A supplier of point-of-sale (POS) equipment based in northwest US has informed its clients of a security breach in the remote access system it uses to log into clients’ networks, meaning hackers could have used the system to intrude into the clients’ machines and potentially harvest customer payment card data.
The vendor in question is Information Systems and Supplies Inc. (ISS), operating out of Vancouver, Washington state.
In mid-June ISS sent a letter to some of its clients detailing the breach in its LogMeIn remote access management account and warning them of the risk to their customers.
Although several news outlets have suggested that the breach may have affected a selection of big-brand restaurant chains supplied by the vendor, including Dairy Queen, no definitive details have been released concerning which of ISS’ customers may have been affected by the leaked LogMeIn access codes, and there has so far been no evidence that data was indeed taken, let alone used for fraud or identity theft.
The details of potential leak victims seem to be based only on the public list of client testimonials formerly published on the ISS website, which at the time of writing is rather shamefacedly blank but when last archived by the Wayback Machine (January 2013) showed a number of chains including Dairy Queen, Buffalo Wild Wings and Taco Time, as well as several smaller local food outlets.
It seems fairly likely that the breach originated with some sort of phishing attack on ISS to obtain their LogMeIn credentials.
With those in hand, it seems the attackers were then able to access client systems set up for remote access at will, with confirmed breaches on February 28th, March 5th and April 18th.
In their letter to clients, ISS insist they have reset their passwords and enabled “a secondary unique password” (read two-factor authentication) to prevent future intrusions, and advises anyone who suspects their card has been compromised to contact their bank ASAP.
This is pretty good advice at any time, and something people should do whether or not they’ve been dining at restaurants which may have had their digital backdoors nosed into by strangers.
There are lots of situations where a company may want to allow a third party to access their computer systems, to install or provision new software or hardware, to maintain or troubleshoot, to monitor and record.
Letting someone else do this means trusting them and requiring of them the same standards of security and caution you yourself uphold.
Letting them do it using an ongoing remote connection should mean the third party firm, their networks and all their employees are considered part of your own security environment, and should be checked and monitored as closely as possible.
In many circumstances this is simply not possible, especially when the client is a small business such as a chain restaurant franchise and the third party is a much larger provider servicing a large number of clients; the larger body tends to use its weight to push its own agenda and preferences, and the smaller party in the arrangement has to simply trust them to do things right.
In this case, it seems things weren’t done right at all. Phishing is of course notoriously hard to spot, especially highly focused spearphishing, but with something as sensitive as a remote access tool connected to POS systems security should be given highest priority, and 2FA is a basic requirement in such circumstances.
Quite by coincidence, LogMeIn’s company blog, mostly used to promote the company’s range of services, has featured a couple of security related posts in the last few days since the ISS story hit the news, one covering the dangers of phishing and how to avoid them, and another listing “Customer Security Tips” with 2FA top of the list.
2FA features are apparently available in all LogMein solutions, and should be enabled and used wherever possible, as they should in all services which provide this vital extra layer of security.
Even if you have every conceivable layer of security turned up to the max at your end, you could still be at risk if you’re letting other people mess with your stuff unsupervised.
So make sure you insist on proper security from all contractors and service providers, and check they’re doing everything they should be too.