Details revealed in court following the apprehension of two hackers who hit point-of-sale devices at 100 shops and retailers expose POS security vulnerabilities, Bank Info Security reports. The attacks pose an increasing concern to all of those involved in the payments industry.
The attacks compromised Internet-connected POS devices and systems operated by Subway and other merchants, affecting nearly 150,000 cards that have been linked to more than $10 million in fraud losses.
“This type of attack that affected Subway is exactly what everyone is worried about,” Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), told the news source. “You can be PCI compliant and have your devices PA-DSS [Payment Application Data Security Standard] approved. But if they leave networks open or default passwords in place, then they’re going to be breached.”
To help address those vulnerabilities, PCATS, the Coalition of Associations for Retail Data Security, and the National Restaurant Association are assisting merchants with their 8-Point Data Security Plan to mitigate risk. “At PCATS, we have developed a list of eight points for POS security,” Taylor said. “If Subway had these eight points, then it would not have been breached.”
Liz Garner, director of commerce and entrepreneurship at the NRA, said the association is working with PCATS and other organizations to help restaurants beef up security irrespective of their level of PCI compliance. “We’re trying to educate restaurateurs about security,” Garner told the news source. “They just need a simple guide that provides the very basics. PCI is too complex.”
Julian Dolan and Cezar Butu pleaded guilty to charges brought against them by the Department of Justice in 2011 for their involvement in the POS breach. In his court plea, Dolan said he remotely hacked POS systems on which payment card data was electronically stored, after scanning the Internet to identify U.S.-based POS systems that were vulnerable to attack because of their software applications.
Taylor said the case highlights an alarming trend. “It’s basically backdoor jiggling – using bots to scan the web, looking for door knobs to jiggle,” Taylor said. “That’s basically how they got into Subway, and it’s happening everywhere today. Anyone, retailers included, that’s connected to the Internet has the same vulnerabilities.”
He added that while PCI is designed to protect card data, it has proven too complicated for small merchants. The 8-Point Data Security Plan is intended to help Level 4 merchants (those processing fewer than 1 million transactions per year, as defined by Visa) by addressing the most basic security features, such as firewalls and two-factor authentication for remote access to POS devices and systems. (NACS: www.nacsonline.com)
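The conditions the article describes (remote-administration services on POS systems reachable from the Internet, default passwords left in place, and remote access without two-factor authentication) can be checked locally on a POS host before a scanning bot finds them. The script below is an added example written for this page; it is not part of the 8-Point Data Security Plan and is not code from PCATS, NACS or any vendor. It parses `ss -ltn` style listener lines and flags remote-admin ports bound to every interface, compares the remote-access account against a short list of generic defaults, and reports remote access that lacks a second factor. The port-to-service mapping, the default-credential list, and the sample listener output and host records are all constructed assumptions for illustration.

```python
"""Offline audit of a POS host's remote-access exposure (added example)."""
import re
from dataclasses import dataclass

# Remote-administration services commonly left reachable on POS systems.
# This port/service mapping is an assumption for illustration.
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "telnet", 3389: "RDP",
                      5631: "pcAnywhere", 5900: "VNC"}

# Generic factory-style defaults; an assumption for illustration only.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("administrator", ""), ("root", "root")}

# Local addresses that mean "every interface", i.e. Internet-facing if the
# host has a public address or a port forward.
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}

# Matches the State/Recv-Q/Send-Q/Local Address:Port columns of `ss -ltn`.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s")


@dataclass
class PosHost:
    name: str
    listen_lines: list      # `ss -ltn` output lines (constructed below)
    remote_user: str        # account used for remote administration
    remote_password: str
    remote_2fa: bool        # whether remote access requires a second factor


def exposed_admin_services(listen_lines):
    """Return [(port, service)] for remote-admin ports bound to all interfaces."""
    hits = []
    for line in listen_lines:
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header line or unparseable row
        addr, port = m.group("addr"), int(m.group("port"))
        if addr in ALL_INTERFACES and port in REMOTE_ADMIN_PORTS:
            hits.append((port, REMOTE_ADMIN_PORTS[port]))
    return hits


def audit(host):
    """Return a list of findings for one host; an empty list means all checks pass."""
    findings = []
    exposed = exposed_admin_services(host.listen_lines)
    for port, service in exposed:
        findings.append(f"{host.name}: {service} (tcp/{port}) listens on all "
                        "interfaces; restrict it with a firewall or bind it to "
                        "the management network")
    if (host.remote_user.lower(), host.remote_password) in DEFAULT_CREDENTIALS:
        findings.append(f"{host.name}: remote-access account "
                        f"'{host.remote_user}' still uses a default password")
    if exposed and not host.remote_2fa:
        findings.append(f"{host.name}: remote access is reachable without "
                        "two-factor authentication")
    return findings


# Constructed `ss -ltn` output for an unhardened register: RDP, VNC and SSH
# on every interface, plus a loopback-only database port that is fine.
SAMPLE_SS_OUTPUT = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port",
    "LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*",
    "LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*",
    "LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*",
    "LISTEN 0      128    [::]:22             [::]:*",
]

# Constructed host records: one as found, one after applying the controls.
UNHARDENED = PosHost("store-101-pos1", SAMPLE_SS_OUTPUT, "admin", "admin", False)
HARDENED = PosHost(
    "store-102-pos1",
    ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port",
     "LISTEN 0      128    127.0.0.1:3389      0.0.0.0:*"],  # reached only over VPN
    "admin", "Xk7!vQ2p#mL9", True)

if __name__ == "__main__":
    for host in (UNHARDENED, HARDENED):
        print(host.name, "->", audit(host) or ["no findings"])
```

Run it as-is to see five findings for the first host and none for the second; on a real register, feed `exposed_admin_services` the lines of `ss -ltn` (or the equivalent listener listing on Windows) and populate the host record from the remote-access configuration. Binding a service to loopback or a management address is a mitigation only if the firewall also blocks the port from the Internet, which this local check cannot see.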