Point-of-Sale vendor loses password, causes breaches at 324 US restaurants

Even if you don’t speak French, there’s one famous saying you’ve probably heard.

Plus ça change, plus c’est la même chose.

It’s an epigram from 19th century French author and wit Jean-Baptiste Alphonse Karr, and it’s usually translated as “the more things change, the more they stay the same.”

In computer security, especially where data breaches are concerned, it really means, “What, AGAIN?”

Indeed, to continue in French, the latest data breach story from US food franchise Jimmy John’s and 108 other businesses will give you a disconcerting feeling of déjà vu.

Meaning that we’ve seen it all before.

Jimmy John’s problem

This latest tale of woe first hit the news back in July 2014, when fraud patterns noticed by US financial institutions suggested that Jimmy John’s had a problem.

Simply put, if your company shows up in a lot more card fraud complaints than the average, it’s a good guess that card data is being stolen from your network by industrial-scale cybercriminals.

These days, that usually means RAM scraping malware on all your cash registers, at least in the USA.

That’s because many, if not most, US merchants still use point-of-sale (PoS) devices that simply read the data off the magnetic stripe on your card.

The magstripe data is then transferred unencrypted to the PoS cash register, usually a Windows computer.

Even if the cash register software is careful to encrypt the card data before saving it to disk or sending it across the network, the data pops up briefly in memory, where enterprising malware can spot it and steal it.

Even data from cards that are declined, or have already expired, or are being swiped to receive a refund, will be sucked up by this technique.
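To make the RAM scraping point concrete, here is an added illustration (not code from the original article, nor from any of the companies named) of what such malware has to do once it is running on the register: scan memory for the Track 1 and Track 2 layouts defined by ISO/IEC 7813, keep only digit runs that pass the Luhn check so that timestamps and order numbers are discarded, and record the card whether or not it is expired, because the scraper sees the swipe, not the authorisation result. The same logic is what a defender would run over a memory dump when checking whether a register leaks card data. The memory image, the "approved"/"declined"/"refund" markers and the PANs (issuer test numbers, not real cards) are constructed for the example, and the date is the one Signature Systems gives for its first alert.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List

# Magstripe track layouts (ISO/IEC 7813) as the reader emits them and as they sit,
# briefly, in the cash register's memory:
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

ALERT_DATE = date(2014, 7, 30)  # the day Signature Systems says it was first alerted


@dataclass(frozen=True)
class CardRecord:
    pan: str
    expiry_yymm: str
    track: int
    expired: bool


def luhn_ok(pan: bytes) -> bool:
    """Luhn check digit (ISO/IEC 7812): double every second digit from the right,
    subtract 9 from any result above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_expired(yy: bytes, mm: bytes, today: date) -> bool:
    """A card is valid through the last day of the month printed on it."""
    return (2000 + int(yy), int(mm)) < (today.year, today.month)


def mask_pan(pan: str) -> str:
    """Defensive reporting: show only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape(memory: bytes, today: date) -> List[CardRecord]:
    """Return every Luhn-valid track record found in a memory image, expired or not."""
    found: List[CardRecord] = []
    for m in TRACK1_RE.finditer(memory):
        pan, yy, mm = m.group(1), m.group(3), m.group(4)
        if luhn_ok(pan):
            found.append(CardRecord(pan.decode(), (yy + mm).decode(), 1, is_expired(yy, mm, today)))
    for m in TRACK2_RE.finditer(memory):
        pan, yy, mm = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            found.append(CardRecord(pan.decode(), (yy + mm).decode(), 2, is_expired(yy, mm, today)))
    return found


# Constructed memory image: three swipes caught in their plaintext moment, plus noise.
SAMPLE_MEMORY = (
    b"\x00\x10POS v3.2 txn=20140702101533 \x00\x00"
    b"%B4111111111111111^DOE/JANE^1512101000000000000?"   # track 1, valid until Dec 2015
    b"\x00\xff\x00approved\x00"
    b";5500000000000004=1401101123456789?"                # track 2, expired Jan 2014: still taken
    b"\x00declined\x00"
    b";4111111111111112=1612101000000000?"                # track-2 look-alike that fails Luhn
    b"\x00\x00refund\x00"
    b";4012888888881881=1709101000000000?"                # track 2, refund swipe: still taken
    b"\x00ciphertext:\x8a\x1f\x09\x00"                    # the encrypted copy is no use to the scraper
)


def scan_sample() -> List[CardRecord]:
    return scrape(SAMPLE_MEMORY, ALERT_DATE)


if __name__ == "__main__":
    for rec in scan_sample():
        status = "expired" if rec.expired else "valid"
        print(f"track {rec.track}: {mask_pan(rec.pan)} exp {rec.expiry_yymm} ({status})")
```

Note what is and is not caught: the declined card and the refund swipe are harvested just like the approved one, while the Luhn filter drops the look-alike, which is why scrapers collect so little noise.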

Breach notification

It took a long time, but about two months later, Jimmy John’s officially documented its data breach.

It’s a story we’ve heard before:

[I]t appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014.

Of course, if the point-of-sale vendor had remote access to one customer’s network, perhaps it had access to others, too?

And if one lot of stolen credentials could get the crooks into hundreds of different franchises in the Jimmy John’s ecosystem, perhaps the same credentials could open doors at those other customers, too?

Sadly, according to the next-level-up breach notice from Signature Systems, the point-of-sale vendor concerned, that’s what happened:

We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems. The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants.

The company doesn’t say which remote access software it used, and that’s a detail that hardly matters, though Remote Desktop Protocol (RDP) is a common and popular choice.

The initial paragraph of the Signature Systems report suggests that the problem was dealt with quickly:

We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant’s anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures.

But for all that the investigation began “immediately” on 30 June 2014, Signature Systems’ list of breached customers shows that the earliest malware removal after this date didn’t happen until 17 July 2014.

Some customers weren’t cleaned up until 18 September 2014; others are still in an unknown state, and “the investigation to determine this latest at risk date is ongoing.”

Remote access irony

Ironically, the one thing that really ought to make it easier and faster to keep rogue software in check on a customer’s PoS network…

…is a remote access tool that lets you perform administrative tasks from afar.

Indeed, you can just imagine a sales representative pitching this as a distinct advantage of allowing remote access in the first place.

But remote access is a double-edged sword that needs wielding carefully.

What to do?

What can you do if you are a merchant who has outsourced your payment card processing?

How can you tell if your PoS vendor has a single remote access password for everywhere, as Signature Systems seems to have done?

PoS vendors who insist on remote access to your network should be able to answer at least the following questions to your satisfaction:

  • What technology they use (e.g. RDP).
  • How they secure it (e.g. with two-factor authentication).
  • Who has access (e.g. vetted support technicians only).
  • What they use it for (e.g. installing updates).
  • How they keep access to your network separate from other customers.
  • How access by their staff is reviewed (e.g. what they do with the logs).
  • How quickly you will be told if irregularities are spotted.

Don’t be afraid to ask.

If you are giving an outsider the keys to your commercial kingdom, you should expect informative and educational answers!
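The last three questions on the list are about review, so here is an added example (not from the original article, and not anything Signature Systems is known to run) of the kind of check a vendor, or the security firm it engages, can make over its own remote-access records: events modelled on Windows Security event 4624 with LogonType 10 (RemoteInteractive, i.e. RDP), tested against the vendor’s declared source address range and maintenance window, plus a count of how many customer sites each credential opens. The address range, the window, the account names and the events themselves are assumed or constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

RDP_LOGON_TYPE = 10  # Windows Security event 4624, LogonType 10 = RemoteInteractive (RDP)

# Assumed vendor commitments, hypothetical values for this example:
VENDOR_NETS = [ip_network("203.0.113.0/24")]   # declared support-desk egress range (TEST-NET-3)
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))   # agreed window for remote maintenance, local time
MAX_SITES_PER_CREDENTIAL = 1                    # one remote-access credential per customer site


@dataclass(frozen=True)
class Logon:
    when: datetime
    site: str        # the customer / restaurant whose PoS host logged the event
    account: str
    source_ip: str
    logon_type: int


def review(events: List[Logon]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for RDP logons that break the vendor's commitments."""
    findings: List[Tuple[str, str]] = []
    sites_by_account: Dict[str, Set[str]] = defaultdict(set)
    start, end = MAINTENANCE_WINDOW
    for e in events:
        if e.logon_type != RDP_LOGON_TYPE:
            continue  # console and network logons are reviewed elsewhere
        sites_by_account[e.account].add(e.site)
        where = f"{e.site}: {e.account} from {e.source_ip} at {e.when:%Y-%m-%d %H:%M}"
        if not any(ip_address(e.source_ip) in net for net in VENDOR_NETS):
            findings.append(("unknown-source", where))
        if not (start <= e.when.time() < end):
            findings.append(("outside-window", where))
    # The Signature Systems pattern: one credential that opens many customers' doors.
    for account, sites in sorted(sites_by_account.items()):
        if len(sites) > MAX_SITES_PER_CREDENTIAL:
            findings.append(("shared-credential",
                             f"{account} used at {len(sites)} sites: {', '.join(sorted(sites))}"))
    return findings


# Constructed events: two routine vendor sessions (but with one credential at two
# sites), one session from an unknown address in the afternoon, and a local cashier
# logon (LogonType 2) that the RDP review ignores.
SAMPLE_EVENTS = [
    Logon(datetime(2014, 7, 2, 2, 15), "store-0101", "svc_posvendor", "203.0.113.10", 10),
    Logon(datetime(2014, 7, 2, 2, 40), "store-0102", "svc_posvendor", "203.0.113.10", 10),
    Logon(datetime(2014, 7, 3, 14, 5), "store-0101", "svc_posvendor", "198.51.100.77", 10),
    Logon(datetime(2014, 7, 3, 14, 6), "store-0101", "cashier", "127.0.0.1", 2),
]


def review_sample() -> List[Tuple[str, str]]:
    return review(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in review_sample():
        print(f"[{rule}] {detail}")
```

The third rule is the one that matters most for the story above: a source-address or time-of-day check can only be evaded by an attacker who knows the vendor’s habits, but a credential that works at every site turns one stolen password into hundreds of breaches, and only the party that holds the logs for all those sites can see that pattern.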


Image of magstripe swipe courtesy of Shutterstock.