Sandwich Hack: Extra Cheese, Hold the Credit Card Data Please

Posted by Doug Picotte on Fri, Jan 06, 2012 @ 08:11 AM

I often wonder, when I hand my credit card to a restaurant server or the kid behind the fast food counter, whether my card data is really being protected. You always hear the horror stories of the service employee copying card numbers in the back room for later fraudulent use. For as little as $25, anyone can buy a card reader that either stands alone or plugs into an iPhone or other smart device. This brings me to today’s subject. You may have recently heard of a security incident involving a high profile sandwich shop chain that resulted in the loss of credit card information. I won’t disclose the name, but we can all tell by the picture below. This incident involved about 150 sandwich shops and over 80,000 customers.

Low Tech Sandwich Making (and Hacking)

Just as sandwich making is “low tech”, so were the alleged hacking methods of our eastern European friends. (The US District Court in New Hampshire has indicted four Romanian individuals in this particular case.) The attack was simple: scan for low hanging fruit, brute force a login to the exposed POS system, install malware and extract the card data. Once the card data was gathered, the attackers used it to produce counterfeit cards and went on a spending spree. Whatever data they did not use themselves was sold off to other criminals.

Hacking Details (Secret Sauce)

Targeted Port Scans:

The hackers performed targeted port scans looking specifically for Internet-facing POS systems with remote desktop services enabled. This is a huge “no no” in terms of both PCI DSS requirements and general security best practice: a POS terminal should not be reachable from the Internet at all, and remote administration should be disabled in most cases. Where remote access is genuinely needed, restrict it to known source addresses, require two-factor authentication (PCI DSS Requirement 8.3 mandates it for remote network access) and carry it over an encrypted channel such as a VPN rather than exposing the service directly.

Brute Force Login:

Once the vulnerable systems were identified, the hackers simply needed to log in to compromise them. It still amazes me how often default passwords are left unchanged, or changed to obvious words such as “password”, “qwertyui” or “12345678” because they are easier to remember (and, unfortunately, just as easy to guess). Against an Internet-facing remote desktop service, a short list of such passwords is all an attacker needs.
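The first two stages above, scanning for exposed remote desktop and brute forcing the login, leave a very recognizable trail in the Windows Security log of the POS host: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. a Remote Desktop session) from one source address, followed by a successful logon (Event ID 4624) from that same address. The script below is an added example, not code from the original post or from any vendor mentioned in it. It runs a sliding-window check over a constructed, simplified log in a made-up one-line-per-event layout (real exports are XML or CSV with far more fields), so the field names, the sample addresses and the five-failures-in-two-minutes threshold are all assumptions for illustration.

```python
"""Detect an RDP brute-force burst followed by a successful logon.

Added example, not from the original post. Input is a constructed,
simplified view of Windows Security events (the field names and the
one-line-per-event layout are assumptions for this example):
  EventID 4625 = failed logon, 4624 = successful logon,
  LogonType 10  = RemoteInteractive, i.e. a Remote Desktop session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for one POS host: an attacker at 198.51.100.7
# guesses passwords until one works, and a store manager mistypes once.
SAMPLE_LOG = """\
2012-01-03T02:14:01 EventID=4625 LogonType=10 Src=198.51.100.7 User=Administrator
2012-01-03T02:14:03 EventID=4625 LogonType=10 Src=198.51.100.7 User=Administrator
2012-01-03T02:14:05 EventID=4625 LogonType=10 Src=198.51.100.7 User=pos
2012-01-03T02:14:07 EventID=4625 LogonType=10 Src=198.51.100.7 User=pos
2012-01-03T02:14:09 EventID=4625 LogonType=10 Src=198.51.100.7 User=pos
2012-01-03T02:14:12 EventID=4624 LogonType=10 Src=198.51.100.7 User=pos
2012-01-03T09:02:44 EventID=4625 LogonType=10 Src=192.168.1.20 User=manager
2012-01-03T09:02:58 EventID=4624 LogonType=10 Src=192.168.1.20 User=manager
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window trigger an alert
RDP_LOGON_TYPE = 10


def parse_line(line):
    """Turn one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in log order.

    'brute_force': a source accumulated `threshold` failed RDP logons
                   within `window`.
    'success_after_brute_force': that same source then logged on
                   successfully within `window` of being flagged, which is
                   the point at which the host should be treated as
                   compromised rather than merely attacked.
    """
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    flagged_at = {}                     # src -> time its burst was flagged
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["LogonType"] != RDP_LOGON_TYPE:
            continue                    # console/service logons are out of scope here
        src, ts = rec["Src"], rec["ts"]
        if rec["EventID"] == 4625:
            fails = recent_fails[src]
            fails.append(ts)
            while fails and ts - fails[0] > window:   # drop failures outside the window
                fails.popleft()
            if len(fails) >= threshold and src not in flagged_at:
                flagged_at[src] = ts
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(fails), "at": ts})
        elif rec["EventID"] == 4624:
            if src in flagged_at and ts - flagged_at[src] <= window:
                alerts.append({"type": "success_after_brute_force", "src": src,
                               "user": rec["User"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is, it raises two alerts for the constructed source 198.51.100.7 (the burst, then the successful logon as user pos) and none for the manager's single mistyped password. The threshold is deliberately low: a POS terminal should see almost no remote logons at all, so on such a host even one RDP logon from an address outside the franchise's management network is worth an alert on its own.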

Malware Installation:

Once a system was compromised, the hackers installed keylogging and backdoor utilities to capture the credit card information on the terminal. Apparently, they also installed software to block further security updates, which kept the hole they came in through open.

Credit Card Data Extraction:

One interesting piece here is that the hackers used “FTP dump” sites to stage the stolen data. In this case the operators of those FTP hosts cooperated with the investigation.

The Bottom Line

Apparently, the franchise owners in this case had been given security guidelines that would have prevented this type of incident. Unfortunately, it appears those guidelines were largely ignored. I chalk this up to the age old saying: “I am a (insert business type here), who would want to steal anything I have?” All of this may have been avoided by following some basic security practices:

•    Understand the true value of exactly what data you have in your environment (i.e., credit card data)
•    Determine the compliance standards that are appropriate to that data and your business
•    Perform a compliance based gap assessment of your environment
•    Remediate any gaps associated with the assessment
•    Avoid a “checkbox” security compliance approach; be honest with yourself about the real world threats and how they may affect your business
•    Blend a reasonable risk based security best practices approach along with compliance requirements applicable to your business
•    Do not develop a false sense of security that the hackers don’t want what you have

Until Next Time

Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the tunes, and stay secure!
