Attivo Networks Blogs

POS Under Attack

By: Carolyn Crandall

It is never a good time to have to report a Point of Sale (POS) breach, but having to do so as holiday spending season commences is especially miserable, as this is a sure way to lose consumers’ trust and confidence in your organization during a potentially lucrative time of year.

As we gear up for the eagerly anticipated Black Friday and holiday spending rituals, let us home in on the pervasiveness of the serious security threats at work in the nation's largest POS systems.

This blog discusses how POS breaches continue to pose an overwhelming threat to retail, hospitality, and business organizations worldwide.

The Attack Surface

POS breaches have become a central component of attackers' portfolios, because the sensitive information obtained through them tends to be of high value. These breaches account for much of the credit card and personal data loss businesses experience today, yet POS environments remain among the most challenging to protect because of weaknesses in the systems themselves. POS attacks are up 21% year over year in this sector and are expected to keep rising, with approximately 328,000 new malware samples appearing every single day.[1]

To give an idea of the prevalence of such attacks, over the past decade upwards of 1,350 reported breaches have hit retail and business organizations worldwide.[2] The most recent was experienced by the mega franchise Forever 21; on November 14 it announced that payment cards used in some of its stores in recent months had been subject to unauthorized access.[3] Attacks on POS systems are, perhaps surprisingly, much like attacks on any other part of the network; the difference is that the multi-faceted complexity of POS and payment environments makes these systems far harder to lock down, and organizations continue to struggle to do so.

How it Happens

In more than half of cases, POS compromises are carried out with malicious code that steals login credentials and with malware such as Random-Access Memory (RAM) scrapers, which run on the POS host and read card data out of the payment application's memory during the brief window in which it sits there unencrypted, before it is passed on to the payment processor.
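To make the RAM-scraper mechanism concrete, here is an added example (written for this post, not code from Attivo Networks or from any malware family) of the pattern search such malware performs over a process memory region, and which a defender can run over a memory dump or a suspected exfiltration file to confirm whether unencrypted magnetic-stripe data is present. The buffer below is constructed for the example; it mixes Track 1 and Track 2 records with unrelated bytes, and the card numbers are well-known test PANs, not real accounts. The Luhn check removes most digit runs that merely look like a card number, and PANs are masked before they leave the scanner so the output itself does not become cardholder data.

```python
import re

# Constructed stand-in for a slice of POS process memory. Contains two
# well-formed track records with Luhn-valid test PANs, one Track 2 shaped
# record whose PAN fails Luhn (a false positive), and unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v3.1\x00"
    b";4111111111111111=25121011234567890?"    # Track 2: ;PAN=YYMM SVC discretionary ?
    b"\x00\x00order_id=8832\x00"
    b"%B5500000000000004^DOE/JANE^2512101?"    # Track 1: %B PAN ^ NAME ^ YYMM SVC ... ?
    b"\x00;1234567890123456=2512101?\x00"      # Track 2 shaped, but PAN is not Luhn-valid
    b"ENC:7f3a...\x00"
)

# Magnetic-stripe track layouts (ISO 7813): Track 2 is ';' PAN '=' YYMM SVC ... '?',
# Track 1 is '%B' PAN '^' name '^' YYMM SVC ... '?'. PANs are 13 to 19 digits.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Return every track-shaped record in buf, ordered by offset, with the
    PAN masked and a flag saying whether it passed the Luhn check."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(2).decode(), "luhn_ok": luhn_valid(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(3).decode(), "luhn_ok": luhn_valid(pan)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def confirmed_hits(buf: bytes) -> list[dict]:
    """Only the records a scraper would actually keep: Luhn-valid PANs."""
    return [h for h in scan_buffer(buf) if h["luhn_ok"]]


if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_MEMORY):
        print(h)
```

Running the block over the constructed buffer reports three track-shaped records; only two survive the Luhn filter. The same two regular expressions, applied by a scraper to the payment process rather than to a dump, are the whole of the data-gathering step: no exploit is needed once the malware is running on the terminal, which is why credential theft and the management server that can push code to every terminal matter so much.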

Typically, an organization will employ different deployment models depending on its transaction volume, its size, the number of interaction points, and the infrastructure it operates.

Deployment becomes increasingly complicated when an organization has multiple locations. These organizations use central asset management servers to deliver software and configuration to POS devices and to receive data from them, which makes those servers a high-value target: an attacker who controls the management server can use it to push and activate malware across every terminal at once.

According to Verizon's "2017 Data Breach Investigations Report", when an establishment becomes aware of an external intrusion, the breach is most frequently discovered by card issuers' fraud-detection teams, followed by customers and law enforcement.[4] In Forever 21's case, the investigation was prompted by a report the company received from a third party. Because the investigation is at an early stage, the company is not yet able to provide complete findings on the nature of the attack.

This gives rise to the question, what can mega franchises do to protect and become aware of potential lingering threats to their sensitive data?

Responding to Threats

Most organizations are still constructed primarily around a perimeter defense model, and they have limited visibility into internal network traffic and activity.

Of course, organizations utilizing POS systems take measures to prevent attacks, such as remaining vigilant and working closely with POS system suppliers to track ongoing threats and prospective weaknesses in their systems. Few technologies, however, such as deception technology, can reliably detect the lateral movement of a sophisticated human attacker within an internal network.

The Attivo ThreatDefend Deception Platform offers deception specifically designed for POS applications. The ThreatDefend platform can be used to create many varieties of POS decoys that appear as production POS systems and patch management servers and lure attackers into revealing their presence. The solution combines distributed, high-interaction deception lures and decoys designed to provide early visibility into in-network threats, efficient continuous threat management, and accelerated incident response.

When the decoys are authentic enough to be indistinguishable from production systems, an attacker is tricked into engaging with them, so that attack information can be gathered, the attack mitigated, and overall security defenses strengthened.
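The property that makes a decoy a high-fidelity sensor is simple: no legitimate process or user ever has a reason to touch it, so any connection at all is worth an alert. The following added example (written for this post; it is not Attivo's ThreatDefend code and the banner string, port handling and alert fields are assumptions for illustration) is a minimal POS-terminal decoy. It listens on a TCP port, returns a plausible banner so that a scanner or an attacker's tooling keeps interacting, captures the first bytes sent, and records an alert for every connection, including a bare port scan that sends nothing. The `probe` function plays the attacker so the whole exchange runs offline on localhost.

```python
import socket
import socketserver
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class DecoyAlert:
    src_ip: str
    src_port: int
    decoy_port: int
    payload: bytes      # first bytes the client sent; empty for a bare connect


class PosDecoy:
    """Minimal decoy that imitates a POS terminal service.

    Nothing legitimate connects to it, so every accepted connection is an
    alert. The banner is an assumed string for the example, not a real
    product identifier."""
    BANNER = b"POS-TERM-0471 READY\r\n"

    def __init__(self, host="127.0.0.1", port=0):
        self.alerts = []
        self._lock = threading.Lock()
        decoy = self

        class Handler(socketserver.BaseRequestHandler):
            def handle(self):
                # Send the bait first so an interactive attacker sees a live service.
                self.request.sendall(PosDecoy.BANNER)
                self.request.settimeout(2.0)
                try:
                    data = self.request.recv(512)
                except (socket.timeout, ConnectionError):
                    data = b""
                ip, src_port = self.client_address[:2]
                decoy._record(DecoyAlert(ip, src_port, decoy.port, data))

        self._server = socketserver.ThreadingTCPServer((host, port), Handler)
        self._server.daemon_threads = True
        self._thread = threading.Thread(target=self._server.serve_forever, daemon=True)

    @property
    def port(self) -> int:
        return self._server.server_address[1]   # real port, even when bound to 0

    def start(self):
        self._thread.start()

    def stop(self):
        self._server.shutdown()
        self._server.server_close()

    def _record(self, alert: DecoyAlert):
        with self._lock:
            self.alerts.append(alert)

    def wait_for_alerts(self, count: int, timeout: float = 3.0) -> list:
        """Block until `count` alerts are recorded or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.02)
        with self._lock:
            return list(self.alerts)


def probe(host: str, port: int, payload: bytes = b"") -> bytes:
    """Simulated attacker: connect, read the banner, optionally send a request."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(64)
        if payload:
            s.sendall(payload)
    return banner


def demo():
    """Run the decoy, hit it with one request and one bare connect, return results."""
    decoy = PosDecoy()
    decoy.start()
    try:
        banner = probe("127.0.0.1", decoy.port, b"GET /api/transactions HTTP/1.0\r\n\r\n")
        probe("127.0.0.1", decoy.port)            # scanner-style connect, no data
        alerts = decoy.wait_for_alerts(2)
    finally:
        decoy.stop()
    return banner, alerts


if __name__ == "__main__":
    for a in demo()[1]:
        print(a)
```

In a real deployment the decoys would sit on addresses and hostnames that match the naming scheme of the production terminals and management servers, and `_record` would forward to the SIEM or ticketing system rather than to an in-memory list; the point the example shows is that the alert needs no signature, because the decoy has no legitimate traffic to tell the attacker's apart from.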

Breaches stemming from attacks on point-of-sale systems and their vendors are an ongoing challenge in the retail industry. When you combine skilled adversaries, simple human error, and potential supplier weaknesses, a new approach is needed to address the ever-changing threat landscape. Introducing deception into your POS network is therefore essential to detecting the presence of an attacker early and, at the same time, minimizing mass theft of sensitive data.

[1] Attivo Networks, "Point-of-Sale System Attacks: The Role of Early Detection for Breach Prevention", November 2016.

[2] Attivo Networks, "Point-of-Sale System Attacks: The Role of Early Detection for Breach Prevention", November 2016.

[3] Forever 21, "Notice of Payment Card Security Incident", November 14, 2017.

[4] Verizon, "2017 Data Breach Investigations Report: Executive Summary", 2017.
