Multi-Unit Franchisee Magazine Issue II, 2014 | Page 70
Security BY DAVID ELLIS
Prevent Hacking Horror Stories
Three online security failures to learn from
We hear hacking horror stories every day. Businesses around the world call us in a panic, needing to decipher what went wrong with their security. Unfortunately, for many franchisees and franchisors, these miscues are common. My hope in sharing some details from three actual security failures is that you will discover actions you can take to enhance your own IT security practices.
1) Pass the pepperoni and passwords, please. Several small pizza chains used the same restaurant management software and POS system. Sadly, hundreds of those restaurants were hacked.

Once each restaurant's POS system was configured, the local restaurant owners did not change the default password set by the payment application vendor. A hacker easily deduced the password, infiltrated each POS system, and installed a memory scraper (malware designed to "scrape" sensitive information from system memory). This particular memory scraper was designed to scrape customer credit card information from each restaurant's POS system, and thousands of pizza lovers' credit cards were stolen.
It's typical for POS terminals and other software/hardware solutions to begin their lifecycle with default passwords. Default passwords make it easy for IT vendors to install a system without learning a new password each time. The problem is that default passwords are often simple to guess; many are even published on the Internet.

Passwords should be changed every 90 days and contain at least 10 characters, including upper- and lowercase letters, numbers, and special characters. Passwords that fall short of these criteria can usually be broken using a password-cracking tool.

Moral: Don't leave your passwords in their default state.
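The password rules above can be turned into a check that runs when a POS account's password is set or during a periodic audit. The script below is an added example written for this column, not code from the author or from SecurityMetrics; the list of "known default" credentials and the sample accounts are constructed for illustration, and the 90-day and 10-character limits are the ones the text recommends.

```python
import re
from datetime import date, timedelta

# Constructed sample of vendor default credentials, for illustration only;
# a real check would use the defaults documented for your own POS/payment software.
KNOWN_DEFAULTS = {"password", "admin", "pos", "12345", "default", "manager"}

MAX_AGE_DAYS = 90   # rotate at least every 90 days
MIN_LENGTH = 10     # at least 10 characters

# (description, pattern) pairs for the character classes a password must contain
REQUIRED_CLASSES = [
    ("uppercase letter", re.compile(r"[A-Z]")),
    ("lowercase letter", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special character", re.compile(r"[^A-Za-z0-9]")),
]


def password_problems(password, last_changed, today):
    """Return the list of policy violations for one credential (empty list means compliant).

    Meant to run when a password is being set, or in an audit that has the
    plaintext candidate in hand; stored passwords should only ever be hashed.
    """
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known vendor default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES:
        if not pattern.search(password):
            problems.append(f"no {name}")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"not changed in more than {MAX_AGE_DAYS} days")
    return problems


def audit_accounts(accounts, today):
    """accounts: {name: (password, last_changed)}; returns only the failing accounts."""
    report = {}
    for name, (password, last_changed) in accounts.items():
        problems = password_problems(password, last_changed, today)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed accounts standing in for a POS terminal's local users.
    sample = {
        "pos-admin": ("password", date(2013, 1, 1)),         # vendor default, never changed
        "owner":     ("Pepperoni!2014x", date(2014, 5, 1)),  # meets the policy
    }
    for account, problems in audit_accounts(sample, date(2014, 6, 1)).items():
        print(account, "->", "; ".join(problems))
```

Run as a script it reports only the failing account; the untouched vendor default trips every rule at once, which is exactly the situation the pizza chains were in.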
2) A picture is worth a thousand hacks. A popular website-hosting service gave customers the ability to log in to its corporate server to upload website images through the file transfer protocol (FTP) feature.

In this example, an attacker hacked the FTP upload and uploaded malicious code onto the host's servers. Because the web-hosting service had access to each of its customers' websites, every client website was infected with malware designed to capture credit card information from checkout pages.

Why was the hacker able to access credit card information in multiple accounts through a picture uploader? The main problems in this scenario were a lack of network segmentation and a lack of understanding that FTP is inherently insecure (it sends log-in credentials and file contents unencrypted). The web-hosting service shouldn't have used FTP, and it should have segmented its customers' accounts. (Segmentation is the act of using firewall technology to compartmentalize network areas that contain sensitive information—like customer credit cards—from those that don't.)

Moral: Don't invite hackers to waltz into your corporate server.
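What "segmented" means in firewall terms is easiest to see as a rule set. The script below is an added example, not code from the author or from any hosting provider: it models zones and first-match firewall rules with a default deny, then audits two constructed rule sets, a flat one in which the upload server sits on the same segment as the cardholder data environment (CDE) and FTP is allowed, and a segmented one in which only an admin zone reaches the CDE on a single port and uploads use SFTP. The zone names, ports and rules are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Services that carry credentials and data unencrypted; allowing them anywhere is a finding.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet"}

# Ports probed when asking whether one zone can reach another (constructed subset).
PROBE_PORTS = (21, 22, 80, 443, 3389, 5900)


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.src == src and rule.dst == dst and rule.port in (None, port):
            return rule.action
    return "deny"


def audit_segmentation(rules, zones, cde_zone, allowed_sources):
    """Report zones that can reach the CDE without being on the allow list,
    and any path on which a cleartext protocol is permitted."""
    findings = []
    for src in zones:
        if src == cde_zone or src in allowed_sources:
            continue
        for port in PROBE_PORTS:
            if decide(rules, src, cde_zone, port) == "allow":
                findings.append(f"{src} can reach {cde_zone} on port {port}")
    for src in zones:
        for dst in zones:
            for port, service in CLEARTEXT_SERVICES.items():
                if decide(rules, src, dst, port) == "allow":
                    findings.append(f"cleartext {service} allowed from {src} to {dst}")
    return findings


# Constructed zones modelled on the hosting story: a customer upload zone, the back office,
# an admin jump zone, and the cardholder data environment (CDE) holding checkout data.
ZONES = ("guest_wifi", "office", "upload", "admin", "cde")

# Flat network: the upload server has unrestricted access to the CDE and FTP is allowed.
FLAT_RULES = [
    Rule("upload", "cde", None, "allow"),
    Rule("office", "upload", 21, "allow"),
    Rule("admin", "cde", 443, "allow"),
]

# Segmented network: only the admin zone reaches the CDE, on one port; uploads use SFTP (22).
SEGMENTED_RULES = [
    Rule("admin", "cde", 443, "allow"),
    Rule("office", "upload", 22, "allow"),
]

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        findings = audit_segmentation(rules, ZONES, "cde", {"admin"})
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

The flat rule set produces nine findings (the upload zone reaching the CDE on every probed port, plus the FTP and telnet paths the "any port" rule leaves open); the segmented one produces none. The same evaluator can be pointed at an export of your own firewall rules once they are mapped onto zones.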
3) Compromise is just a password away. An unfortunate franchisee with hundreds of high-dollar restaurants hired an IT company to configure its remote access systems across multiple locations.

Remote access, the ability to access a computer or server from a different location, is often used in mid-sized to large organizations for employees who need access to shared files and company networks, or by business owners logging in from home or the road to view the day's receipts. Popular remote access applications include pcAnywhere, VNC, LogMeIn, and TeamViewer.

The IT company configured the remote access application with the same single user name and password for each restaurant location. Once a hacker discovered the user name and password for one location, he was then able to download malware into all of the restaurants' POS systems. This resulted in the theft of thousands of customer credit cards.

This hack could easily have been prevented if the franchisee had complied with the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all remote access into the cardholder environment requires two-factor authentication. This means that in addition to entering a user name and complex password, you must also complete a second secure login step, such as physically calling an onsite manager to be granted a remote session, entering a one-time authentication code sent to a specific cell phone, or matching unique client-side certificate files.

Moral: Remote access is only as secure as its authentication.
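The second login step the column describes can be seen end to end in code. The script below is an added example, not code from the author, from SecurityMetrics or from any of the remote access products named above. It uses a time-based one-time code (TOTP, RFC 6238) generated by an app on the manager's phone rather than a code sent by text message, which is a variant of the phone-based factor the text mentions; the gateway logic (`remote_login`), the user store and the user name are constructed for illustration, and the seed `RFC_TEST_SECRET` is the published RFC 6238 test seed so the codes can be checked against the RFC's tables.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30     # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, submitted, at_time, window=1):
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    The comparison is constant-time so the check does not leak matching digits."""
    counter = at_time // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def make_user(password, totp_secret):
    """Constructed user store entry: salted PBKDF2 hash of the password plus the TOTP seed."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def remote_login(users, username, password, code, at_time):
    """Hypothetical gateway check: grant the session only when BOTH factors verify."""
    user = users.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)  # evaluated even if the password failed
    return password_ok and code_ok


# RFC 6238's published test seed, used so the generated codes can be checked against the RFC.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time
    users = {"manager": make_user("Pepperoni!2014x", RFC_TEST_SECRET)}
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)   # what the manager's authenticator app would display
    print("password only:", remote_login(users, "manager", "Pepperoni!2014x", "000000", now))
    print("both factors: ", remote_login(users, "manager", "Pepperoni!2014x", code, now))
```

With a single shared password, as in the franchisee's setup, one leaked credential opens every location; here a correct password with a missing or stale code is refused, and each location's seed would be issued separately, so a code captured at one site does nothing at another.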
In my experience, these scenarios highlight common problems in franchise credit card security. I encourage you to check your system to look for one or more of these security vulnerabilities. Look for default or non-complex passwords, install security patches and updates, configure your payment application securely, segment your credit card processing network from all other networks, and ensure that your remote access requires two-factor authentication.
David Ellis is forensics investigation director at SecurityMetrics and has more than 25 years of security experience. SecurityMetrics is a data security and compliance company offering security consulting, products, and services for businesses worldwide. For more information, visit securitymetrics.com or call 801-995-6858.