
Prevent Hacking Horror Stories: 3 Online Security Failures To Learn From

We hear hacking horror stories every day. Businesses around the world call us in a panic, needing to decipher what went wrong with their Unfortunately, for many franchisees and franchisors, these miscues are common. My hope in sharing some details from three actual failures is that you will discover actions you can take to enhance your own IT security practices.

1) Pass the pepperoni and passwords, please.
Several small chains used the same management software and POS system. Sadly, hundreds of those restaurants were hacked.

Once each restaurant's POS system was configured, the local restaurant owners did not change the default password set by the payment application vendor. A hacker easily deduced the password, logged in to each POS system, and installed a memory scraper (malware that reads card data out of the POS application's memory, where it sits unencrypted while a transaction is being processed). This particular scraper harvested customer credit card numbers from each restaurant's POS system, and thousands of pizza lovers' credit cards were stolen.

It's typical for POS terminals and other hardware and software products to begin their lifecycle with default passwords; they let an IT vendor install a system without learning a new password each time. The problem is that default passwords are simple to guess, and many are published in vendor manuals and on the Internet, so anyone who can reach the system can try them.

Passwords should be at least 10 characters long, mix upper- and lower-case letters, numbers and special characters, and be changed at least every 90 days. Give each terminal and each location its own password rather than sharing one, so that a password learned at one store does not open the rest. A password that falls short of these criteria, whether a vendor default, a dictionary word or a short string of letters, can usually be recovered quickly with an off-the-shelf password-cracking tool.
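The following script is an added example, not code from the article or from SecurityMetrics. It audits an inventory of POS and management-console accounts for exactly the problems described above: a vendor default left in place, a password that misses the length and character-class policy, and, going one step beyond the story, a password shared by more than one location. The default-credential list and the account inventory are constructed for illustration; a real audit would load them from the vendor install guide and the actual device inventory.

```python
"""Audit POS and management-console accounts for vendor defaults, weak
passwords and passwords shared across locations.

Added example, not code from the article or from SecurityMetrics. The
default-credential list and the account inventory are constructed.
"""
import re

# Constructed (user name, password) defaults, stand-ins for the entries a
# vendor's install guide or a published default-password list would contain.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("pos", "pos"),
    ("manager", "123456"),
    ("support", "Password1"),
}
DEFAULT_PASSWORDS = {pw for _, pw in KNOWN_DEFAULTS}

MIN_LENGTH = 10  # the article's minimum

# Character classes the article asks for; each must occur at least once.
REQUIRED_CLASSES = {
    "lower-case letter": re.compile(r"[a-z]"),
    "upper-case letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_problems(password):
    """List the ways a password misses the length/character-class policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"no {name}")
    return problems


def account_findings(username, password):
    """Findings for one account: default credential, user-name reuse, policy."""
    findings = []
    if (username.lower(), password) in KNOWN_DEFAULTS:
        findings.append("vendor default credential unchanged")
    elif password in DEFAULT_PASSWORDS:
        findings.append("password is a published default")
    if username.lower() in password.lower():
        findings.append("password contains the user name")
    findings.extend(complexity_problems(password))
    return findings


def audit(accounts):
    """accounts: iterable of (location, username, password).

    Returns {"<location>/<username>": [findings...]} for every account with
    at least one finding. A password in use at more than one location is
    flagged too, because a credential stolen at one store then opens the rest.
    """
    locations_by_password = {}
    for location, _user, password in accounts:
        locations_by_password.setdefault(password, set()).add(location)

    report = {}
    for location, username, password in accounts:
        findings = account_findings(username, password)
        shared = locations_by_password[password]
        if len(shared) > 1:
            findings.append(f"same password used at {len(shared)} locations")
        if findings:
            report[f"{location}/{username}"] = findings
    return report


# Constructed inventory; no real stores or credentials.
SAMPLE_ACCOUNTS = [
    ("Store 12", "admin", "admin"),           # vendor default, never changed
    ("Store 12", "manager", "Pizza2014"),     # 9 chars, no special character
    ("Store 14", "manager", "Pizza2014"),     # same password as Store 12
    ("Store 21", "manager", "G7#kq!Vm2pLx"),  # meets the policy, unique
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS).items():
        print(account)
        for finding in findings:
            print("   -", finding)
```

The password-sharing check is the part most audits skip: a password can pass every complexity rule and still be the single key to every store.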

Moral: Don't leave your passwords in their default state.

2) A picture is worth a thousand hacks.
A popular website-hosting service let its customers log in to its server over the file transfer protocol (FTP) to upload images for their websites.

In this example, an attacker compromised that FTP upload path and used it to place malicious code on the host's servers. Because the hosting service ran all of its customers' websites in one environment in which it had access to every site, one compromised upload was enough to infect every client website with malware that captured credit card numbers from checkout pages.

Why could the attacker reach credit card data in many accounts through a picture uploader? Two failures combined: no segmentation between customers, and no appreciation that FTP is inherently insecure. FTP sends the user name, the password and the files themselves in clear text, so anyone on the network path can read or replay the login. The hosting service should have offered an encrypted alternative such as SFTP (file transfer over SSH), and it should have isolated each customer's account from the others. (Segmentation is the act of using firewall technology to compartmentalize network areas that contain sensitive information, like customer credit cards, from those that don't; on a shared host it also means separate accounts and file-system permissions, so that a login for one customer cannot write to another customer's site.)
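The check below is an added example, not code from the article or from the hosting provider it describes. It is a complementary control to the fixes named above (an encrypted transfer protocol and isolation between customers): even an upload path that only authenticated customers can reach should refuse anything that is not actually an image, and the directory it writes to must not be one the web server will execute scripts from. The signature table and the sample uploads are constructed inline.

```python
"""Content check for a customer image-upload path.

Added example, not code from the article or from any hosting provider. It
accepts a file only when its name carries a single allowed image extension,
its leading bytes are the signature of that image format, and no script
marker is embedded in the data. The samples below are constructed.
"""
import os

# Leading bytes (magic numbers) of the image formats this uploader accepts.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",          # GIF87a / GIF89a
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Server-side script or HTML smuggled inside an otherwise valid image (a
# "polyglot" file). This is a heuristic, so keep the markers long enough not
# to occur by chance in binary image data; compared case-insensitively.
SCRIPT_MARKERS = (b"<?php", b"<script")


def check_upload(filename, data):
    """Return (accepted, reason, stored_name) for a proposed upload.

    stored_name is the bare file name to write under the upload root; any
    directory part of the submitted name is discarded so the name cannot
    escape that directory.
    """
    stored_name = os.path.basename(filename)
    parts = stored_name.lower().split(".")
    # Exactly one extension: rejects shell.php.jpg, a.php\x00.jpg and bare names.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "name must be <base>.<ext> with a single extension", None
    ext = "." + parts[1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} is not an allowed image type", None
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "file content does not match its extension", None
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"script marker {marker!r} embedded in image", None
    return True, "ok", stored_name


# Constructed uploads: one genuine PNG header, the rest are what an attacker
# sends through an "image only" uploader.
SAMPLE_UPLOADS = [
    ("logo.png", b"\x89PNG\r\n\x1a\n" + bytes(32)),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff" + bytes(16)),
    ("photo.jpg", b"GIF89a" + bytes(16)),
    ("photo.gif", b"GIF89a" + bytes(8) + b"<?PHP echo 1; ?>"),
    ("../../public_html/index.png", b"\x89PNG\r\n\x1a\n" + bytes(32)),
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        accepted, reason, stored = check_upload(name, data)
        print(f"{name!r:32} {'ACCEPT' if accepted else 'REJECT':6} {reason} {stored or ''}")
```

Note that the last sample is accepted as a plain `index.png` inside the upload directory; the traversal in the submitted name is dropped rather than honoured. What this check cannot do is make a compromised FTP login harmless, which is why the article's two fixes come first.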

Moral: Don't invite customers to waltz into your corporate server.

3) Compromise is just a password away.
An unfortunate franchisee with hundreds of high-dollar restaurants hired an IT company to configure its remote access systems across multiple locations.

(Remote access, the ability to access a computer or server from a different location, is often used in mid-sized to large organizations for employees who need access to shared files and company networks, or by business owners logging in from home or the road to view the day's receipts. Popular remote access applications include pcAnywhere, VNC, LogMeIn, and TeamViewer.)

The IT company configured the remote access application with the same single user name and password at every restaurant location, and nothing beyond that password was required to open a session. Once a hacker discovered the user name and password at one location, the same credential worked everywhere, and he used it to push malware onto the POS systems in all of the restaurants. The result was the theft of thousands of customer credit cards.

This hack could easily have been prevented if the franchisee had complied with the Payment Card Industry Data Security Standard (PCI DSS), which mandates two-factor authentication for all remote access into the cardholder data environment. Two-factor means that in addition to something you know (a user name and complex password) you must present something you have, such as a one-time code generated by a hardware token or authenticator app, a code sent to a specific registered cell phone, or a client-side certificate installed on the connecting machine. Calling an onsite manager who then opens the session is a useful procedural control, but it is not a second factor in the standard's sense. Give each person a separate account rather than one login per location, so that a stolen credential exposes one account and can be revoked without locking out everyone else.
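The code below is an added example, not code from the article, from SecurityMetrics, or from any of the remote-access products named above. It shows the second login step described here, a one-time code that changes every 30 seconds, implemented as RFC 6238 TOTP on the Python standard library, and a gateway that keeps one password-plus-secret record per person instead of one shared login per location. It also handles two failure modes the paragraph implies: an attacker who captured a valid code cannot replay it, and a wrong user name takes as long to reject as a wrong password. The user name, password and TOTP secret are constructed for illustration (the secret is the RFC 4226/6238 test seed).

```python
"""Per-user password plus one-time-code check for a remote-access gateway.

Added example, not code from the article, SecurityMetrics, or any product
named in it. TOTP per RFC 6238 on the standard library; credentials below
are constructed.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 time-based code: HOTP over the current 30-second time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def matching_step(secret, code, for_time, step=30, digits=6, window=1):
    """Return the time step whose code equals `code`, or None.

    `window` steps either side of now are accepted to tolerate clock drift
    between phone and server; comparison is constant-time.
    """
    now_step = int(for_time) // step
    for candidate in range(now_step - window, now_step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


class RemoteAccessGate:
    """Something you know (password) plus something you have (the device
    holding the TOTP secret). One record per person, never one per location."""

    def __init__(self):
        self._users = {}

    def enroll(self, username, password, totp_secret):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "secret": totp_secret,
            "last_step": -1,  # highest time step already used; refuses replay
        }

    def login(self, username, password, code, now=None):
        if now is None:
            now = time.time()
        user = self._users.get(username)
        if user is None:
            # Burn the same work as a real check so a probe cannot tell
            # unknown user names from wrong passwords by timing.
            hashlib.pbkdf2_hmac("sha256", password.encode(), bytes(16), PBKDF2_ROUNDS)
            return False
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        password_ok = hmac.compare_digest(attempt, user["hash"])
        step = matching_step(user["secret"], code, now)
        # Both factors are evaluated before deciding, so a wrong password and
        # a wrong code take the same path.
        if not password_ok or step is None or step <= user["last_step"]:
            return False
        user["last_step"] = step
        return True


if __name__ == "__main__":
    gate = RemoteAccessGate()
    secret = b"12345678901234567890"  # constructed; real secrets come from os.urandom
    gate.enroll("jane.doe@store17", "Pepper0ni!Slice", secret)
    code = totp(secret)
    print("code for this 30-second step:", code)
    print("login:", gate.login("jane.doe@store17", "Pepper0ni!Slice", code))
    print("same code again:", gate.login("jane.doe@store17", "Pepper0ni!Slice", code))
```

The `last_step` bookkeeping is what turns "a code sent to a specific cell phone" into a factor an attacker cannot reuse: once a step's code has opened a session, that code and any older one are dead, even though the drift window would otherwise still accept the previous step.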

Moral: Remote access is only as secure as its authentication.

In my experience, these scenarios highlight the most common problems in franchise credit card security. I encourage you to check your own systems for each of them: look for default or non-complex passwords, install security patches and updates, configure your payment application securely, segment your credit card processing network from all other networks, and make sure that every remote access path requires two-factor authentication.

David Ellis is forensics investigation director at SecurityMetrics and has more than 25 years of security experience. SecurityMetrics is a data security and compliance company offering security consulting, products, and services for businesses worldwide. For more information, visit securitymetrics.com or call 801-995-6858.

A Franchise Update Media Group Production Franchise Update Media Group | P.O. Box 20547 // San Jose, CA 95160 // PH. (408) 402-5681
Copyright © 2001 - 2014. All Rights Reserved.