Retailers Do you check your tills ?

dbit · 05-03-2015 10:11am #1

http://www.net-security.org/malware_news.php?id=2977

BoB_BoT · 05-03-2015 1:55pm

I can tell you from working with various clients that no, they don't. What's worse is, they are Windows based tills, no AV, no firewall, have full internet and network access. I've seen back office PC's that the tills report to being used as standard workstations. These PC's have had malware, virus all sorts of crap installed etc..

What would really scare you is, these tills are linked to credit and debit card processing systems.

dbit · 05-03-2015 1:59pm

BoB_BoT wrote: »

I can tell you from working with various clients that no, they don't. What's worse is, they are Windows based tills, no AV, no firewall, have full internet and network access. I've seen back office PC's that the tills report to being used as standard workstations. These PC's have had malware, virus all sorts of crap installed etc..

What would really scare you is, these tills are linked to credit and debit card processing systems.

Bang on , used to work retail trade over 16 yers ago in IT sector , like you i was amazed , the store im on about was national and same setup same issues . Made me laugh alot. they are now out of business .

dbit · 05-03-2015 2:05pm

Compustore.

Blowfish · 05-03-2015 6:44pm

By now, i'd imagine it's at least on the radar of the larger international retailers due to the number of high profile breaches recently. The smaller ones just wouldn't have the resources or awareness to implement proper controls though. I'd imagine the pub trade in particular is likely wide open to abuse as the vast majority would be individual owners rather than chains.

One thing I've noticed is that some pubs leave the touch screen terminals accessible from the front of the bar rather than behind it to make it easier for the waiters. I've been known to poke around with these (after a few

) some are wide open, others I've managed to log into simply by guessing employee id's and passwords.

dbit · 05-03-2015 7:03pm

Observation is not a hard thing to do while in a pub ;-)

BoB_BoT · 05-03-2015 10:07pm

I've seen a couple of new systems in the hospitalities sector, basically all android tablets connecting over wifi, tied into cloud. They'll work fine if the internet is down, but can't sync to each other I'm guessing it's possibly a security issue or just lazy programming.

It seems to be cheaper than running structured cabling and having a backend on site for the pos/tills to connect to. You'd hope the POS is connecting securely to the cloud service, but you never know until you test it.

They do seem to be somewhat tied down, can't install apps etc.. However, they do have browser/internet access. I didn't have the opportunity to poke around much, but would like to get my hands on one to see how exactly it works / communicates to the cloud service. :P

dbit · 06-03-2015 9:24am

I do know that all cetras and supervalues use an old dos based app that dials out to tramore road for EOD sales figures and orders and so on , the tills ccan go weeks without a sync and in those situations they often do. Dos based batch programs sending data to dialup connections in some cases.

The Cheaper than cabling option seems off the wall , nothing should take precedence over the security , cabling is cheap as chips and easy to terminate. It will be using some form of ssl certified account connection if Azure based then from there possibly API calls ot a backend stack. AWS would be the same , VMware VCD or VC nested again also the same. Possibly some vpn tunnels dialled up , retailers can pretty much model this stuff any which way they want with the various cloud offereings out there.

See Freak attacks will be very easy to do with open access browsers on open Wifi lan.

Hotblack Desiato · 07-03-2015 12:14am

Nothing new to see here, Windows tills have been easy pickings for years.

I don't get your point about retailers using wifi, now if they're using no encryption or WEP (same thing really) then they are asking for it, but wired networks in public places are easy to plug dodgy things into, and most will get an IP address no questions asked...

BoB_BoT · 07-03-2015 12:47am

No problem with secure wireless networks, my problem is I've seen some businesses share their wireless passwords with guests....

Hotblack Desiato · 07-03-2015 1:00am

FFS even the cheapest home routers have 'trusted' and 'guest' networks. Cue 'why I don't even' hair-tearing-out graphic.

dbit · 13-03-2015 12:35pm

Hotblack Desiato wrote: »

Nothing new to see here, Windows tills have been easy pickings for years.

I don't get your point about retailers using wifi, now if they're using no encryption or WEP (same thing really) then they are asking for it, but wired networks in public places are easy to plug dodgy things into, and most will get an IP address no questions asked...

Most war drivers can kick over wpa 2 and various others , wifi in my eyes is a no no in any business retail or other wise airmong aircap , airburst can all be used in unison to pown any wifi network provided you have decent dictionaries and grunt for brute force.

dbit · 13-03-2015 4:23pm

Thought i might drop this as any retailer in Ireland would need to be well aware of these risks
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf

Target lets not forget,.....was well , an easy Target.

Retailers Do you check your tills ?

Comments