Recently, both Visa® and Discover® sent out security alerts about retail data security breaches in which attackers gained unauthorized access to merchant point of sale (POS) environments and, ultimately, to payment card data.
Below are examples of common remote access vulnerabilities, several of which Visa and Discover identified as the cause of, or a contributing factor in, the recent POS data breaches, along with recommendations to address them.
Remote access ports and services always available on the internet.
An intruder can easily perform a port scan against a merchant’s IP address space and identify potential access points. Remote access applications (e.g. LogMeIn®, PCAnywhere®, VNC®) – commonly used to support retailers – often run on predictable, well-known ports.
Recommendations: Ensure firewalls are in place and only allow remote access from known IP addresses; contact your support team or point of sale provider and verify that a unique username and password exist for each of your remote management applications; use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
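As an added example (not part of the Visa or Discover alerts), the following script audits the firewall recommendation above: it parses iptables-save style INPUT rules, which is an assumed ruleset format, and reports which well-known remote access ports an arbitrary internet address could still reach. The port list (VNC on 5900, pcAnywhere on 5631), the rulesets and all addresses are constructed for the example.

```python
import ipaddress
import re

# Inbound ports of remote access tools commonly found on POS networks.
# The list is an assumption for this example; extend it for your environment.
REMOTE_ACCESS_PORTS = {5900: "VNC", 5631: "pcAnywhere"}

# Matches iptables-save style INPUT rules with an optional source restriction.
RULE_RE = re.compile(
    r"-A INPUT(?:\s+-s\s+(?P<src>\S+))?\s+-p\s+tcp(?:\s+-m\s+tcp)?"
    r"\s+--dport\s+(?P<port>\d+)\s+-j\s+(?P<action>ACCEPT|DROP|REJECT)"
)

def parse_rules(text):
    """Return (source_network, port, action) tuples; no -s means any source."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_network(m.group("src") or "0.0.0.0/0", strict=False)
        rules.append((src, int(m.group("port")), m.group("action")))
    return rules

def reachable(rules, default_policy, source_ip, port):
    """First-match evaluation: is tcp/port open to source_ip under these rules?"""
    src = ipaddress.ip_address(source_ip)
    for net, rule_port, action in rules:
        if rule_port == port and src in net:
            return action == "ACCEPT"
    return default_policy == "ACCEPT"  # chain policy applies when nothing matched

def exposed_remote_access(rule_text, default_policy="ACCEPT", probe_ip="198.51.100.7"):
    """Remote access ports an unknown internet host (probe_ip, constructed) can reach."""
    rules = parse_rules(rule_text)
    return {p: name for p, name in REMOTE_ACCESS_PORTS.items()
            if reachable(rules, default_policy, probe_ip, p)}

# Constructed weak ruleset: VNC accepted from anywhere, chain policy left at ACCEPT,
# so pcAnywhere is exposed as well even though no rule mentions it.
WEAK = """
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
"""
# Constructed hardened ruleset: VNC only from the support vendor's known address
# (203.0.113.10, constructed), explicit DROP for everyone else, chain policy DROP.
HARDENED = """
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j DROP
"""
```

Running `exposed_remote_access(WEAK)` lists both ports, while `exposed_remote_access(HARDENED, default_policy="DROP")` is empty and `reachable` still returns True for the known support address.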
Outdated or unpatched applications and systems.
Older applications and operating systems (e.g. Windows XP®) are susceptible to attack and easily exploited.
Recommendation: Merchants should migrate away from outdated applications and operating systems as soon as possible.
Use of default, weak or common passwords, or not using a password at all.
The Discover alert stated that, “The results of recent forensic investigations revealed that the use of default/weak passwords with lack of two factor authentication in conjunction with remote access are significant contributing factors in these data breaches.”
Recommendations: Do not use default or easily guessed passwords; always use two-factor authentication for remote access. Two-factor authentication combines two different factors, such as something you have (a device) and something you know (a password).
View the Visa Security Alert or the Discover Data Security Alert.