SAP POS terminals have been found to have vulnerabilities after multiple incidents occurred because of their security problems.
The SAP POS Xpress Server does not perform any authentication checks for functionality that requires a user identity. What this means is that administrative and other managerial functions that should be restricted can actually be accessed without any authentication procedure at all.
This allows anyone to get into the network and change prices or set discounts.
The legitimate software functionality lacks the access restrictions it should have, meaning that hackers have easy access and the malicious actions are difficult to detect.
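To make the bug class concrete, here is an added illustration (not ESET's or SAP's code): a toy POS command dispatcher that executes price and discount changes for any caller, beside a hardened version that requires an authenticated admin session and writes an audit record for every change. The request shape, session tokens and role names are constructed for this example and do not reproduce the real Xpress Server protocol.

```python
# Added illustration of the bug class described above: a POS command dispatcher
# that lets any caller change prices or discounts, beside a hardened version
# that requires an authenticated admin session and logs every change.
# Request shape, role names and tokens are constructed for this example; they
# are not SAP's real Xpress Server protocol.
import hmac

# Constructed session store: session token -> role.
SESSIONS = {"tok-admin-1": "admin", "tok-cashier-1": "cashier"}
ADMIN_COMMANDS = {"set_price", "set_discount"}


def new_store():
    """Constructed sample catalogue: prices, discounts and an audit trail."""
    return {"prices": {"SKU-1001": 19.99}, "discounts": {}, "audit": []}


def vulnerable_dispatch(store, request):
    """Missing-authentication variant: the command is executed for anyone."""
    table = "prices" if request["cmd"] == "set_price" else "discounts"
    store[table][request["sku"]] = request["value"]
    return "ok"


def _role_for(token):
    # Constant-time comparison so a wrong token does not leak which one is valid.
    for stored, role in SESSIONS.items():
        if hmac.compare_digest(stored, token or ""):
            return role
    return None


def hardened_dispatch(store, request):
    """Authenticated variant: admin commands need an admin session and are audited."""
    cmd = request.get("cmd")
    if cmd not in ADMIN_COMMANDS:
        return "unknown command"
    role = _role_for(request.get("session"))
    if role is None:
        store["audit"].append(("denied", cmd, "unauthenticated"))
        return "unauthenticated"
    if role != "admin":
        store["audit"].append(("denied", cmd, role))
        return "forbidden"
    table = "prices" if cmd == "set_price" else "discounts"
    old = store[table].get(request["sku"])
    store[table][request["sku"]] = request["value"]
    # Record who changed what, so the quiet price edits the text warns about
    # are visible to whoever reviews the log.
    store["audit"].append(("changed", cmd, request["sku"], old, request["value"]))
    return "ok"
```

The audit entries are the detection hook: a price or discount change that reaches the store without a matching "changed" record, or a burst of "denied" records, is what a monitoring rule would alert on.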
Mark James, ESET IT Security Specialist, explains how this could be potentially damaging and how companies could overcome this.
“Any system that is not patched regularly could be affected by these types of exploits.
“We rely on computers to deal with the mundane or repetitive tasks that go hand-in-hand with the retail industry, so it only takes a seemingly small minor vulnerability to enable someone to take complete control of a system.
“Then, coupled with administrative privileges, often they could do pretty much whatever they wanted.
“Once inside the network and authenticated you have complete control; that control is exactly the same as the support people who fix it for you or the administrator that sets the rules.
“You can, in theory, do anything you want.
“Obviously, certain things will flag alarms or concerns, but to be honest if you were conservative with your changes or modifications it’s quite possible you could change various options without notice.
“With very sophisticated and powerful computing devices available these days, for a fraction of the cost you would expect, all it takes is a little knowhow.
“Combine those two and you have all you need to find, compromise and take over any systems not patched.
“Quite simply, to defend against this sort of attack: patch, patch and patch!
“When companies find their software is vulnerable they will want to patch it ASAP, as they want it as safe as you do.
“Once vulnerabilities are found they will in most cases be fixed and patched with speed; these patches are then sent out for you to apply.
“Any and all security patches should be applied with speed and precision. In most cases, it’s your only protection against these types of attacks.”