easy!
Source: Verizon Data Breach Investigations Report 2012
7. Offline retail is the biggest cybercrime target
Australian Retail Spend: Offline Retail 96%, Online Retail 4%
Source: NAB Online Retail Sales Index – July 2012
8. Infiltration of POS transaction data
There are lots of examples in the news…
Source: www.cio.com.au/article/436663/two_romanians_plead_guilty_point-of-sale_hacking/
10. #1. Default passwords
The user manual says: “Step 1. Change the default password”
BUT, it is far too common that these are not changed, or they’re changed to someone else’s “default” password (which is widely known)
11. Which password is the most secure?
1. E56#av+Yb!
2. Password123
3. aaaaaAAAAA#####43
4. 123456
5. lucasjames
12. Answer: aaaaaAAAAA#####43
But why?
• 17 characters in length
• Contains upper and lowercase letters
• Contains numbers
• Contains a symbol
• There are 37 thousand billion billion billion possible combinations!
Learn other tips for creating a secure password here.
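The figure on the answer slide is a keyspace count: 17 positions, each drawn from the 72 symbols that lowercase, uppercase, digits and a 10-symbol punctuation set add up to (72^17 is about 3.7 × 10^31). The script below is an added example, not part of the AVG deck; it applies that same naive character-class metric to the five candidates from the quiz and, because the deck also warns that default and "someone else's" passwords are widely known, checks each one against a small constructed denylist. The class sizes and the denylist contents are assumptions chosen to reproduce the slide's number.

```python
# Added example (not from the AVG deck): naive character-class keyspace for
# the five quiz passwords, plus a constructed "widely known password" check.
import math

# Assumed class sizes: 26 + 26 + 10 + 10 = 72 symbols. This is the alphabet
# that reproduces the slide's "37 thousand billion billion billion" (72**17).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}

# Constructed stand-in for a breach-derived list of widely known passwords.
# A real deployment would load a much larger list.
KNOWN_WEAK = {"password", "password123", "123456", "admin", "1234", "welcome"}

# The five candidates exactly as they appear on the quiz slide.
CANDIDATES = ["E56#av+Yb!", "Password123", "aaaaaAAAAA#####43", "123456", "lucasjames"]


def char_classes(pw):
    """Return the set of character classes actually present in the password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def alphabet_size(pw):
    """Size of the alphabet an attacker must cover, given the classes used."""
    return sum(CLASS_SIZES[c] for c in char_classes(pw))


def keyspace(pw):
    """Number of strings of this length over the detected alphabet."""
    return alphabet_size(pw) ** len(pw)


def entropy_bits(pw):
    """log2 of the keyspace: bits of work for a full brute-force search."""
    return math.log2(keyspace(pw))


def is_known_weak(pw):
    """True if the password (case-insensitively) is on the constructed denylist."""
    return pw.lower() in KNOWN_WEAK


def strongest(candidates):
    """The candidate with the largest keyspace, i.e. the slide's answer."""
    return max(candidates, key=keyspace)


def report(candidates):
    """One row per candidate: length, alphabet, keyspace, bits, denylist hit."""
    return [
        {
            "password": pw,
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "keyspace": keyspace(pw),
            "bits": round(entropy_bits(pw), 1),
            "known_weak": is_known_weak(pw),
        }
        for pw in candidates
    ]


if __name__ == "__main__":
    for row in report(CANDIDATES):
        print(f"{row['password']:<20} len={row['length']:>2} "
              f"alphabet={row['alphabet']:>2} bits={row['bits']:>5} "
              f"keyspace={row['keyspace']:.2e} known_weak={row['known_weak']}")
    print("strongest by keyspace:", strongest(CANDIDATES))
```

The keyspace counts every string of that length over the alphabet, regardless of how the characters were actually chosen, which is exactly the assumption behind the slide's figure. That is why the denylist check sits alongside it: "Password123" scores 62^11 by this metric yet is on every common-password list, and a password that is never changed from the manufacturer's default is weak no matter how many classes it contains.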
13. #2. Remote desktop access
• Convenient and very common for providing remote support
• But, often poorly implemented with weak passwords
14. #3. Insecure wireless networks
• Wireless networks are convenient in retail environments, however when they’re poorly configured they represent a huge security risk
• Data packets can be “sniffed” by nearby attackers
15. #4. Phishing, spear phishing & whaling
• Phishing is the sending of specially crafted emails to trick users into divulging sensitive information. For example:
  “Click here to see the details of your order” –> (login page)
• Handling email in a retail setting can be very dangerous!
16. #5. Social engineering
• Social engineering means that gaining access to someone’s computer only needs to be as hard as gaining their trust!
• What do you give for a 10th wedding anniversary…?
  “I could have got her to click on anything I wanted!”
• It’s about customer service vs customer honesty
17. #6. Physical disclosure
• Modern retail layouts often remove the traditional counter, exposing equipment to theft or tampering
• Disclosure of the makes and models, or other identifying labels, can also compromise retailers
• Physical loss is the no. 1 risk for secure mobile devices
18. Types of Attack
Malware and hacking are the most common attack methods used by cybercriminals.
19. Common types of attack
Source: Verizon Data Breach Investigations Report 2012
20. Malware & Trojans
• Common varieties that cause general havoc include Fake Antivirus & ransomware
• Retail / POS specific – “RAM scrapers” (designed to exfiltrate transaction data)
• Remote control Trojan or Rootkit (designed to remain hidden for future access)
21. Hacking
• When combined with custom-written malware, hacking is highly targeted and designed to avoid detection and remain in place for a long time
• In 2011, Verizon reported that 81% of incidents utilised some form of hacking
22. Solutions
You may be surprised that security solutions are often simple and inexpensive.
23. The solutions are NOT expensive
Source: Verizon Data Breach Investigations Report 2012
24. Tips & suggestions
1. Use strong passwords and change the default ones
2. Secure remote access with strong authentication
3. All wireless networks should use “WPA” or “WPA2”
4. Avoid spam email – use an Anti-Spam solution
5. Increase staff awareness of social engineering tactics
6. Use endpoint protection on every device (antivirus and anti-malware) – AVG is a good choice!
25. Follow the money
• Cybercriminals tend to “follow the money”
• This means the types of attack are often predictable:
  • Credit card data
  • Private customer information
  • Refund / returns policy
  • Bank accounts
  • Financial processes
26. Talk to your IT provider & stay in the loop!
• Ask them: “How are you keeping us secure?”
• Sign up to vendor notification / update lists
• Every six months, do a proper review of security
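The "Tips & suggestions" list and the "every six months, do a proper review" advice on the slide above are the kind of rules a retailer can check mechanically rather than from memory. The script below is an added example, not part of the AVG deck, that turns those rules into a checklist run over a constructed inventory of store devices; the inventory, its field names and the sample dates are assumptions, and tip 5 (staff awareness) is a people-level control that is not modelled per device.

```python
# Added example (not from the AVG deck): the deck's tips as an audit
# checklist applied to a constructed device inventory.
from datetime import date

# Tip 3 in the deck: wireless must use WPA or WPA2. WPA3 is newer than the
# deck and is included here as an assumption about what the rule means today.
SECURE_WIRELESS = {"WPA", "WPA2", "WPA3"}
REVIEW_INTERVAL_DAYS = 183  # "every six months" (assumed as 183 days)

# Constructed sample inventory, not real devices. wireless=None means wired.
INVENTORY = [
    {"name": "register-1", "default_password_changed": True,
     "remote_access": True, "remote_mfa": True, "wireless": "WPA2",
     "anti_spam": True, "endpoint_protection": True,
     "last_review": date(2012, 6, 1)},
    {"name": "register-2", "default_password_changed": False,
     "remote_access": True, "remote_mfa": False, "wireless": "WEP",
     "anti_spam": False, "endpoint_protection": False,
     "last_review": date(2011, 11, 1)},
    {"name": "back-office-pc", "default_password_changed": True,
     "remote_access": False, "remote_mfa": False, "wireless": None,
     "anti_spam": True, "endpoint_protection": True,
     "last_review": date(2012, 1, 15)},
]


def audit_device(dev, today):
    """Return the list of deck tips this device fails (empty list = compliant)."""
    findings = []
    if not dev["default_password_changed"]:
        findings.append("tip 1: default password still in use")
    # Tip 2 only applies where remote access is actually enabled.
    if dev["remote_access"] and not dev["remote_mfa"]:
        findings.append("tip 2: remote access without strong authentication")
    # Tip 3 applies only to wireless devices; WEP and open networks fail it.
    if dev["wireless"] is not None and dev["wireless"] not in SECURE_WIRELESS:
        findings.append(f"tip 3: wireless uses {dev['wireless']}, not WPA/WPA2")
    if not dev["anti_spam"]:
        findings.append("tip 4: no anti-spam filtering in front of email")
    if not dev["endpoint_protection"]:
        findings.append("tip 6: no endpoint protection installed")
    # "Every six months, do a proper review of security."
    if (today - dev["last_review"]).days > REVIEW_INTERVAL_DAYS:
        findings.append("review: last security review is older than six months")
    return findings


def audit_inventory(inventory, today):
    """Map each device name to its findings."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


def noncompliant(inventory, today):
    """Names of devices with at least one finding, for the IT-provider conversation."""
    return [name for name, f in audit_inventory(inventory, today).items() if f]


if __name__ == "__main__":
    today = date(2012, 8, 1)  # constructed "run date", matching the deck's era
    for name, findings in audit_inventory(INVENTORY, today).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Each check maps back to one numbered tip, so the output doubles as the agenda for the "How are you keeping us secure?" question on the slide: a device with an empty list meets every rule the deck states, and the review-age check is what turns "every six months" from an intention into something the audit itself enforces.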
27. Thank you!
For even more information on retail security, visit:
avg.com.au/POS
facebook.com/avgaunz
avg.com.au
avg.co.nz
twitter.com/avgaunz