Security researchers have demonstrated a way to set steep discounts or walk out with goods for next to nothing by hacking vulnerable point-of-sale systems.
Researchers at cybersecurity firm ERPScan, which has a commercial stake in the space, found that SAP's point-of-sale (POS) systems neither authenticate nor validate internal commands, so anyone with access to the store's network gets unrestricted access to the checkout system. Getting onto that network may not be difficult: many devices around a store are Ethernet-connected, so an attacker who can plug into an exposed port is already inside, with no exploit required.
All the hacker has to do is upload a new configuration file to the SAP Xpress server, which controls the checkout machines, to gain access to administrative functions.
That access allows the unauthenticated hacker to change prices, set discounts, or take other malicious actions against the systems -- including remotely shutting down the checkout machines, or unmasking credit card numbers.
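The flaw described above is a classic instance of treating network position as authorization: the server applies whatever configuration arrives on the LAN. The following is an added illustrative model, not ERPScan's code and not SAP's actual file format or protocol (which the article does not describe); the config structure, the `MGMT_KEY` shared secret and the version field are all assumptions. It places the vulnerable behaviour beside a hardened variant that requires an HMAC over the configuration and a strictly increasing version number, so that neither a forged price list nor a replay of an old, legitimately signed one is accepted.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the article or from SAP): a store's price
# list and the override an attacker on the LAN would like the checkout to apply.
LEGIT_CONFIG = {"version": 2, "prices": {"MACBOOK-13": 1299.00, "USB-C-CABLE": 19.00}}
FORGED_CONFIG = {"version": 3, "prices": {"MACBOOK-13": 1.00, "USB-C-CABLE": 19.00}}

# Hypothetical shared secret provisioned out of band to the management console
# and the POS server; someone merely plugged into the store LAN does not have it.
MGMT_KEY = b"store-4711-config-signing-key"


def encode(config: dict) -> bytes:
    """Canonical JSON so that signer and verifier hash identical bytes."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


class VulnerablePosServer:
    """Models the flaw: a config upload from anywhere on the LAN is applied as-is."""

    def __init__(self) -> None:
        self.prices: dict = {}

    def upload_config(self, blob: bytes) -> bool:
        # No authentication, no integrity check: being on the network is the only "auth".
        self.prices = json.loads(blob)["prices"]
        return True


class HardenedPosServer:
    """Applies a config only if it carries a valid MAC and a strictly newer version."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.prices: dict = {}
        self.version = 0

    def upload_config(self, blob: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, blob, hashlib.sha256).digest()
        # Constant-time compare so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            return False
        config = json.loads(blob)
        # A valid MAC is not enough: an attacker who captured last week's signed
        # clearance prices could replay them. Require a strictly newer version.
        if config.get("version", 0) <= self.version:
            return False
        self.version = config["version"]
        self.prices = config["prices"]
        return True


def sign_config(key: bytes, config: dict) -> tuple[bytes, bytes]:
    """What the (hypothetical) management console does before pushing a config."""
    blob = encode(config)
    return blob, hmac.new(key, blob, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Pushes the same configs at both servers and returns each outcome."""
    results = {}

    vuln = VulnerablePosServer()
    vuln.upload_config(encode(FORGED_CONFIG))
    results["vuln_accepts_forged"] = vuln.prices["MACBOOK-13"] == 1.00

    hard = HardenedPosServer(MGMT_KEY)
    blob, tag = sign_config(MGMT_KEY, LEGIT_CONFIG)
    results["hard_accepts_legit"] = hard.upload_config(blob, tag)

    # Attacker has no key: an unsigned push, then the forged blob with the real tag.
    results["hard_rejects_unsigned"] = not hard.upload_config(encode(FORGED_CONFIG), b"\x00" * 32)
    results["hard_rejects_tampered"] = not hard.upload_config(encode(FORGED_CONFIG), tag)

    # Attacker replays the legitimate push captured earlier: valid MAC, stale version.
    results["hard_rejects_replay"] = not hard.upload_config(blob, tag)

    results["hard_price"] = hard.prices["MACBOOK-13"]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the pairing is the check, not the MAC itself: in the vulnerable server every field of the upload is attacker-controlled, so there is nothing the checkout can use to distinguish the store's management console from a laptop plugged into a spare port. In practice the shared key would be replaced by mutually authenticated TLS between console and server, but the replay check on the version number would still be needed.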
"Stealing credit card numbers, setting up prices and special discounts, remote starting and stopping a POS terminal -- all of these options are on the hacker's menu," said Alexander Polyakov, chief technology officer at ERPScan.
The researchers say the "price of $1" for a MacBook, which they used as an example in their testing, "is an exaggeration," but noted that a cashier may well overlook a less conspicuous discount on an item.
According to Dmitry Chastuhin, one of the researchers who identified the vulnerabilities, the flaw may not be limited to SAP, because POS systems from different vendors are built on broadly similar architectures.
"Once an attacker is in the network, he or she gains full control of the system, including prices and credit card data information," said Chastuhin.
"It's unbelievable how woefully insecure we are when just swiping a card," he said.
SAP has since fixed the vulnerabilities and rolled out patches.
In recent years, POS systems have become a prime target for hackers seeking to steal customer card data and commit fraud.
While some POS systems run proprietary software, many are Windows-based. When these are connected to the internet and rarely, if ever, updated, they are at further risk of malware infection.
Some of the largest data breaches, notably Target's, have been caused by hackers targeting POS systems. Hackers siphoned off data on 70 million customers from Target's systems in late 2013 using off-the-shelf memory-scraping malware that harvested card data from the registers as it was processed. Several other high-profile retailers have since been hit by similar breaches.
Last year, Oracle revealed it was investigating a breach of its Micros POS systems, a division that ranks as one of the top POS makers globally with more than 330,000 sites across 180 countries.
POS attacks cost retailers and customers billions every year.
The number of attacks on POS systems, including ransomware attacks, is said to be declining, however.