I can only imagine: You’ve spent years studying the culinary arts, slaved as a cook in other restaurants and finally achieved Sous Chef stripes; then, convinced family members to give you the working capital to open your own establishment. The reviews have been kind and after a full-year, you’re turning the tables each night. … In the blink of an eye, the dream evaporates. Your bank just called to inform you that your restaurant and merchant account has been identified as a common point-of-purchase in a cardholder data compromise. But you feel this must be someone else’s issue. You originally leased the restaurant management and point-of-sale system from a local IT company. “Surely, they’re responsible for my restaurant’s safety.”
This common story is replayed every month or so in the cases we get. The attacks are not just of large chains or massive resorts. They experience problems too. The sad fact is that a lot of small, mom-and-pop retail outlets and restaurants are attacked and compromised every month.
“Why me?” I hear with each of these cases.
For the bad-actors, it’s a game of numbers. The more sites they attack; the more data they steal; the greater the spoils or their efforts.
In a recent case, where we examined a small restaurant POS system, the bad-actors actually activated the local security controls so that they could keep other attackers out of the system they compromised.
There are several common characteristics about the systems and technologies used in small retail and restaurant businesses.
- The restaurant environment is split between front-end terminals and printers and a back-of-the-house (BoH) server.
- A small SOHO or home router is used to link the various devices with the BoH, and the connection to the Internet is either based on cable-TV or a light-weight ADSL connection.
- The ADSL/cable router performs some filtering by default to try to protect the restaurant network.
- A local business provides IT support. These are value-added-resellers of the restaurant system and are small companies usually working in a specific city or region.
Given these characteristics, what is the opportunity for abuse and why are they attacked?
Let be note that the environment and the connections in and of themselves can be suitably secured. Further, the issue of the size of the local IT support company is really irrelevant. The prime issue is in implementation and deployment of the environment. As a chef, would you order used grease for your deep-fryer? Is that a hardware problem or some other problem?
Well, that’s the same situation in these small establishments. All too often, the IT company installs the equipment and uses a variety of remote-access tools to give themselves the ability to provide remote support. They may or may not keep the systems and devices patched. But, worse, the IT company frequently use simple passwords and shared accounts to access all of their customers. This means that once a bad-actor figures out how to gain access to one restaurant in a region, they get access to a whole bunch of sites.
The second most exploited vulnerability is frequently caused by the Chef or restaurant staff themselves. Sometimes I think that staff in small establishments just can’t keep their hands off the BoH server. They see it as a computer that just sits in the back room. The next thing they do is log-in to the server, open a browser, and start reading reviews or posting on social media or reading email. Invariably, the fall victim to a simple phishing attack, and the bad-actors are in.
Mechanics of the attack
Most of the attacks are automated and search for weaknesses in passwords or on device communications. Think of them as automated-scanners that just search the network to find common weaknesses. For that matter, a scanner may have snagged the credentials from a neighboring restaurant, and they got into your establishment because the IT company is the same and that IT-guy uses the same user-name and password to remotely access your restaurant.
The majority of the attacks are automated and very simple. Why try hard to break into a target when there is an abundance of weak targets out there. The answer as to “why me?” is most frequently — because you were selected at random and just won a lottery… Not, the Lottery. A lottery performed by a scanner.
How can you protect your restaurant or small retail business?
The official answer would be that you should be compliant with the PCI Data Security Standard — yes, all 428 individual requirements. That said, there are some basic things that can reduce the risk of being in the lottery.
- When you hire the IT company, make it very clear that they have to install some strong security controls and must never reuse any passwords or credentials.
- Make certain you IT company patches the system; and, you should check with them each month to make certain they did the job.
- Don’t re-use the BoH server for some other function. For that matter, don’t connect anything to the network that runs your restaurant. Get a separate connection from your phone company or cable company that you can use for a laptop or mobile device.
- Have the IT company limit access on the local, in-store network to static IP addresses ONLY! (We tech folks say, NO DHCP or dynamic wireless stuff). If you use wireless at the table, do it with remote EMV dip terminals only.
- Ask your bank or processor if they support PCI P2PE (point to point encryption). Although this locks you into that bank, it provides strong protection against common attacks on credit cards.
About the author
Tom Arnold (CISSP, ISSMP, CFS, CISA , GCFE-Gold, GNFA, PCI/PA QSA, PCI 3DS QSA, PCI ASV, Visa card production SA, Visa PIN SA, PCI PFI) is Vice President, Head of Forensics at NCC Group. He specializes in internal and external security assessments related to US and international standards. He leverages his payments background to evaluate and design security controls and secure systems that accept a variety of traditional and emerging consumer payment technologies. Among his clients are trans-global payment processors; over-the-air and traditional card production/ personalization companies; large multi-national retailers; consumer financial institutions; and global payment card brands. Prior to NCC Group, he served as VP of Product Development and Chief Software Architect for the Merchant Services Division of InfoSpace, Inc. Prior to that, he was the Chief Technical Officer for CyberSource Corporation, where he designed and deployed the full suite of Internet Commerce Services for the Company. In 1999, Arnold testified before the US Senate, Committee on Banking on the security and technology impact of the proposed Export Administration Act of 1999. Since that time, he has been consulted by numerous regulatory agencies including the Department of Commerce, Department of Treasury, Department of Justice and World Trade Organization, on topics of Internet commerce, digital rights management, identity theft, fraud, consumer protection and consumer privacy.