Aloha point-of-sale terminal, sold on eBay, yields security surprises
HP researcher's findings highlight ongoing problems with POS software and hardware
IDG News Service - Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal -- a brand of computerized cash register widely used in the hospitality industry -- on eBay for $200.
Oh found an eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
His findings have received a fair amount of attention due to the role of such systems in high-profile data breaches at retailers including Target, Neiman Marcus and Michaels.
"What we found was that the overall state of security of the system was very poor," he wrote in a blog post describing his analysis.
Even second-hand POS systems aren't cheap, so it's unlikely that cybercriminals would spend hundreds of dollars apiece on the chance that a few of them still contain personal data.
But Oh's research illustrates the security issues facing the hospitality industry, beset by outdated POS systems which it sometimes cannot afford to update.
Oh answered questions about his findings with IDG News Service via email because he has not finished media training required by HP.
Companies don't appear to be paying enough attention to security issues with their POS terminals, he wrote, and older systems, which may not be as secure, are often still in use. Unknown software vulnerabilities in those systems also pose a risk.
"There are a lot of POS terminals out there, and we don't know how many of them are vulnerable to simple attacks," he wrote by email.
The Aloha POS system is sold by NCR, which brought it under its wing with its acquisition of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry, behind those of Micros Systems, which Oracle bought last month for $5.3 billion.
POS systems may seem like glorified electronic cash registers but they're actually closer to ERP systems, tracking inventory, logging employee actions and handling other management functions, said Joseph Snell, CEO of Viableware, a Kirkland, Washington, company.
Snell has had a lot of conversations with companies about POS systems. His company sells a product called Rail Pay that is designed to speed up settling a bill at a restaurant, which integrates with POS systems.
Some smaller businesses he's seen could not be compliant with the Payment Card Industry Data Security Standard (PCI-DSS) without upgrading their systems, Snell said. PCI-DSS is a set of security requirements, maintained by the PCI Security Standards Council, that the major card brands, including Visa and MasterCard, contractually impose on businesses that process payment cards.
The restaurant business is low-margin and highly competitive, which impacts spending on technology such as POS systems. "You can freely spend yourself out of business," Snell said.