POS Resellers To Clients: You're Just As Vulnerable As The Big Retailers

The massive data breach impacting Target and Neiman Marcus has increased the focus on malware designed to steal data from the memory of point-of-sale systems. But experts who sell the software and computer systems say internal threats, not external hackers, top their clients' biggest concerns.

Neiman Marcus last week warned that more than 1 million credit and debit cards were exposed following a breach of its systems. And on Saturday arts-and-crafts retailer Michaels Stores revealed that it was investigating a potential breach at its locations.

An FBI memo obtained by Reuters reportedly warned executives at retail firms to expect more breaches, following what appears to be a similar technique repeated against merchant systems.

The spyware uncovered by forensics investigators in the attack on Target collects credit and debit card data, storing the information into a Windows file and uploading it to a local computer inside the retailer's network once every seven hours. To appear like routine network traffic, the malware is programmed to only upload the files during typical work hours from 10 a.m. to 5 p.m. A second spyware program uploads files to File Transfer Protocol (FTP) sites controlled by the cybercriminals.

Sponsored post

[Related: Massive Target Breach Puts Spotlight On PCI Complexity]

Despite high-profile breaches stemming from attacks carried out by financially motivated cybercriminals in Russia, Eastern Europe and China, smaller retailers are more worried about theft carried out by their own employees, said Jacob Bilton, sales manager at Value Systems, a Myrtle Beach, S.C., point-of-sale reseller. The company has more than 120 customers, mainly restaurants, cafes and small independent retail stores that have a maximum of three systems that support payment system software, Bilton said.

Cybercriminals target large organizations because there is a greater potential to make money, he said. Independent retailers with a single store and small restaurant and cafe owners believe they don't do enough transactions to make them a target, he said.

"Everyone is now well aware that hackers have found a way around the protections in place and they're repeating the process at other stores," Bilton said. "Hackers go after big-box stores because they are easier targets than to attack a local restaurant or independent store owner."

NEXT: Smaller Retailers, Hotel, Restaurant Franchises Targeted Most

The problem is different at regional restaurant chains, hotels and department stores, where attacks have increased and resulted in more data breaches in recent years, according to separate breach reports issued in 2013 by Trustwave and Verizon. Retail made up the bulk of breaches in Trustwave's report. Both reports show cybercriminals attempting to target smaller regional businesses because they have limited IT staff, resulting in poorly maintained systems and inadequate security processes.

Bilton and other point-of-sale system resellers say they are constantly educating business owners to take Payment Card Industry Data Security Standards seriously.

"It doesn't matter if it's a small business or giant company, hackers try to target everybody," said Gilson Marcos, a master technician at BostonPOS, a point-of-sale system provider. "Even if it's a small coffee shop, they need to think about security or they will suffer with a bad reputation once their customers look at their credit card statements and see unauthorized charges."

Marcos and other resellers say they are busy ripping out outdated systems mainly running Windows XP, which Microsoft is due to retire in April. Clients also are asking for more modern payment systems that support payments on tablets and smartphones, rather than heavy-duty payment terminals, Marcos said.

Marcos said most of BostonPOS' clients are upgraded to more modern point-of-sale software as part of standard support contracts. "The ones who want to upgrade are not necessarily looking for better security, they want to increase the convenience for their customers," he said. "Once they upgrade, the hope is that security improvements come with it."

Smaller point-of-sale system resellers often specialize in system implementation but lack cybersecurity skills, said Kevin Din, CEO of KDNY Systems, a New York-based company that specializes in point-of-sale system sales, video surveillance and merchant services. Increased competition and low-cost systems have made the profit margin on purely reselling new POS systems very low, forcing smaller dealers to find other specialty areas, Din said. A growing part of the business for resellers is providing ongoing IT services, he said.