Watch out small business owners: There’s a new threat to your point of sale system

August 08, 2014

Hackers are using a new tool to obtain credit card information. Read on to find out how to protect your small business.

Matt Donovan, Underwriting Leader - Tech and Privacy, Hiscox Insurance, shares insight on how business owners can protect themselves from the latest hacking threat.

Small businesses watch out! A new vulnerability for point of sale (POS) machines used by many small businesses to swipe credit cards has popped up.  This comes along just as Target reported that it is still hurting from their data breach last year, with related losses now at nearly $150 million.   The newest tool being used by hackers, Backoff, uses remote desktop access (RDP) to install malware on POS machines and skim card data.  The number of RDP attacks has exploded recently with hundreds of incidents cited by the Secret Service over the past couple months, many of which are still unbeknown to the affected businesses.

Why is this happening and what makes small businesses so vulnerable?

The constant threat of hackings has made retailers smarter and credit card data is now encrypted in almost every part of the transaction.  But, just like a determined burglar will try to  find the one unlocked window to break into your house, hackers have discovered this new vulnerability at the first point of data collection when credit cards are initially swiped.  Most larger retailers have already taken steps to remove the possibility of RDP access to their networks and guard against this threat.  But smaller businesses with skeletal IT teams and unsophisticated networks probably haven’t even heard of RDP access to their POS machines.  That’s why this latest threat is much more hazardous to the moms and pops of the world than Fortune 500 companies.

OK, now I'm scared.  How can a small business protect themselves from this threat? 

Now that this vulnerability has been identified, there are specific steps small business owners can take to make their systems safer.  Fairly simple configurations and security measures can significantly reduce the likelihood of a successful attack.  Further, a good insurance provider can also help them stay on top of the latest threats and respond to data breaches if they happen.

How to help mitigate exposure from RDP hacks:

1)    Configure RDP more securely (2-factor authentication).  The Payment Card Industry’s Data Security Standard (PCI-DSS) section 8.3 calls for 2 factor identification for remote access.

2)     Lockout users for repetitive failed login attempts.  This prevents “brute force” attacks.

3)     Change default listening ports to an unknown port.  Actors on the internet will scan the web for computers listening on the default port.  The point of sale machines running on a different port will not respond to these scans.

4)     Limit computers running RDP (Remote Desktop).  Also limit local admin privileges to restrict employees from installing this (included in Windows).

5)     Disable unused ports and services running on the system.

6)     Disable internet browsing capabilities on point of sale (POS) machines.

7)     POS terminals that encrypt the data while in memory would be the ultimate recommendation to avoid this new family of malware, but this is a more expensive solution for retailers to implement.

The potential prize for hackers from any successful network infiltration is huge – with millions of dollars at stake.  This means that threats will continue to evolve and thrive and small businesses in particular need to do everything they can to stay on top of the latest security options for their systems.

The contents of this article and the linked materials do not offer legal, business  or insurance advice related to the needs of any specific individual business. Hiscox Small Business Insurance is underwritten by Chicago-based Hiscox Insurance Company Inc., which is rated ‘A’ (Excellent) by A.M. Best Company. Additional information can be found on the Why Choose Hiscox? page. Coverages are subject to underwriting and may not be available in all states.