USB thumb drive was plugged into our POS system

25 pts.
Tags:
Security POS system
USB
A USB thumb drive plugged into a retail POS system was used to activate stolen gift cards. Is this possible? If so how did they pull it off?

Answer Wiki

Thanks. We'll let you know when a new response is added.

It’s possible but if we told you how it was done that would be providing information to others on how to do it. They just might try it themselves. It’s basically another form of hacking and that is morally wrong and I won’t provide that type of information for illegal purposes.

Discuss This Question: 10  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • TheRealRaven
    Yes, it's possible. But no one is going to tell you how it's done, most especially in a public Internet forum.
    23,260 pointsBadges:
    report
  • Subhendu Sen
    Who deployed this system, either you people or from external source like from vendor's representatives? Probably this system installed/configured from other source/expert. If yes, did you check the whole things/configurations at the time of deployment? Without knowing more not possible to provide useful replies.
    103,660 pointsBadges:
    report
  • Syngyn
    Thank you everyone for your answers. I understand the reluctance  to giving the instructions. Last thing I want is this happening to more retailers. Here is the situation with better detail: 

    1: The IT manager was socially engineered into believing someone was with the PCI compliance branch of our bank. (No such branch)

    2. This person was given access to a pos terminal we don't use but is active on the network.

    3. He plugged a USB drive (to pentest the system) into the terminal and it caused the monitors to go blank. He then said it was defective and needed to make adjustments and would come back.

    4.  When the end of day came we found a bunch of activated gift cards had  been processed at the same time he plugged in. It all happened so fast. 

    5. After reviewing the video we noticed that there were several cards stolen off the kiosk during the weeks before this happened. I'm sure it's connected to this.

    I just don't see how it's possible without some kind of inside knowledge. Like account numbers etc. I don't want to start accusing anyone without knowing if it's even possible first.
    25 pointsBadges:
    report
  • ToddN2000
    Another option for protection going forward is to disable the USB ports on the terminal if they are not used. It could have been someone just familiar with the process even from another retail establishment that may sell the same gift cards. Another thing is to verify the person looking for access to your system. If I did not call for somebody to work on my system I would call to verify someones identity that just showed up out of the blue, corporate or not.
    99,905 pointsBadges:
    report
  • Kevin Beaver
    This sounds like a calculated and complicated attack. The only way to know for sure how it happened is forensics analysis of the machine. Even then, you might not get all the details. You should consider hiring a forensics expert and, in the meantime, contacting the vendors associated with the gift cards to notify them of the fraud. further locking down the systems with strong endpoint security controls including executable whitelisting, disabling USB ports, etc. would be a good idea.
    25,745 pointsBadges:
    report
  • bhannah
    ToddN2000 and the others have covered this pretty well except for the point that someone allowed someone access to the system without verifying who that person actually was. This was a failure of your security and was something that should not have happened. As an IT Person that worked in both the Banking Industry and the Security side of both of these, I would say that you need to take a look at your security procedures.
    4,090 pointsBadges:
    report
  • Syngyn
    Thank you for the professional advice moving forward. Yes, the gift card vendor has been alerted. The terminal was analyzed and something interesting showed. When the USB drive was plugged into it. It logged as a keyboard being plugged in?? Nothing else is there except the gift card transactions which appeared to be processed in a batch instead of scanned. We are just a small Ma and Pa store. I'm shocked that we would be targeted by something this complicated. To add to the situation the POS software vendor claims it's not possible and has stonewalled any attempt at getting to the bottom of it. Local police are focussing on the IT manager because the vendor is steadfast on it not being possible. I'm not sure what to think. However I have found someone who says it's possible and quite easy. He says that a USB drive with a built in wireless connection makes it possible. I checked and there is such an item on the market. I'm not the most tech savvy person but I don't see why a thumb drive would need a wireless access point built in. I guess I'll never know for sure. Going forward I've followed everyone's advice and put processes in place to make sure it doesn't happen again. Thank you for taking the time to help a dinosaur out.
    25 pointsBadges:
    report
  • ToddN2000
    As technology changes and continues at the rapid pace it's on, there will always be people out there looking for new ways to exploit security and hardware.When we fix an issue and take their lively-hood away they need other means. Unfortunately this is the society we live in. USB ports, to me seem a major risk. The reason being is who looks at their ports everyday? Who is to say your nightly cleaning service may have someone who could do this and may have access to the computers of upper level managers. They could have key loggers, malware or other malicious applications on them.
    99,905 pointsBadges:
    report
  • bhannah
    ToddN2000's thoughts are very valid. It is something that I have seen time and time again. One thing that should set on every one of your systems is that you AV / Antimalare should be set to scan upon insertion of any USB device. Sadly people will disable this feature on systems or never activate it. I have seen Malware and Viruses inserted into brand new software packages that are still in the shrink wrapped boxes, and I have also in come through as an embedded part of an update for installed software on people's system.
    4,090 pointsBadges:
    report
  • Subhendu Sen
    Is your system's antivirus software updated with latest one? Is it works properly? Have you ever checked all that things? Is it possible to run this mechanism in safe mode?
    103,660 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.

Following

Share this item with your network: