mailing list archives
Windows XP support cutoff poses data breach risk for retailer
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Feb 2014 19:01:21 -0700
Retailers will face an increased risk of data breaches after Microsoft ends
support for Windows XP, a version of which powers the majority of modern
cash registers, security vendor Symantec warned in a report published
Many point-of-sale (POS) devices run the Windows XP version of Windows
Embedded, a scaled-down version of the operating system designed for
devices such as set-top boxes and vehicle computers. Microsoft will no
longer provide security patches for Windows XP as of April 8, when it ends
support for the 13-year-old OS.
"This event will certainly place POS operators under increased risk of a
successful attack, and POS operators should already have mitigation plans
in place to meet this coming deadline," Symantec's 12-page report said.
Cybercriminals installed malware on the systems of Target and Neiman
Marcus, which collected unencrypted payment card details after a customer's
card was swiped. In December, Target said 40 million payment card records
were compromised plus 70 million other records, making it one of the
largest reported data breaches on record.
Neiman Marcus said up to 1.1 million cards were compromised between July
and October 2013 but opted to notify all customers who have shopped at its
stores since January 2013.
RSA, the security division of enterprise software vendor EMC, said on
Thursday it found 119 POS terminals belonging to 45 retailers, 32 of which
are based in the U.S., may be infected with malicious software.
Since the POS terminals run Windows, it's easy for hackers to repurpose
other Windows malware to suite their needs, Symantec wrote.
"This means that attackers do not need specialized skills in order to
target POS systems," it wrote.
Security experts theorize that POS hackers are either attacking the
terminals directly from the Internet or are finding another way into
company networks by exploiting other software vulnerabilities.
Companies handling payment card data are required by Visa and MasterCard to
follow industry security practices, known as the Payment Card Industry
(PCI) Data Security Standard (DSS). Those standards recommend but do not
require retailers to isolate networks that handle card data, termed the
cardholder data environment (CDE), Symantec wrote.
POS systems must be accessible for software updates, the export of business
data such as purchase orders and inventory, and to connect with external
payment processors, the report said.
"While a strictly controlled and completely isolated POS system network
would be quite secure, it is too impractical for serious consideration," it
Orla Cox, senior manager of Symantec's Security Intelligence Delivery,
wrote on the company's blog that card theft attacks are likely to continue
because "stolen card data has a limited shelf life."
"Credit card companies are quick to spot anomalous spending patterns, as
are observant card owners," she wrote. "This means that criminals need a
steady supply of 'fresh' card numbers."
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus
on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
- Windows XP support cutoff poses data breach risk for retailer Audrey McNeil (Feb 07)