These three businesses had no idea it was coming.

David Ellis, Director of Forensic Investigations
By: David Ellis
This article was also featured in Multi-Unit Franchisee: “Prevent Hacking Horror Stories

We hear hacking horror stories every day. Businesses around the world call us in a panic, needing to decipher what went wrong with their security. I thought I’d share some details from actual incidents. Unfortunately, these miscues are common in many small businesses. My hope is, after reading about these security failures, you will see actions you can take to enhance your own security.

SEE ALSO: What To Do If Your Business is Hacked, Step By Step

#1: Pass the pepperoni and passwords, please

This first incident involved several small pizza chains that utilized the same restaurant management software, and point of sale (POS) hardware/software. Sadly, hundreds of those restaurants were hacked.

Once each restaurant’s POS system was configured, the local restaurant owners did not change the default POS password set by the payment application vendor. A hacker easily deduced the password, infiltrated each POS system and installed a memory scraper.

SEE ALSO: Vendor-Supplied Defaults Are a Serious Threat

A memory scraper is malware (malicious software) designed to ‘scrape’ sensitive information from system memory (RAM). This memory scraper was specifically designed to scrape customer credit card information from each restaurant’s POS system. Thousands of pizza-lovers’ credit cards were stolen.

Moral: Don’t leave your passwords in their default state

It’s typical for POS terminals and other software/hardware solutions to begin their lifecycle with default passwords. Default passwords make it easy for IT vendors to install a system without learning a new password each time. The problem is that default passwords are often simple to guess, and many are even published on the Internet.
Passwords should be changed every 90 days, contain at least 10 upper AND lower case letters, AND numbers, AND special characters. Passwords that fall short of these criteria can usually be broken using a password-cracking tool.
Tweet: Passwords without these criteria can usually be broken using a password-cracking tool. http://bit.ly/1u78G6Z via @SecurityMetricsTweet
SEE ALSO: HIPAA Compliant Passwords

#2: A picture is worth a thousand hacks

A popular website hosting service gave customers the ability to log in to their corporate server to upload website images through the file transfer protocol (FTP) feature. An attacker hacked the FTP upload and uploaded malicious code onto the host’s servers.
Because the web-hosting service had access to each of its customers’ websites, every client website was infected with malware designed to capture credit card information from checkout pages.

Moral: Don’t invite customers to waltz into your corporate server

Why was the hacker able to access credit card information in multiple accounts through a picture uploader? The main problems in this scenario were a lack of network segmentation and lack of understanding that FTP is inherently insecure. The web-hosting service shouldn’t have utilized FTP, and should have segmented their customer’s accounts from one another.

Segmentation is the act of using firewall technology to compartmentalize network areas that contain sensitive information (like customer credit cards) from those that don’t.


#3: Compromise is just a password away

An unfortunate franchisee with hundreds of high dollar restaurants hired an IT company to configure their remote access systems across multiple locations.

Remote access is the ability to access a computer or server from a remote location. It’s often used in mid-large organizations among employees who need access to shared files and company networks, or by business owners logging in from home to view the day’s receipts. Popular remote access applications include pcAnywhere, VNC, LogMeIn, TeamViewer.

SEE ALSO: Securing Remote Access in Healthcare Environments

The IT company configured the remote access application with a single username and password authentication for each restaurant location. Once a hacker discovered the username and password for one location, he was then able to download malware into all of the restaurant’s POS systems. This resulted in the theft of thousands of customer credit cards.

Moral: Remote access is only as secure as its authentication

This hack could easily have been prevented if the franchisee had complied with the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all remote access into the cardholder environment requires two-factor authentication. This means in addition to entering a username and complex password, you must also complete a second secure login step, such as physically calling an onsite manager to be granted a remote session, entering a one-time authentication code sent to a specific cell phone, or matching unique client-side certificate files.

Summary

In my experience, these scenarios highlight common problems in small business credit card security. I encourage you to check your system to see if one or more of these security vulnerabilities exist. Look for default or non-complex passwords, install security patches and updates, configure your payment application securely, segment your credit card processing network from all other networks, and ensure your remote access requires two-factor authentication.

If you liked this post, please share!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

Monday, September 8, 2014