As we get ready to put this issue of HT to bed, the tech blogs are lighting up with dialogue about the Romanians who in mid-September pleaded guilty to participating in a hacker ring that stole credit card data from hundreds of U.S. merchants, including Subway restaurants. From 2009 through 2011, the hackers stole data from more than 146,000 cards, amounting to $10 million-plus in losses.
The hackers gained access by first scanning the Internet to identify U.S.-based POS systems with certain remote desktop software installed, and then used the remote applications to log into the targeted POS, crack passwords, and snag credit card data via keystroke loggers or “sniffers.” Remote desktop software is often used by small businesses to enable tech support on their systems from off-site, and often third-party, providers.
Tech best practices tell us remote access is a vulnerable point of entry. We also know that passwords should be changed regularly and that default passwords should never be used. All too often, however, merchants’ systems are left exposed because these practices are not followed. PCI requirements are complex and U.S. payment technology is inherently vulnerable. Adding even more complexity, franchised environments are particularly susceptible when owners disregard corporate best practices.
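The breach described above turned on remote desktop logins that were guessed until one worked. One thing a merchant or its tech-support provider can do with the logs it already has is watch for exactly that pattern: a burst of failed remote logins from one source, and especially a successful login that follows such a burst. The script below is an added example written for this article, not code from the magazine or from any investigation of the Subway case; the log line format, host name, user names and the 203.0.113.x / 192.0.2.x addresses are constructed for illustration.

```python
"""Flag remote-desktop password guessing against a POS host from auth-log lines.

Added example. The log format is hypothetical: one line per login attempt,
"<ISO timestamp> <host> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six failures in seconds from one source, then a success
# from that same source, followed by ordinary activity from a staff workstation.
SAMPLE_LOG = """\
2011-03-04T02:14:01 pos-01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-04T02:14:03 pos-01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-04T02:14:06 pos-01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-04T02:14:09 pos-01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-04T02:14:12 pos-01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-04T02:14:15 pos-01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-04T02:15:20 pos-01 LOGIN_OK user=admin src=203.0.113.7
2011-03-04T08:59:40 pos-01 LOGIN_FAIL user=manager src=192.0.2.10
2011-03-04T09:00:02 pos-01 LOGIN_OK user=manager src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for (a) `threshold` or more failures from one source inside
    `window`, and (b) any successful login from a source that is in such a burst.
    The second case is the one worth paging someone about: the guessing worked."""
    recent_fails = defaultdict(list)   # src -> failure timestamps still inside window
    already_flagged = set()            # sources already reported for a burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        fails = recent_fails[src]
        # Expire failures that fell out of the sliding window.
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)
        if ev["event"] == "LOGIN_FAIL":
            fails.append(ev["ts"])
            if len(fails) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"kind": "password_guessing", "src": src,
                               "host": ev["host"], "failures": len(fails),
                               "at": ev["ts"]})
        elif len(fails) >= threshold:
            # A success right after a burst of failures from the same source.
            alerts.append({"kind": "success_after_guessing", "src": src,
                           "host": ev["host"], "user": ev["user"],
                           "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this reports two alerts: the fifth failure from 203.0.113.7 and the later successful `admin` login from the same source. The single failed attempt from 192.0.2.10 never reaches the threshold, so the manager's ordinary typo goes unreported. Thresholds and the window are arguments so they can be tuned to how a given remote-support provider actually logs in.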
This example reminds us not only to change our passwords, but that due diligence is a necessary component to security. In a time when competitive advantage is built by compiling relevant consumer information, and many merchants are readily embracing the opportunity to leverage personal data — including but not limited to a consumer’s preferred method of payment — diligence is more important than ever.