The point of sale (POS) refers to the place where customers purchase goods or services from a business, and a POS system incorporates devices and networking capabilities that support this practice. POS devices can include everything from cash registers to mobile devices like tablets and smartphones. These devices are networked to backend servers that process and store transactional data, payment card data, and more.
Exploiting the frontend devices in a POS system might enable you to access sensitive sales and financial data. Mobile devices might be more familiar to you, but typically incorporate better security practices than older specialized devices like payment card terminals and barcode scanners. Compromising these devices can enable you to read or manipulate payment information before it is sent to a server for processing and storage.
There might also be opportunities for you to compromise the backend servers in a POS system. For example, researchers discovered that SAP POS systems failed to authenticate command requests, enabling anyone connected to the network to upload a configuration file to the checkout server to gain access to administrative functionality. An attacker could use this functionality to change prices, read sensitive payment data, or trigger a DoS on the POS system. Because the backend server is likely to be running a common operating system such as Windows or Linux, with a SQL Server database installed, it is vulnerable to all of the same attacks as any other server. Retail stores tend to be large and open to the public. It could be easy for an attacker to simply find an Ethernet cable and plug their attack machine into the network.