A week in the news: sale terminals at risk

Bitly was compromised this week and is urging users to change passwords. Point-of-sale systems are poorly secured. And fixes from Microsoft on Patch Tuesday.

A new study reveals that point-of-sale terminals are poorly secured and facing ever-sophisticated threats, the second Tuesday of the month means security fixes from all of your favourite software vendors, and the popular link shortening service Bitly admits to being compromised by unknown attackers.


Point-of-sale – or PoS – is just a fancy name for a cash register. Of course, we aren’t talking about old-timey, bell ringing cash registers. We’re talking about connected, electronic sale terminals that store and pass along payment information. A PoS system of one kind or another is present in nearly every retail location or restaurant that accepts debit or credit cards. Unfortunately, a new report finds that these systems, on which many of us very regularly conduct financial transactions, are facing an increasingly complex array of attacks. Worse yet, most of them do not offer much in the way of security protections.

This reality really isn’t all that surprising, given that a compromised PoS terminal could potentially yield all pertinent payment information about any credit or debit card processed in a transaction on that machine.

Bitly was compromised this week and is urging users to change passwords. Point-of-sale systems are poorly secured. And fixes from Microsoft on Patch Tuesday.

A recent Arbor Networks report named at least five separate pieces of malware designed exclusively for the purpose of attacking PoS systems. Furthermore, the Verizon data breach investigation report noted there were 198 distinct PoS intrusions in 2013. Also, in case you were wondering, recent attacks on Target, Nieman Marcus, Michael’s and other retailers were all PoS attacks and all spilt substantial consumer data.

What can you do about it? Well, you could burn all your credit and debit cards and conduct only cash transactions until this whole “Internet” thing blows over. That’s pretty extreme, though. Your best course of action is to pay attention to the news and act fast when you hear about a breach at a company you’ve patronised. You’ll want to check your credit or debit card balances to make sure nothing is amiss and also contact your bank to cancel any potentially exposed cards and replace them with new ones.

Bitly broken

The popular link shortening service Bitly was compromised late last week. This means if you have or ever had a Bitly account, then you should consider the password you used for that account exposed. While the company believes that no user-accounts were or are at risk, it is still urging its customers to change their passwords. Bitly has also announced that it is implementing two-factor authentication as a result of the breach.

I will also urge you to change your Bitly account password if you have one. If you happened to use that same password for other accounts, then you are going to want to change the passwords for those services as well, which is why you should never use the same password on multiple accounts.

One last thing to point out, Bitly allows its users to link their Bitly account with their Facebook and Twitter accounts. This could have been problematic – allowing an attacker with access to your Bitly account potential access to your social accounts as well, but Bitly smartly invalidated all of those connections. You will have to re-authenticate those connections if you would like to reconnect the accounts. Unfortunately, you will also want to change the password for any social account you had linked with Bitly.

Patch Tuesday

Briefly, Patch Tuesday was this week, which means fixes for Adobe’s and Microsoft’s ubiquitous products, as well as patches for Google Chrome. Microsoft issued eight security bulletins – of which two were critical–fixing some 13 security vulnerabilities in its Internet Explorer Web browser and more in its other software. Adobe fixed some critical bugs in its Reader, Acrobat, and Flash players. Google fixed three highly rated security vulnerabilities in its Chrome browser (and paid $4500 to the researchers that found and reported the bugs).

While we’re at it, on the off chance that you want to get into some real insider-baseball stuff, we may as well mention that there was a fix for a five-year-old vulnerability in the Linux kernel and also a couple patches for some Yokogawa industrial infrastructure gear.

Make sure you’re up-to-date with the latest versions of your Microsoft and Adobe software and Chrome, too. You should also check on your Yokogawa systems and Linux distributions if you are into that sort of stuff.