Thursday, February 23, 2012

Retail Crime of the Future - Served with a Drink and Chips

By Amy Hanson, One Step Retail Solutions

News broke late last year about a “retail crime of the future”. Dating back to at least 2008, a small group of Romanian hackers has allegedly stolen credit card information through the POS systems of hundreds of small American businesses, adding up to more than 3 million dollars in fraudulent charges. The investigation is still pending, but the most serious attack targeted Subway franchises, with at least 150 of their locations reportedly compromised. The 4 suspects are in custody, per the most recent reports.

The attackers appear to have targeted certain POS “holes” through an essentially wide-open back door; a Trojan was then installed to give them ongoing easy access. Per the PCI Security Standards Council, those who process credit and debit payments must have two-factor authentication for remote access to a POS system. Not having this security measure in place is where these particular businesses and franchises appear to have gone wrong.

In this digital age it is vital that retailers protect their customers by being fully PCI compliant and establishing layered security measures. PCI goals include “Build and Maintain a Secure Network” and “Implement Strong Access Control Measures”, with some of the exact PCI requirements reading as follows:

“1. Install and maintain a firewall configuration to protect cardholder data…”
“10. Track and monitor all access to network resources and cardholder data.”

Did you know that reports show 56% of U.S. small businesses have experienced data breaches and 33% of all data breaches were directed at businesses with 100 employees or fewer? “The Subway credit card hack is unfortunately news that may happen with greater frequency,” says a FindLaw article about the recent 2008 to May 2011 hacks.

We highly recommend a layered approach, including installing a SonicWall firewall, which offers a powerful security platform. SonicWall provides integrated anti-virus and anti-spyware, which are updated every 5 minutes, thus providing real-time protection against a wide array of threats.

When you buy a SonicWall from One Step Retail, we configure it to be fully PCI Compliant. You also get:
• A business class device
• 3G failover: if your Internet connection ever goes down and you have a 3G wireless adapter attached to the firewall, your Internet will stay up.
• Content control to prevent employees from wasting time on sites like YouTube and Facebook.
• The ability to provide free Wi-Fi to your shoppers and a secure wireless zone for mobile applications and devices.
• Deep packet inspection of the entire content of information coming into the business via the Internet, instead of just the header or title.

"I don't know if Subway had unpatched vulnerabilities on its POS systems or what. But whatever merchants have to do, yikes, please do it." - Lisa Vaas of Sophos, antivirus software developer.

There is more to know about firewalls than you think. Get a free Security Consult:
http://onestepretail.com/Products/SecuritySuite/

Sources:
www.pcisecuritystandards.org
http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars
http://www.tgdaily.com/security-features/60147-arrests-made-over-subway-hack