Make Your Point of Sale System a Point of Security
The article discusses a point-of-sale (POS) malware breach at Forever 21 that exposed payment card track data between April and November 2017, illustrating how extended undetected intrusions can damage customer identities, brand reputation, and business operations. It highlights how modern retail expands attack surface through diverse payment methods and IoT-connected POS devices that communicated with unauthorized external services, enabling attackers to harvest data. The piece advocates using DNS-based controls and visibility—such as DNS logging and policy enforcement—to limit POS device communications, detect malicious activity earlier, and reduce the likelihood and impact of data exfiltration.
What happened in the Forever 21 POS breach and how long did it last?
The Forever 21 incident involved unauthorized network access and installation of malware on some POS devices that searched for payment card track data as it was routed through the devices. The breach occurred between April 3 and November 18, 2017, with some stores compromised for the entire seven months and others for only days or several weeks. In most instances the malware found track data without cardholder names, and stores maintained logs of completed payment card transaction authorizations.
Why are POS and IoT devices particularly vulnerable to attacks like this?
POS and IoT devices expand a retailer’s attack surface because they often communicate with multiple services beyond their intended scope, creating opportunities for adversaries to gain network access and install malware to harvest data. These devices may be insufficiently isolated or monitored, allowing malicious communications to go unnoticed for extended periods. The article emphasizes that protecting IoT/POS devices and restricting them to only required internal or external services is critical to preventing data capture and exfiltration.
How can DNS-based controls help prevent or mitigate POS data breaches?
DNS can serve as a foundational layer for detecting and preventing malicious activity because it offers visibility into device communications and the ability to enforce policies. By monitoring DNS logs, teams can spot suspicious queries and connections from POS devices to unauthorized services, and policy enforcement can restrict devices so they only communicate with intended services. The article notes that DNS Edge, for example, can provide DNS log visibility and enforce policies to stop POS IoT devices from contacting unauthorized endpoints or exfiltrating customer data, enabling action before widespread damage occurs.
As the biggest season in retail winds down, Forever 21 was the latest retail target of a point of sale cyber attack, joining the likes of Chipotle and Game Stop. It was recently announced that they suffered a POS security breach between April 3 and November 18, 2017, and while some stores suffered breaches lasting the entire seven months, others were breached “for only a few days or several weeks.” Whether a breach is discovered within a few days or not for several months, it does little to soothe the pain. When sensitive customer information is stolen, the damage can spread wide to include not only compromised customer identities but a brand’s reputation, potential legal implications and even a hit to stock prices.
“The investigation found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device.”
With more ways to pay at retail outlets, both in-store and online, corporations increase their attack surface area, undeniably opening themselves up to greater risks with their point of sale systems. While companies have technologies in place to foil hackers, we do not live in a perfect world. “In most instances, the malware only found track data that did not have cardholder name. Additionally, stores have a device that keeps a log of completed payment card transaction authorizations.” However, by leveraging DNS to bolster your security stack, breaches become less likely and less severe, all while giving you the visibility and control that other tools do not.
DNS: The Key to Point of Sale Security
Looking at these point of sale breaches, there are a few things every company can learn as it looks to improve its cyber security measures. DNS is the foundation of any network, including POS systems, so DNS activity offers clues and makes an invaluable tool for detecting malicious network activity.
However, what’s important here is protecting your POS system. In this case, the importance of securing your IoT devices cannot be overstated. Here, the point of sale devices were communicating with “services” outside the scope of those they were explicitly intended to connect with.
Malicious adversaries harvested and captured this sensitive data, and Forever 21’s cyber security measures weren’t able to stop it (or detect it) until it was too late. However, there is a solution: it is possible to keep your IoT devices from communicating with devices or services they shouldn’t be talking to, while also preventing them from sending that information out.
DNS Edge, for example, can provide visibility into DNS log data and enforce policies to ensure:
- POS IoT devices and services are only able to communicate externally or internally to the services they need.
- POS IoT devices are not exfiltrating customer data to these malicious adversaries.
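The two controls above (restricting POS devices to the services they need, and spotting exfiltration in DNS logs) can be illustrated with a small allowlist audit. This is an added example, not DNS Edge code or anything from the Forever 21 disclosure; the allowlist, the log format and the client addresses are constructed, and the “long hex label or TXT query” exfiltration heuristic is an assumption chosen for illustration.

```python
import re

# Constructed allowlist: the only names a POS segment is expected to resolve
# (example names, not taken from the Forever 21 disclosure).
POS_ALLOWLIST = {
    "payments.example-acquirer.com",
    "ntp.internal.example",
    "updates.pos-vendor.example",
}

# Constructed DNS query log, one "timestamp client qname qtype" record per line.
SAMPLE_DNS_LOG = """\
2017-11-10T09:01:02Z 10.20.1.15 payments.example-acquirer.com A
2017-11-10T09:01:05Z 10.20.1.15 ntp.internal.example A
2017-11-10T09:02:10Z 10.20.1.15 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.drop.example-bad.net A
2017-11-10T09:02:11Z 10.20.1.15 b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.drop.example-bad.net A
2017-11-10T09:03:00Z 10.20.1.16 updates.pos-vendor.example A
2017-11-10T09:03:30Z 10.20.1.16 cdn.example-bad.net TXT
this line is malformed and is skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HEX_LABEL = re.compile(r"[0-9a-f]{24,}")

def parse_log(text):
    """Yield (timestamp, client, qname, qtype); silently skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()

def policy_action(qname, allowlist=POS_ALLOWLIST):
    """Allowlist enforcement: 'allow' for a listed name or any subdomain of one, else 'block'."""
    q = qname.rstrip(".").lower()
    return "allow" if any(q == a or q.endswith("." + a) for a in allowlist) else "block"

def audit_pos_dns(text, allowlist=POS_ALLOWLIST):
    """Group blocked queries per POS client and mark the ones shaped like tunnelled data.
    Heuristic (assumption, not from the article): TXT query or a 24+ hex-char leftmost label."""
    findings = {}
    for _ts, client, qname, qtype in parse_log(text):
        if policy_action(qname, allowlist) == "allow":
            continue
        rec = findings.setdefault(client, {"blocked": [], "exfil_suspect": []})
        rec["blocked"].append(qname)
        if qtype == "TXT" or HEX_LABEL.fullmatch(qname.split(".")[0]):
            rec["exfil_suspect"].append(qname)
    return findings
```

Running `audit_pos_dns(SAMPLE_DNS_LOG)` reports both POS clients: each blocked query is a device talking to a service outside its policy, and the flagged subset is what an analyst would look at first for exfiltration.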
No one wants to be in damage control mode. By securing your POS system and monitoring DNS, you’ll be able to take action before it’s too late.