The cybersecurity firm ERPScan researchers have conducted a study in which they found that SAP’s point-of-sale (POS) systems lack authentication mechanisms and internal commands.
The absence of these paves the way for any person to enter into the store’s checkout system without restriction. The access is further made easier with the availability of ethernet-connected machines and devices around the store. The plug-and-play attack is the most common in this case.
How is the attack executed?
Hackers appear to have found a haven of roses here. The SAP Xpress server is simply fed with a new configuration file that takes control of the checkout machines, providing administrative permissions.
With this kind of unrestricted access, the malicious hackers are able to set discounts, adjust discounts or any other malicious intent on the system. For instance, they are able to remotely expose credit card numbers and shut down the checkout system.
ERPScan chief technology officer, Alexander Polyakov, explains that “hackers get the ability to do anything of their liking including giving special offers, changing prices and stealing credit card numbers.”
Even though the researchers admit that the $1 price to purchase a MacBook is exaggerated, it’s possible for cashiers to overlook discounted items.
Dmitry Chastuhin is among the experts who unmasked these vulnerabilities. He says that since all POS systems have similar infrastructures, these loopholes could be common to all.
“It’s unbelievable that we are so insecure by just swiping cards… the level of control they assume can’t be downplayed” said Chastuhin.
Hackers have of late targeted POS systems with the intention of committing fraud and stealing customer data.
Despite most of these systems being based on proprietary software, the majority of them run on the Windows operating system. Immediately the POS systems are connected to the Internet and considering the fact that they are rarely updated, the risks to malware are enormous.
Among the most talked about data breaches, including Target’s, were executed by making POS systems the primary targets. In 2014, hackers were able to siphon data from 70 million customers on Target’s systems. All they did was install an off-the-shelf malware. Many other top ranking outlets have also fallen victims of these attacks.
Oracle revealed last year that it was investigating the possibility of its Micros POS systems having been breached. This is a revelation that raised eyebrows considering the division is actually one of the biggest POS makers in the world, servicing over 330,000 sites in 180 countries.
Red Payments estimate that retailers and customers lose billions to POS attacks on a yearly basis. However, these attacks on POS systems have been found to be declining.