In 2016, the U.S. Postal Service managed 31,585 retail offices serving 877 million customers. To reduce wait-time-in-line and expedite customer transactions, the Postal Service developed the mobile Point-of-Sale (mPOS) system. mPOS is a mobile system that allows retail associates to accept credit card and non-PIN debit card payments for customers’ retail transactions. In fiscal year (FY) 2016, the mPOS system processed over 26 million transactions totaling about [redacted] million in revenue. As of May 2017, there were a total of 3,037 mPOS devices at high-volume retail units.
Like other retail systems, mobile retail systems are vulnerable to the same malware attacks as traditional payment systems, laptops, and other electronic devices.
Our objective was to determine if the mPOS devices and application are managed in accordance with Postal Service policy and best practices.
What the OIG Found
The Postal Service did not manage the mPOS devices and application in accordance with its policies and best practices. We reviewed access to the mPOS application and found that management should have disabled or removed accounts due to inactivity according to Postal Service policy. Specifically, [redacted] of 39,112 active accounts ([redacted] percent) have not been accessed in over [redacted] days. This occurred because management bulk-loaded accounts into mPOS based on user access to the lobby retail system and did not regularly review and validate users’ need for mPOS access.
We also determined that all mPOS devices are running on [redacted]. This occurred because management did not have a process to ensure that they updated all mPOS devices when new operating system versions are available. Additionally, the Postal Service was unable to upgrade some devices [redacted]. In FY 2016, management approved the upgrade of all mPOS devices to the latest hardware by February 2018.
When system access, devices, and the application are not properly managed, there is an increased risk that the mPOS system could be exploited. For example, a [redacted].
Management also does not adequately train mPOS users. Specifically, [redacted] of 26,786 ([redacted] percent) active mPOS users with transaction activity did not receive mandatory mPOS user training. Management does not have a process to ensure that employees have completed mandatory training prior to using the mPOS application. Improperly trained employees could make errors resulting in (1) reduced confidence in the Postal Service brand, (2) increased customer wait-time-in-line causing customers to use a competitor, or (3) unintentionally mishandled customer data and credit card information.
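The two account-management findings above (accounts left active past the policy's inactivity limit, and users transacting without completed training) both come down to a periodic review that joins three records per user: last access, transaction activity, and training status. The following is an added illustration of that review, not code from the report or from the Postal Service; the account records, the review date and the 90-day threshold are constructed (the report redacts the policy's actual threshold), and the function and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: the report redacts the inactivity threshold, so this is a
# placeholder for illustration, not the Postal Service's policy value.
INACTIVITY_THRESHOLD_DAYS = 90


@dataclass(frozen=True)
class Account:
    user_id: str
    last_access: Optional[date]  # None = bulk-loaded, never actually used
    has_transactions: bool       # processed at least one mPOS transaction
    training_complete: bool      # mandatory mPOS user training on record


def review_accounts(accounts: List[Account], as_of: date,
                    threshold_days: int = INACTIVITY_THRESHOLD_DAYS) -> Dict[str, List[str]]:
    """Sort accounts into the categories an access review should act on.

    disable_inactive : never used, or not accessed within the threshold
    untrained_active : active user with transactions but no training record
    ok               : active, within threshold, training complete
    """
    cutoff = as_of - timedelta(days=threshold_days)
    findings: Dict[str, List[str]] = {"disable_inactive": [], "untrained_active": [], "ok": []}
    for acct in accounts:
        if acct.last_access is None or acct.last_access < cutoff:
            findings["disable_inactive"].append(acct.user_id)
        elif acct.has_transactions and not acct.training_complete:
            findings["untrained_active"].append(acct.user_id)
        else:
            findings["ok"].append(acct.user_id)
    return findings


def summarize(findings: Dict[str, List[str]], total: int) -> Dict[str, float]:
    """Express each category as a percentage of all accounts, as the report does."""
    return {name: round(100.0 * len(ids) / total, 1) for name, ids in findings.items()}


# Constructed sample records; the dates are chosen around a May 2017 review.
SAMPLE_ACCOUNTS = [
    Account("clerk-001", date(2017, 5, 1), True, True),
    Account("clerk-002", date(2016, 11, 3), False, True),   # stale, past threshold
    Account("clerk-003", None, False, False),               # bulk-loaded, never used
    Account("clerk-004", date(2017, 4, 20), True, False),   # transacting, untrained
    Account("clerk-005", date(2017, 5, 10), True, True),
]
REVIEW_DATE = date(2017, 5, 15)

if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for category, ids in result.items():
        print(f"{category}: {ids}")
    print(summarize(result, len(SAMPLE_ACCOUNTS)))
```

Accounts with no access date at all are treated as inactive rather than skipped: a bulk-loaded account that was never used is exactly the case the review is meant to catch, and skipping it would reproduce the gap the report describes. Running this review on a schedule, and gating new access on `training_complete`, is the process the recommendations call for.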
Finally, approved security standards for the mPOS devices and application did not exist. This occurred because the Chief Information Security Officer (CISO) recently re-established a dedicated security standards team and has been working through a backlog of outdated standards. [Redacted].
What the OIG Recommended
We recommended management:
- Disable or delete unnecessary mPOS application user accounts and implement a process to ensure accounts are maintained in accordance with Postal Service policies.
- Upgrade mPOS devices as described in the approved decision analysis report, and develop a process to ensure all mPOS devices are updated to current [redacted].
- Develop and implement a process to ensure that employees receive mPOS training prior to granting them access to the mPOS application.
- Implement security standards for the mPOS devices and application.