Every day there seems to be a new "security breach" making the news. We hear a lot more that don't make the news. Businesses from all over the world call us in a panic, trying to figure out what went wrong with their online security. Unfortunately, for many franchise systems, these miscues are common. My hope in sharing some details from three actual security failures is that you will discover actions you can take to enhance your own IT security practices.
1) Please pass the pepperoni - and the passwords. Several small pizza chains used the same restaurant management software and POS system. Sadly, hundreds of those restaurants were hacked.
Once each restaurant's POS system was configured, the local restaurant owners did not change the default password set by the payment application vendor. A hacker easily deduced the password, infiltrated each POS system, and installed a memory scraper (malware designed to "scrape" sensitive information from system memory). This particular memory scraper was designed to scrape customer credit card information from each restaurant's POS system, and thousands of pizza lovers' credit cards were stolen.
It's typical for POS terminals and other software/hardware solutions to begin their lifecycle with default passwords. Default passwords make it easy for IT vendors to install a system without learning a new password each time. The problem is that default passwords are often simple to guess; many are even published on the Internet.
Passwords should be changed every 90 days, contain at least 10 upper and lower case letters, and numbers, and special characters. Passwords that fall short of these criteria can usually be broken using a password-cracking tool.
Lesson: Don't leave your passwords in their default state.
2) A picture is worth a thousand hacks. A popular website-hosting service gave customers the ability to log in to their corporate server to upload website images through the file transfer protocol (FTP) feature.
In this example, an attacker hacked the FTP upload and uploaded malicious code onto the host's servers. Because the web-hosting service had access to each of its customers' websites, every client website was infected with malware designed to capture credit card information from checkout pages.
Why was the hacker able to access credit card information in multiple accounts through a picture uploader? The main problems in this scenario were a lack of network segmentation and lack of understanding that FTP is inherently insecure. The web-hosting service shouldn't have used FTP, and it should have segmented their customer's accounts. (Segmentation is the act of using firewall technology to compartmentalize network areas that contain sensitive information--like customer credit cards - from those that don't.)
Lesson: Don't invite hackers to waltz into your corporate server.
3) Compromise is just a password away. An unfortunate franchisee with hundreds of high-dollar restaurants hired an IT company to configure their remote access systems across multiple locations.
Remote access, the ability to access a computer or server from a different location, is often used in mid-sized to large organizations for employees who need access to shared files and company networks, or by business owners logging in from home or the road to view the day's receipts. Popular remote access applications include pcAnywhere, VNC, LogMeIn, and TeamViewer.
The IT company configured the remote access application with a single user name and password authentication for each restaurant location. Once a hacker discovered the user name and password for one location, he was then able to download malware into all of the restaurant's POS systems. This resulted in the theft of thousands of customer credit cards.
This hack could easily have been prevented if the franchisee had complied with the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all remote access into the cardholder environment requires two-factor authentication. This means that in addition to entering a user name and complex password, you must also complete a second secure login step, such as physically calling an onsite manager to be granted a remote session, entering a one-time authentication code sent to a specific cell phone, or matching unique client-side certificate files.
Lesson: Remote access is only as secure as its authentication.
In my experience, these scenarios highlight common problems in franchise credit card security. I encourage you to check your system to look for one or more of these security vulnerabilities. Look for default or non-complex passwords, install security patches and updates, configure your payment application securely, segment your credit card processing network from all other networks, and ensure that your remote access requires two-factor authentication.
A targeted, quarterly magazine that takes CEO's, VPs and Sales Executives to the cutting edge of franchise development.