POS Penetration Testing

POS is an important system that manages sales transactions in businesses. Although it may seem complex at first glance, it is actually quite simple.

Now, let’s explain in more detail what POS is and how it works. POS is an abbreviation derived from the initials of the word “Point of Sale.”


This system facilitates and records sales transactions between customers and sellers. A POS system comprises both hardware and software components.

Hardware Components: A POS system typically includes hardware components such as a computer or tablet, barcode scanner, cash drawer, printer, and display.

These devices are used to carry out transactions and provide customers with receipts or invoices.

Software Components: POS software is used to manage transactions, track inventory, process payments, and generate reports.

This software allows customers to create their shopping carts, make payments, and receive receipts.


How Does POS Transaction Work?

Step A: The Customer Uses the Card. The customer initiates the payment process by inserting their card into the POS device and entering their confidential PIN code.

Step B: POS Device Initiates the Transaction. The POS device initiates the transaction by securely transmitting the card details and the PIN code, encrypted, to the ATM Switch server. Network Access Control (NAC) ensures secure access.

Step C: Card Verification. If the card belongs to the same bank, the ATM key verifies the PIN using the Hardware Security Module (HSM) server. After successful verification, the transaction request is forwarded to the CBS server.

Step D: Different Bank Scenario. If the card belongs to a different bank, the transaction is routed to the NFS server. The NFS server forwards the transaction to the HSM server of the other bank for PIN verification. After successful verification, the transaction is sent to the CBS server.

Step E: Account Verification and Fund Transfer. The CBS server checks the balance in the cardholder's account and deducts the purchase amount. The deducted amount is transferred to the seller's account.

Step F: Transaction Completion. When the transaction is successfully completed, the CBS server generates a response. The ATM key encrypts this response and sends it back to the POS device. The transaction is complete.
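The flow in Steps B to F, as an added Python model that is not part of the original article: the switch routes the request to the issuing bank directly (on-us card) or through the NFS, only the issuer's HSM verifies the PIN, and the CBS checks the balance before the response goes back. Bank names, card numbers, keys, balances and the HMAC-based PIN verification are constructed assumptions; the encryption of the PIN block between POS and switch is left out to keep the model short.

```python
import hashlib
import hmac

# Constructed model data (assumptions, not real bank systems): which bank issued each
# card, each issuer HSM's PIN verification key, and core-banking account balances.
ISSUER_BY_PAN = {"4000000000000002": "BankA", "5100000000000008": "BankB"}
HSM_KEYS = {"BankA": b"bankA-pin-verification-key", "BankB": b"bankB-pin-verification-key"}
CBS_BALANCES = {"BankA": {"4000000000000002": 500.0, "MERCHANT-001": 0.0},
                "BankB": {"5100000000000008": 20.0}}

def pin_verification_value(bank, pan, pin):
    # Keyed digest of PAN+PIN; a real HSM keeps its key and algorithm internal.
    return hmac.new(HSM_KEYS[bank], f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()

# Values the issuer stored at card personalisation (the PIN itself is never stored).
STORED_PVV = {"4000000000000002": pin_verification_value("BankA", "4000000000000002", "1234"),
              "5100000000000008": pin_verification_value("BankB", "5100000000000008", "4321")}

def hsm_verify_pin(bank, pan, pin):
    # Steps C/D: only the issuing bank's HSM can verify the PIN.
    return hmac.compare_digest(pin_verification_value(bank, pan, pin), STORED_PVV[pan])

def cbs_debit(bank, pan, amount, merchant_account="MERCHANT-001"):
    # Step E: core banking checks the balance, debits the card, credits the seller.
    accounts = CBS_BALANCES[bank]
    if accounts[pan] < amount:
        return "DECLINED: insufficient funds"
    accounts[pan] -= amount
    CBS_BALANCES["BankA"][merchant_account] += amount  # assumption: merchant banks at BankA
    return "APPROVED"

def atm_switch(acquirer, pan, pin, amount):
    # Step B: the switch receives the card data and PIN block from the POS
    # (sent encrypted in a real deployment; plaintext here to keep the model short).
    issuer = ISSUER_BY_PAN.get(pan)
    if issuer is None:
        return "DECLINED: unknown card"
    # Step C (on-us card) vs Step D (foreign card routed through the NFS to the issuer).
    route = acquirer if issuer == acquirer else f"NFS->{issuer}"
    if not hsm_verify_pin(issuer, pan, pin):
        return f"DECLINED: bad PIN (via {route})"
    # Step F: the CBS response travels back along the same path to the POS device.
    return f"{cbs_debit(issuer, pan, amount)} (via {route})"
```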

How do I conduct a point-of-sale (POS) Device Security Test?

A. OS Secure Configuration Review:

This step involves ensuring that the POS device is correctly configured and has appropriate security settings.

This may include checking if the device is running up-to-date software and firmware versions, changing default passwords, disabling unnecessary network connections, and reviewing firewall settings.

POS devices typically come with default configurations, and it is necessary to change these default settings before deploying them in a production environment.

Default configurations may encompass device access management, encryption methods, and default settings for services such as FTP and SSH.

When conducting a security review of a POS device’s configuration, it is crucial to carefully examine all default configuration settings and other essential parameters to ensure that they are properly configured.

For instance, the following example highlights the default administrator password, which may vary depending on the device’s brand and model:

“A critical step for the security of POS devices is to modify default configurations. These default settings can pose a potential risk to the device’s security.

For example, critical settings like the administrator password can make it easier for malicious actors to gain access to the device.

Therefore, reviewing all default settings and using strong passwords is essential for a secure configuration.”

a. Physical Security Assessment: A POS device commonly exposes components such as USB ports, LAN ports, NFC card readers, and more.

It is essential to safeguard the POS device so that unauthorized access to these interfaces is prevented. If unauthorized access is possible, malicious actors may attach flash drives, including BadUSB-style devices, which can enable remote access to the POS device's terminal.

To mitigate such attacks, both physical and USB port security must be ensured for POS devices.

b. POS Skimming: Another form of physical attack is POS skimming, where a device is secretly placed on the card-swiping mechanism to steal card information from magnetic stripes.

Therefore, regular inspection of the POS device’s card-swiping mechanism is crucial. In this context, a penetration tester can use a portable skimming method to place a skimmer device on POS devices within an organization, potentially capturing card details, PIN numbers, and various other data.

This serves as a significant test within the realm of physical security layers.

c. Manipulation of the PIN Keypad: Attackers may manipulate the PIN Keypad to capture customer card PINs. They can use a fake overlay resembling a real POS device’s keypad to carry out such attacks.

Therefore, it is essential to periodically review the POS device’s keypad and check for the presence of key-logging devices. This is critical for ensuring the security of customer card data and protection against fraudulent activities.

d. POS Network Connection: A critical aspect of our assessment involves examining the POS device’s network connection. The POS network must remain isolated, ensuring that no other users can connect to the same Wi-Fi or LAN network.

We will conduct a local network penetration test to verify the security of the POS network. Our objective here is to assess the network’s resilience to unauthorized access and potential intrusions.

We will identify any vulnerabilities that may expose the POS system to external threats and provide recommendations for remediation.

e. Default Credentials on the Device: As part of our assessment, we will investigate the use of default credentials on the POS device, particularly concerning hardware management.

Default usernames and passwords are common targets for attackers. We will scrutinize the device to identify instances where default credentials are used.

Our goal is to ensure proper authentication mechanisms are employed for device management and eliminate potential security risks associated with default login credentials.

f. Encryption: The transmission of data over Wi-Fi or LAN channels is a critical aspect of POS device security. To verify the security of data in transit, we will examine the encryption settings on the POS device.

It is essential to ensure that encryption is both active and properly configured to protect sensitive data during transmission.

Our assessment will focus on evaluating the strength of encryption protocols in use and identifying any weaknesses that could potentially compromise data security.

g. Insecure Data Storage: The device can store data on the memory card or within itself. We check whether configuration files are encrypted for the security of this data. If the data is not encrypted, the security of sensitive information may be at risk.

h. Clear Text Services: We check for clear text services enabled on the device, such as FTP, which downloads device firmware from the server for firmware upgrades. Disabling clear text services on the device is essential.

i. Logs: We examine the logs of the device. Logs are crucial for detecting and monitoring potential security breaches.

j. Missing Patches: Missing updates leave open vulnerabilities that could allow unauthenticated remote code execution, privilege escalation, denial of service, and confidential information disclosure. We check that the latest updates are installed.

k. Unauthorized Exposure of Sensitive Data Without Authentication: The POS device can print reports containing sensitive information such as device details and transaction details. We attempt to access this feature without authentication.

l. Device Update Settings: We check the device’s settings and verify the latest updates.

m. Password Policy: We review the password policy applied to the device and assess its compliance with best practices that promote the use of strong passwords.

n. POS Device Ports: We inspect all peripheral ports (Ethernet, telephone, RS-232, and USB ports) to ensure that unused ports are disabled.

B. Application Testing

Application testing is a critical phase in the security of POS devices because the SoftPay application performs essential functions such as online and offline sales, refunds, and other payment transactions.

During this stage, it is important to identify and address security vulnerabilities that may exist at the application and logical levels.

a. Clear Text Traffic Analysis: First, we connect our laptop to the POS network segment and ensure that the laptop's IP address matches the POS device's gateway address.

Then, we edit the POS device's gateway address settings, initiate a clear-text traffic request, and use tools like Wireshark on our laptop to capture the traffic.

b. Refund Attempt: Second, we attempt to refund an amount greater than the purchase amount. This helps us test whether the application securely handles refund transactions.

c. Privilege Escalation Test: The application has different privilege levels such as Clerk, Manager, and Superuser. We simulate a privilege escalation attack by using a Clerk account to try to access Manager-level functions or data.

d. PIN Verification Check: We enter an invalid PIN during a product purchase to check whether PIN verification is properly enforced during transactions.

e. Data Manipulation Attempt: We attempt to manipulate data by disrupting or altering the traffic flow. This helps us observe how the application handles tampered data.

f. Sensitive Information Disclosure Assessment: The POS device generates transaction receipts when a product or service is successfully paid for.

It is imperative to scrutinize these generated transaction receipts for the presence of sensitive data, such as account numbers and card details.

The crucial aspect is ensuring that any card information within the transaction receipt is effectively masked to protect customer data.
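As an added example (not from the original article), the following Python check scans receipt text for a full card number printed in the clear, using the Luhn checksum to tell a PAN from other digit runs such as the authorization code, and shows the first-six/last-four masking a receipt should carry instead. The receipts and card numbers are constructed test samples.

```python
import re

def luhn_ok(digits):
    # Luhn checksum: every payment card PAN passes it, most other digit runs do not.
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

# A PAN candidate is 13-19 digits, optionally grouped with spaces or dashes,
# and not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(receipt_text):
    """Return full card numbers printed in the clear on a receipt (should be empty)."""
    found = []
    for m in PAN_RE.finditer(receipt_text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def mask_pan(pan):
    # Display masking: only the first six and last four digits remain visible.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample receipts (test card numbers, not real cards).
GOOD_RECEIPT = "MERCHANT DEMO\nVISA 400000******0002\nAMOUNT 12.50\nAUTH 123456\nAPPROVED\n"
BAD_RECEIPT = "MERCHANT DEMO\nVISA 4000 0000 0000 0002\nEXP 12/29\nAMOUNT 12.50\nAUTH 123456\n"
```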

g. POS Transaction without PIN: As part of our assessment, we aim to conduct a test transaction within the POS system without the necessity of a PIN code.

This procedure enables us to examine how the POS device handles transactions without PIN authentication, shedding light on potential security vulnerabilities.

h. Offline Sale Attempt without Authorization Code: Our testing strategy includes an attempt to execute an offline sale transaction without the presence of an authorization code or by using an incorrect one.

This specific test scenario allows us to evaluate the POS system's resilience and security measures concerning offline transactions in the absence of the necessary authorization codes.
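The application-level checks in b, c, d, g and h, as an added Python model that is not the SoftPay application or any vendor's code: a minimal POS application with the controls it should enforce, plus a harness that runs each abusive request and reports which ones the application wrongly accepted. Role names, transaction ids, amounts and the offline authorization code are constructed assumptions; run_checks expects a completed sale "T1" to exist.

```python
ROLE_RANK = {"clerk": 1, "manager": 2, "superuser": 3}

class PosApp:
    def __init__(self):
        self.sales = {}                        # txn_id -> amount of each completed sale
        self.refunded = {}                     # txn_id -> amount already refunded
        self.valid_offline_codes = {"A1B2C3"}  # assumption: codes issued by the acquirer

    def sale(self, txn_id, amount, pin_verified):
        # PIN verification check: no sale completes unless the PIN was verified.
        if not pin_verified:
            raise PermissionError("PIN not verified")
        self.sales[txn_id] = amount
        return "APPROVED"

    def refund(self, actor_role, txn_id, amount):
        # Privilege escalation test: a Clerk calling this Manager function is refused.
        if ROLE_RANK.get(actor_role, 0) < ROLE_RANK["manager"]:
            raise PermissionError(f"{actor_role} may not issue refunds")
        # Refund test: the total refunded for a sale never exceeds the purchase amount.
        original = self.sales.get(txn_id)
        already = self.refunded.get(txn_id, 0.0)
        if original is None or amount <= 0 or already + amount > original:
            raise ValueError("refund exceeds purchase amount")
        self.refunded[txn_id] = already + amount
        return "REFUNDED"

    def offline_sale(self, txn_id, amount, auth_code):
        # Offline sale test: a missing or wrong authorization code must be rejected.
        if auth_code not in self.valid_offline_codes:
            raise PermissionError("invalid authorization code")
        self.sales[txn_id] = amount
        return "APPROVED-OFFLINE"

def run_checks(app):
    # Returns the names of checks the application FAILED (it accepted a bad request).
    attempts = [
        ("refund_over_amount", lambda: app.refund("manager", "T1", 60.0)),
        ("clerk_refund", lambda: app.refund("clerk", "T1", 10.0)),
        ("sale_without_pin", lambda: app.sale("T2", 5.0, pin_verified=False)),
        ("offline_without_code", lambda: app.offline_sale("T3", 5.0, "")),
        ("offline_wrong_code", lambda: app.offline_sale("T4", 5.0, "ZZZZZZ")),
    ]
    failed = []
    for name, attempt in attempts:
        try:
            attempt()
        except (PermissionError, ValueError):
            continue
        failed.append(name)   # the app accepted a request it should have rejected
    return failed
```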

C. Vulnerability Assessment and Penetration Testing

a. POS Device Network Security: The connection of POS devices to the bank's isolated backend server is of critical importance when assessing network-level security vulnerabilities.

Such tests are conducted to evaluate the security of the POS device's network connection and identify potential risks.

b. Network Connection Check: To begin with, we obtain the IP details of the POS device and connect our laptop to the POS network. This allows us to simulate access to the network.

Subsequently, we scrutinize the network connection. Tip: This process provides us with an opportunity to examine the POS device's operating system.

c. Identification of Open Ports: Using tools like Nmap, it is crucial to scan for open TCP and UDP ports on the POS device. This helps us determine which services are running and which ports are exposed to the external world.

We search for potential security vulnerabilities within these services.

(Figure: POS TCP Terminal and TCP Application Configuration Example)

d. Vulnerability Scanning: To pinpoint security vulnerabilities on the POS device more comprehensively, we utilize security vulnerability scanning tools like Nessus.

This scan covers a wide range, starting from the operating system version and extending to potential security vulnerabilities within services such as FTP and SNMP.

It's worth noting that automated processes might overlook certain vulnerabilities, so manual effort is essential to detect and exploit vulnerabilities, particularly those related to logic flaws, insecure designs, and other vulnerabilities that automated tools miss.

e. Examination of Services: POS devices typically run a limited number of services. The examination of these services encompasses:

  • Operating System Version: We attempt to identify the operating system version and inspect it for security vulnerabilities.
  • FTP Service: The FTP service is used for downloading updates and uploading device files. We scrutinize this service for security vulnerabilities.
  • SNMP Service: The SNMP service is employed for centralized management of the POS device. We assess SNMP for security vulnerabilities.
  • Management Portal: We verify access to the management portal. Additionally, we install the POS SDK API on our laptop, which is used to customize the POS application, and attempt to access the POS device through a USB connection.
  • POS Application: We check the version of the POS application and investigate security vulnerabilities associated with this version.

Security testing for POS devices holds critical importance for businesses and financial institutions.

These tests are necessary to safeguard both operational and customer data, ensure the security of financial transactions, and prevent potential security vulnerabilities.

The security tests conducted assess the network security, physical security, application security, and other aspects of POS devices.

These tests aid in detecting potential threats and provide an opportunity for early intervention. Furthermore, regular security testing helps enhance security measures to defend against current threats and attack methods.

I would be delighted to assist you with penetration testing to achieve PCI DSS compliance and enhance the security of your business.

By identifying unseen threats, I can help you better protect sensitive data such as payment card information and customer details.

By bolstering your business’s security, we can create a stronger defense against cyberattacks. I can aid you in gaining customer trust and ensuring compliance with regulations.

Feel free to contact us today to learn more and discover how I can help maximize your business’s security. Remember, I’m here to uncover what may not be immediately visible.

Alperen Ugurlu is a Security Researcher, Red Team Operator and Lead Product Manager at ThreatMon, and a regular contributor to Cyber Security News, where he shares his skills with the world's largest InfoSec community.