Even if you don’t speak French, there’s one famous saying you’ve probably heard.
Plus ça change, plus c’est la même chose.
It’s an epigram from 19th century French author and wit Jean-Baptiste Alphonse Karr, and it’s usually translated as “the more things change, the more they stay the same.”
In computer security, especially where data breaches are concerned, it really means, “What, AGAIN?”
Indeed, to continue in French, the latest data breach story from US food franchise Jimmy John’s and 108 other businesses will give you a disconcerting feeling of déjà vu.
Meaning that we’ve seen it all before.
Jimmy John’s problem
This latest tale of woe first hit the news back in July 2014, when it looked as though Jimmy John’s had a problem that came to light in fraud patterns noticed by US financial institutions.
Simply put, if your company shows up in a lot more card fraud complaints than the average, it’s a good guess that card data is being stolen from your network by industrial-scale cybercriminality.
These days, that usually means RAM scraping malware on all your cash registers, at least in the USA.
That’s because many, if not most, US merchants still use point-of-sale (PoS) devices that simply read the data off the magnetic stripe on your card.
The magstripe data is then transferred unencrypted to the PoS cash register, usually a Windows computer.
Even if the cash register software is careful to encrypt the card data before saving it to disk or sending it across the network, the data pops up briefly in memory, where enterprising malware can spot it and steal it.
Even data from cards that are declined, or have already expired, or are being swiped to receive a refund, will be sucked up by this technique.
Breach notification
It took a long time, but about two months later, Jimmy John’s officially documented its data breach.
It’s a story we’ve heard before:
[I]t appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014.
Of course, if the point-of-sale vendor had remote access to one customer’s network, perhaps it had access to others, too?
And if one lot of stolen credentials could get the crooks into hundreds of different franchises in the Jimmy John’s ecosystem, perhaps the same credentials could open doors at those other customers, too?
Sadly, according to the next-level-up breach notice from Signature Systems, the point-of-sale vendor concerned, that’s what happened:
We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems. The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants.
The company doesn’t say which remote access software it used, and indeed that’s a detail that hardly matters, though Remote Desktop Protocol (RDP) is both a common and popular choice.
The initial paragraph of the Signature Systems report suggests that the problem was dealt with quickly:
We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant’s anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures.
But for all that the investigation began “immediately” on 30 June 2014, Signature Systems’ list of breached customers shows that the earliest malware removal after this date didn’t happen until 17 July 2014.
Some customers weren’t cleaned up until 18 September 2014; others are still in an unknown state, and “the investigation to determine this latest at risk date is ongoing.”
Remote access irony
Ironically, the one thing that really ought to make it easier and faster to keep rogue software in check on a customer’s PoS network…
…is a remote access tool that lets you perform administrative tasks from afar.
Indeed, you can just imagine a sales representative pitching this as a distinct advantage of allowing remote access in the first place.
But remote access is a double-edged sword that needs wielding carefully.
What to do?
What can you do if you are a merchant who has outsourced your payment card processing?
How can you tell if your PoS vendor has a single remote access password for everywhere, like Signature Systems seems to have done?
PoS vendors who insist on remote access to your network should be able to answer at least the following questions to your satisfaction:
- What technology they use (e.g. RDP).
- How they secure it (e.g. with two-factor authentication).
- Who has access (e.g. vetted support technicians only).
- What they use it for (e.g. installing updates).
- How they keep access to your network separate from other customers.
- How access by their staff is reviewed (e.g. what they do with the logs).
- How quickly you will be told if irregularities are spotted.
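As an added example, not code from the article or from any vendor named in it, here is the sort of review the last two questions imply: checking a vendor’s remote logons against an agreed source allow-list and maintenance window, and flagging one credential being used against many stores in a short time (the pattern behind the breach above). The account name, IP addresses, window and sample records are all constructed for illustration.

```python
# Added example: reviewing remote-access logon records for a PoS vendor account.
# Every name, address and record below is hypothetical/constructed.
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records: (timestamp, store host, account, source IP)
SAMPLE_LOGONS = [
    ("2014-07-01T02:10:00", "pos-store-012", "vendor_support", "203.0.113.10"),
    ("2014-07-01T02:12:00", "pos-store-045", "vendor_support", "203.0.113.10"),
    ("2014-07-01T03:40:00", "pos-store-045", "vendor_support", "198.51.100.7"),
    ("2014-07-01T23:05:00", "pos-store-101", "vendor_support", "203.0.113.10"),
    ("2014-07-01T23:06:00", "pos-store-102", "vendor_support", "203.0.113.10"),
    ("2014-07-01T23:07:00", "pos-store-103", "vendor_support", "203.0.113.10"),
]

VENDOR_ACCOUNT = "vendor_support"          # hypothetical shared support account
VENDOR_SOURCE_IPS = {"203.0.113.10"}       # hypothetical allow-list agreed with the vendor
WINDOW = (time(1, 0), time(5, 0))          # hypothetical agreed maintenance window
FANOUT_LIMIT = 2                           # max distinct stores per source IP per hour


def review_vendor_logons(logons):
    """Return a list of (reason, details) findings a merchant should ask the vendor about."""
    findings = []
    stores_per_hour = defaultdict(set)
    for ts, host, account, src in logons:
        if account != VENDOR_ACCOUNT:
            continue
        when = datetime.fromisoformat(ts)
        if src not in VENDOR_SOURCE_IPS:
            findings.append(("unexpected source IP", (ts, host, account, src)))
        if not (WINDOW[0] <= when.time() < WINDOW[1]):
            findings.append(("outside maintenance window", (ts, host, account, src)))
        # Group by source address and calendar hour to spot one credential fanning out
        stores_per_hour[(src, when.strftime("%Y-%m-%dT%H"))].add(host)
    for (src, hour), hosts in stores_per_hour.items():
        if len(hosts) > FANOUT_LIMIT:
            findings.append(("one credential fanned out to many stores", (hour, src, sorted(hosts))))
    return findings


if __name__ == "__main__":
    for reason, details in review_vendor_logons(SAMPLE_LOGONS):
        print(f"{reason}: {details}")
```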
Don’t be afraid to ask.
If you are giving an outsider the keys to your commercial kingdom, you should expect informative and educational answers!
Why oh Why? Why do we still have POS or any other systems for that matter, directly and permanently connected to the Internet? Implement network segregation and firewalling. Your POS is on its own isolated network, connects to the credit card processing server ONLY (be it firewall, proxy, something that lets only THAT through). When you need your vendor to remote in, challenge them. If they really need to remote in, then allow the remote access only for that time period. If you use RDP, then you only allow the vendor’s IP through, and only for that period.
You don’t need to hire a “leading security firm” – you just need to stop being … well stupid.
It’s a POS computer for crying out loud, not where you’re going to be posting on Facebook so why give it all the access in the world?
Typically, companies that outsource their card payment systems do so partly because they don’t understand the technology and they don’t want to. What IT staff they have are probably overworked, underfunded, ignored, and don’t get time or money from the company to bolster their training.
It is very common for companies to neglect the essential infrastructure their business relies on, especially if management doesn’t directly understand it. It’s the same reason businesses are so much more willing to spend $6k on a server than $500 to make the server room an organized and safe place to work in (for people or servers). Security is even worse because it’s harder to see, harder to understand, and doesn’t kill enough people for society to care (death rates being the only reason we have fire codes or sewage systems).
I (almost) completely agree. One point: It’s still a good idea to have a security firm or contractor give your systems a look periodically. Even the best of us make mistakes, mistakes which another pair of eyes might catch.
The White House/Secret Service breach of a few days ago is a good example. This is despite the fact that it’s physical security, not informational. The principle is the same: They should be hiring unrelated security people to test their security.
In the case of Jimmy John’s, “unrelated” means a security contractor not directly employed by Jimmy John’s. In the case of the White House, it should be someone not part of the Secret Service. (I would argue not even part of the government, but that’s asking a lot, so just have the FBI or the CIA do it.)
Heck, they don’t even have to be all that good. Intruders almost always target low-hanging fruit. There’s just so darned many low-hangers that they don’t need to work all that hard to attain their goal.