1,000 More Businesses Hacked Like Target Was

August 22, 2014

Hey, remember how Target got hacked and managed to give up a metric boatload of credit card info? The malware that did that has reportedly infected over one thousand businesses across the US, including some UPS stores. So I guess you should go log in to your various credit card accounts and see if you, too, just maxed out your cards to buy power tools or Jack in the Box gift cards. Unless you really did, then good luck chop sawing that bacon ultimate cheeseburger.

The main vector for this attack is to hit poorly configured remote access software on the POS computers at the business. This software is a boon when a business needs help but tech support is a ways away. However, if it’s not set up properly, it’s relatively straightforward for someone to try to brute force their way in. And once the thief has access, they can install software that captures credit card data during transactions and sends it off to be sold to the highest bidder.

There are some ways to mitigate these issues, or eliminate them. I’ll list them out in terms of most to least brutal:

  1. Don’t take cards anymore: If you want to be hack free, just stop taking and processing cards. This is probably the easiest way to eliminate the vulnerability, but it’s also the easiest way to lose a ton of business. I’ve seen it work in tiny shops, usually places where people wouldn’t want to use their cards anyway. Most of the time it’s funky night clubs or tackle shops. This is a remarkably draconian way to protect yourself. But it’s an option. It’s not one I recommend at all.
  2. Switch to a standalone terminal: This separates your payment processing from your POS system, all but eliminating the possibility of malware getting installed that can scrape credit card data. Unfortunately, this also means you go through the sale on your POS system, then go through a separate path to enter in payment information. You can also get errors, like if someone types in a charge of $21.15 on the terminal instead of $12.15. It’s not something that’ll happen often, but something to concern yourself with.
  3. Lock down your POS System: The system should be locked down before you even receive it. We do that with the systems we ship out; the firewall is set up during configuration, and we don’t install remote access anything on them. If your POS system provider has installed remote access software, call them up like right now and ask them how secure it is. I bet they’ll tell you it’s super secure. Then have them make it more secure. Or make it even more secure by uninstalling it.
  4. Switch to encrypted card reading: Most POS and card processing software should support this by now, where the credit card data is encrypted by the card reader before it’s even sent to your computer. This doesn’t make you completely safe; if you have the malware on your system the thieves still end up with a big pile of data that *could* be turned into credit card info with enough work. But it’s super tough to get the encryption key, and it’s probably tough to brute force it. So it does slow down the process, and sometimes that’s all you need.

Three and four are pretty close in terms of easiness, so I’d recommend doing both really. Definitely do three. That’s a great one. There’s no reason any third party company you work with should have unfettered access to your system. Even if you have to click a “yes I need help” button to initiate the connection, having the software on there is just opening you up to a world of hurt. When we help customers remotely, they have to log in to a service online; no software is installed on their computer at all. And when we’re done, there’s no way for us to reconnect. As it should be.
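If you want to check option three yourself, here's an added example (not code from this post or from any POS vendor) that reads the output of `netstat -an` from a Windows POS machine and flags remote access services listening on anything other than loopback. The port watch list and the sample output are assumptions made up for illustration; swap in whatever your provider actually installed.

```python
import re

# Well-known default ports for common remote access services.
# Assumed watch list for this example; extend it for your environment.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP (Remote Desktop)",
    5900: "VNC",
}

LOOPBACK = {"127.0.0.1", "[::1]"}

# Matches listening TCP rows of Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def exposed_remote_access(netstat_text):
    """Return sorted (address, port, service) tuples for remote access
    ports that accept connections on a non-loopback address."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if not m:
            continue  # headers, UDP rows, established connections
        addr, port = m.group(1), int(m.group(2))
        if port in REMOTE_ACCESS_PORTS and addr not in LOOPBACK:
            findings.add((addr, port, REMOTE_ACCESS_PORTS[port]))
    return sorted(findings)


# Constructed sample output, not captured from a real system.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5900      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
"""

if __name__ == "__main__":
    for addr, port, service in exposed_remote_access(SAMPLE):
        print(f"{service} listening on {addr}:{port}")
```

This only catches services that listen for inbound connections; remote support tools that dial out to a relay service won't show up as a listening port, so check the installed programs list too.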

As for encrypted card reading, if your credit card processing company allows for encrypted card reading, and your software supports it, GO FOR IT. Seriously. The encrypted card readers are cheap, and sometimes the card processor will give you one for free. It limits your surface area of vulnerability somewhat, which helps them on insurance fees, I’d imagine.

Credit card security is vital. So vital that card processors are going to transition to the more secure Chip & PIN method in the next year or so. In that instance, you can’t run the card unless you physically have the original card. I didn’t put it in the list of options since not everyone has a Chip & PIN card yet.
