14 Best Practices for Securing Mobile POS Devices


BETTER Mobile Security, 110 Fifth Avenue, New York, NY 10023

+1 [email protected]

All trademarks and registered trademarks contained herein are property of their respective holders. Rather than identifying a trademark by symbol with every occurrence, names and logos are used in an editorial fashion, with no intention of infringement of the respective owner’s property.

www.BETTER.mobi

White Paper

14 Best Practices for Securing Mobile POS Devices

Minimize Your Mobile POS Security Challenges


Why Should Retailers Care Now

Retailers increasingly rely on mobile devices to deliver a host of innovative point of sale services and strengthen relationships with customers. Mobile POS (MPoS) apps that check inventory, show customers an “endless aisle” of online items related to their in-store purchase for use in upselling, or improve customer engagement and follow up through “clienteling” services are just a few examples.

Security is a growing concern. You need to keep customer data safe, particularly if that data is customer account information subject to PCI regulations. Yet security for mobile devices lags that of PCs even as attackers are increasingly drawn to mobile devices by the lure of digital wallets, currency, and services such as PayPal, Apple Pay, and Alipay. With the recent spate of high-profile retail security breaches, including hacks of Target, Neiman Marcus, and Michaels, it’s only a matter of time before MPoS devices become targets for hackers and intruders.

Ensuring a high level of security for MPoS devices requires you to continuously monitor and verify what’s happening on the device, apps, and network as well as actively detect and prevent threats in real time. Work closely with your hardware vendor and third-party security experts to put in place the following 14 best practices to minimize the risk.

Address Operational Challenges

1. Provide role-based access control. IT should be able to control mobile devices with a high degree of granularity. For example, when sales floor associates have full access to “Settings” on the MPoS, they can join any free Wi-Fi network or download the latest iOS updates. Hackers can even install a proxy and divert sales transactions to their servers. To limit the ability to change settings, implement role-based access controls.

2. Prevent local caching of credentials. When a device caches credentials locally, an attacker can use them to access databases containing sensitive information. Make sure your solution allows you to disable local caching.

3. Implement multi-factor authentication. Some applications allow sales floor associates to use the same credentials to log on to multiple applications. While this improves convenience, it means a single compromised credential has a broader impact. Use multi-factor authentication to strengthen access protection.

Prevent File Transfers

4. Shut down Bluetooth. Apple devices come with AirDrop, a utility that uses Bluetooth to transfer files from one device to another. Attackers can use AirDrop to send data from the device or load malicious software onto it. Look for a solution that allows you to disable Bluetooth.

5. Disable email and iMessages. When sales floor associates add a personal email or iMessage account to the device, attackers can use the account to send information from the device or load malicious software on it. Employ a solution that allows you to disable the native email and iMessaging applications.

6. Monitor iCloud. Apple iCloud automatically keeps data up-to-date across multiple devices. But if hackers access the account, they can remotely wipe the device or track its location. Look for a solution that detects iCloud account status and monitors suspicious behavior.


Disallow Malicious Files, Certificates and Network Connections

7. Verify application legitimacy. When users download applications, you need to be sure those applications are legitimate and not malware looking to infect the device. Look for a solution that can detect malware and remediate the problem.

8. Monitor certificates. If a sales floor associate is tricked into accepting a CA certificate on their mobile device, the attacker could decrypt SSL messages and access sensitive information. Look for a solution that can detect certificates and take actions such as warning associates or blocking apps.

9. Manage network connections. When devices access unauthenticated wireless networks, they’re vulnerable to man-in-the-middle attacks. Implement a solution that detects when the device is running on an unknown network and closes the app, locks the device, or disables network settings if a MitM attack occurs.

Train Users

10. Communicate guidelines. Sales floor associates can be a weak link. Be sure to communicate what they should and shouldn’t do to ensure security. Also implement processes that hold sales floor associates accountable for checking devices in when they complete their shifts.

Test, Monitor and Report

11. Test for vulnerabilities. Conduct ongoing penetration testing to detect whether hackers are able to access the device.

12. Monitor and Report. Also install a solution that continually monitors the device and reports on whether the software deviates from corporate standards. This allows IT to quickly spot potential security threats, lock the device down, investigate what’s happening, and create policies for mitigating security issues.

Develop Deep Vendor Partnerships

13. Partner with your vendor. As your vendor upgrades the OS and releases security patches, be sure to stay up-to-date. This means partnering with your vendor’s product team, as well as working to ensure that the vendors of supporting products keep up with new versions, new OS capabilities or design changes. You may need to replace unsupported peripherals.

14. Implement enterprise capabilities. Both Apple and Android offer enterprise capabilities that provide additional controls. For example, Apple Supervision mode has more than 100 additional controls you can leverage to enable greater security and standardization. Be sure to implement these controls.
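Many of the practices above (1, 4, 5, 6, 7, 8, 9 and 14) map directly onto Apple's Restrictions configuration profile on a supervised device. The profile below is an added example written for this page, not code from BETTER or from the paper; the payload identifiers and UUIDs are placeholders, the keys are Apple's documented Restrictions payload keys (most only take effect on supervised devices), and `forceWiFiWhitelisting` assumes a separate Wi-Fi payload in the same profile that lists the approved store networks.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mpos.restrictions</string> <!-- placeholder -->
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string> <!-- placeholder -->
  <key>PayloadDisplayName</key><string>MPoS device restrictions (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mpos.restrictions.access</string> <!-- placeholder -->
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string> <!-- placeholder -->
      <!-- Practice 1: associates cannot change accounts, Bluetooth, passcode or the restrictions themselves -->
      <key>allowAccountModification</key><false/>
      <key>allowBluetoothModification</key><false/>
      <key>allowPasscodeModification</key><false/>
      <key>allowEnablingRestrictions</key><false/>
      <!-- Practice 4: no AirDrop file transfers (Bluetooth settings are locked by the key above;
           turning the radio off is an MDM device setting, assumed to be applied separately) -->
      <key>allowAirDrop</key><false/>
      <!-- Practice 5: no iMessage; personal mail accounts are already blocked by allowAccountModification -->
      <key>allowiMessage</key><false/>
      <!-- Practice 6: keep POS data and credentials out of any iCloud account -->
      <key>allowCloudBackup</key><false/>
      <key>allowCloudDocumentSync</key><false/>
      <key>allowCloudKeychainSync</key><false/>
      <!-- Practice 7: only MDM-distributed apps; no sideloading or trusting ad-hoc enterprise certificates -->
      <key>allowAppInstallation</key><false/>
      <key>allowAppRemoval</key><false/>
      <key>allowEnterpriseAppTrust</key><false/>
      <!-- Practice 8: fail untrusted TLS connections instead of asking the associate to accept a certificate -->
      <key>allowUntrustedTLSPrompt</key><false/>
      <!-- Practice 9: Wi-Fi limited to networks defined in this profile's Wi-Fi payload; no user-created VPNs -->
      <key>forceWiFiWhitelisting</key><true/>
      <key>allowVPNCreation</key><false/>
    </dict>
  </array>
</dict>
</plist>
```

Deploy it through your MDM to supervised devices only, and verify each key against the Configuration Profile Reference for the iOS version you actually run, since supervision requirements and minimum versions differ per key.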

Retailers have increasingly become the targets of high-profile break-ins. As they continue to take greater advantage of insecure mobile devices, the risk of security breaches through this point of entry will only grow. By implementing these 14 MPoS security best practices, you can minimize the risk of attacks and ensure you have the right measures in place should a breach occur.

To learn more about how to keep your MPoS devices secure, go to http://bitly.com/SecureMPoS or contact me at [email protected]


About the Author

Purna Bhat is a technology executive at BETTER Mobile Security, helping CIOs address their operational and security challenges in mobility. He often advises retailers on how to embed security into their mobile strategy. For nearly 20 years previously, he held leadership roles at various IT consulting firms, assessing IT security and delivering complex security solutions for Fortune 1000 enterprises across the globe in retail, financial services, healthcare and other verticals. For more information about Purna, visit www.linkedin.com/in/purnabhat/

About BETTER Mobile

BETTER offers an all-in-one mobile security platform that adds advanced threat detection, prevention, and remediation to your existing Mobile Device Management/Enterprise Mobility Management (MDM/EMM) solution. BETTER provides enterprises complete endpoint visibility, security, and control through real-time, self-protecting advanced mobile threat detection and prevention. With BETTER, you gain mobile application visibility and risk-based intelligence and can add security controls to any app outside of a secured container to satisfy any existing security requirements. You can do this quickly and automatically without any coding or wrapping.

For more information, please visit www.better.mobi
