We hear hacking horror stories every day. Businesses around the world call us in a panic, needing to decipher what went wrong with their security. Unfortunately, for many franchisees and franchisors, these miscues are common. My hope in sharing some details from three actual security failures is that you will discover actions you can take to enhance your own IT security practices.
1) Pass the pepperoni and passwords, please.
Several small pizza chains used the same restaurant management software and POS system. Sadly, hundreds of those restaurants were hacked.
Once each restaurant's POS system was configured, the local restaurant owners did not change the default password set by the payment application vendor. A hacker easily deduced the password, infiltrated each POS system, and installed a memory scraper (malware designed to "scrape" sensitive information from system memory). This particular memory scraper was designed to scrape customer credit card information from each restaurant's POS system, and thousands of pizza lovers' credit cards were stolen.
It's typical for POS terminals and other software/hardware solutions to begin their lifecycle with default passwords. Default passwords make it easy for IT vendors to install a system without learning a new password each time. The problem is that default passwords are often simple to guess; many are even published on the Internet.
Passwords should be changed every 90 days and be at least 10 characters long, mixing upper- and lower-case letters, numbers, and special characters. Passwords that fall short of these criteria can usually be broken with a password-cracking tool.
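An added example (not from the original article or SecurityMetrics) showing how a franchisor could audit POS accounts against the two rules above: flag candidate passwords that are still a vendor default or fail the complexity criteria, and list accounts whose password is older than 90 days. The default-password list, account records and dates are constructed for illustration.

```python
import re
from datetime import date, timedelta
from typing import List, NamedTuple, Optional

# Policy as stated in the article: rotate every 90 days; at least 10 characters,
# mixing upper- and lower-case letters, digits and special characters.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 10

# Constructed, hypothetical vendor defaults; a real audit would load the
# documented defaults for the POS and payment application actually deployed.
KNOWN_DEFAULTS = {"pos1234", "admin", "password", "vendor123"}


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known vendor default")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


class Account(NamedTuple):
    location: str
    username: str
    last_changed: Optional[date]   # None = never changed since the vendor installed it


def accounts_due_for_rotation(accounts: List[Account], today: date) -> List[Account]:
    """Accounts whose password is older than 90 days or was never changed at all."""
    cutoff = today - timedelta(days=MAX_PASSWORD_AGE_DAYS)
    return [a for a in accounts if a.last_changed is None or a.last_changed < cutoff]


# Constructed sample inventory of POS logins across three locations.
SAMPLE_ACCOUNTS = [
    Account("store-01", "posadmin", date(2024, 5, 20)),   # rotated recently
    Account("store-02", "posadmin", None),                # still on the install-time default
    Account("store-03", "posadmin", date(2024, 1, 15)),   # well past 90 days
]
```

Running `accounts_due_for_rotation(SAMPLE_ACCOUNTS, date(2024, 6, 1))` returns store-02 and store-03, the two accounts an attacker in the pizza-chain scenario would have found easiest to guess.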
Moral: Don't leave your passwords in their default state.
2) A picture is worth a thousand hacks.
A popular website-hosting service gave customers the ability to log in to their corporate server to upload website images through the file transfer protocol (FTP) feature.
In this example, an attacker hacked the FTP upload and uploaded malicious code onto the host's servers. Because the web-hosting service had access to each of its customers' websites, every client website was infected with malware designed to capture credit card information from checkout pages.
Why was the hacker able to access credit card information in multiple accounts through a picture uploader? The main problems in this scenario were a lack of network segmentation and a lack of understanding that FTP is inherently insecure. The web-hosting service shouldn't have used FTP, and it should have segmented its customers' accounts. (Segmentation is the act of using firewall technology to compartmentalize network areas that contain sensitive information, like customer credit cards, from those that don't.)
Moral: Don't invite customers to waltz into your corporate server.
3) Compromise is just a password away.
An unfortunate franchisee with hundreds of high-dollar restaurants hired an IT company to configure their remote access systems across multiple locations.
(Remote access, the ability to access a computer or server from a different location, is often used in mid-sized to large organizations for employees who need access to shared files and company networks, or by business owners logging in from home or the road to view the day's receipts. Popular remote access applications include pcAnywhere, VNC, LogMeIn, and TeamViewer.)
The IT company configured the remote access application with the same single user name and password for every restaurant location. Once a hacker discovered the user name and password for one location, he was able to download malware into all of the restaurants' POS systems. This resulted in the theft of thousands of customer credit cards.
This hack could easily have been prevented if the franchisee had complied with the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all remote access into the cardholder environment requires two-factor authentication. This means that in addition to entering a user name and complex password, you must also complete a second secure login step, such as physically calling an onsite manager to be granted a remote session, entering a one-time authentication code sent to a specific cell phone, or matching unique client-side certificate files.
Moral: Remote access is only as secure as its authentication.
In my experience, these scenarios highlight common problems in franchise credit card security. I encourage you to check your system to look for one or more of these security vulnerabilities. Look for default or non-complex passwords, install security patches and updates, configure your payment application securely, segment your credit card processing network from all other networks, and ensure that your remote access requires two-factor authentication.
David Ellis is forensics investigation director at SecurityMetrics and has more than 25 years of security experience. SecurityMetrics is a data security and compliance company offering security consulting, products, and services for businesses worldwide. For more information, visit securitymetrics.com or call 801-995-6858.