« 2014 Social Security Blogger Award Voting Is Now Open | Main | Security Bloggers Network Lounge at RSA »

January 28, 2014

Anyone Using POS Is At Risk

posMost of you reading this have heard about the holiday time breaches at national retailers. Since then we have heard that as many as six other leading retailers may also have suffered breaches during the same period under similar circumstances. Word on the street is that these breaches are much more wide spread and just about any POS may be at risk. The culprit is something they are calling BlackPOS.

So if you think POS breaches are something that just large retailers need to worry about think again. It seems like this BlackPOS is some new Trojan/remote control malware that is infecting POS systems, giving criminals the ability to steal your customer’s data every time you swipe their credit card. Worse even, it seems that this malware can give the bad guys the ability to also gain access to your databases where your customer information is kept. This malware has been called BlackPOS in various reports.

From reports I have read and heard from my friends in the security industry it seems the malware behind these attacks was available for sale to the cyber-crime industry at large and cheap too. It was a land grab with everyone trying to get it on as many POS systems as they could. If you think your business would not be a target you are dead wrong. I am not trying to scare you here. But if you use a POS system you should make sure that you test it for malware. Especially if your POS is Windows based.

As a result of this breach I fully expect the industry to move full speed ahead with the Pin and Chip standard that is scheduled to go into effect in the US next year and is already standard in Europe. Where many of these initiatives are often delayed, with this kind of pressure I don’t think the credit card companies have a choice.

Historically fraud has accounted for about five cents out of every 100 dollars spent via credit card. That was realistically speaking not worth the greater effort required to move to a new system. But now I think the genie is out of the bottle.

Of course no guarantee that chip and pin is a panacea. There will be new vectors and methods developed to circumvent those systems as well. But in the meantime you should be planning to move to equipment that supports the new standard. You should also be planning on what it means for your business. If you partner with IBM or others they have the expertise to make your upgrade smooth and quick with minimal disruption. If not put the time and effort in now to plan your migration.

Also now may be a good time to review your breach plans. You should have in place a plan to follow on what to do if you are the victim of a breach. Don’t make it up as you go along in the heat of the moment. Take the time now to plan out what you need to do if indeed you are breached. How you react to the breach could be the difference between being in business after a breach versus not surviving.

Anyone and everyone could be the victims of a breach. No one is immune or under the radar. The way to succeed after a breach is to plan on when not if you are breached what you are going to do. In the meantime check your POS to make sure you are not already a victim.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions

Enhanced by Zemanta


TrackBack URL for this entry:

Listed below are links to weblogs that reference Anyone Using POS Is At Risk:


My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.


Lijit Search

Blog powered by TypePad
Member since 10/2005