Hey, remember how Target got hacked and managed to give up a metric boatload of credit card info? The malware that did that has reportedly infected over one thousand businesses across the US, including some UPS stores. So I guess you should go log in to your various credit card accounts and see if you, too, just maxed out your cards to buy power tools or Jack in the Box gift cards. Unless you really did, then good luck chop sawing that bacon ultimate cheeseburger.

The main vector for this attack is to hit poorly configured remote access software on the POS computers at the business. This software is a boon when a business needs help but tech support is a ways away. However, if it’s not set up properly, it’s relatively straightforward for someone to brute force their way in. And once the thief has access, they can install software that captures credit card data during transactions and sends it off to be sold to the highest bidder.

There are some ways to mitigate these issues, or eliminate them. I’ll list them out in terms of most to least brutal:

  1. Don’t take cards anymore: If you want to be hack free, just stop taking and processing cards. This is probably the easiest way to eliminate the vulnerability, but it’s also the easiest way to lose a ton of business. I’ve seen it work in tiny shops, usually places where people wouldn’t want to use their cards anyway. Most of the time it’s funky night clubs or tackle shops. This is a remarkably draconian way to protect yourself. But it’s an option. It’s not one I recommend at all.
  2. Switch to a standalone terminal: This separates your payment processing from your POS system, all but eliminating the possibility of malware getting installed that can scrape credit card data. Unfortunately, this also means you go through the sale on your POS system, then go through a separate path to enter in payment information. You can also get errors, like if someone types in a charge of $21.15 on the terminal instead of $12.15. It’s not something that’ll happen often, but something to concern yourself with.
  3. Lock down your POS System: The system should be locked down before you even receive it. We do that with the systems we ship out; the firewall is set up during configuration, and we don’t install remote access anything on them. If your POS system provider has installed remote access software, call them up like right now and ask them how secure it is. I bet they’ll tell you it’s super secure. Then have them make it more secure. Or make it even more secure by uninstalling it.
  4. Switch to encrypted card reading: Most POS and card processing software should support this by now, where the credit card data is encrypted by the card reader before it’s even sent to your computer. This doesn’t make you completely safe; if you have the malware on your system the thieves still end up with a big pile of data that *could* be turned into credit card info with enough work. But it’s super tough to get the encryption key, and it’s probably tough to brute force it. So it does slow down the process, and sometimes that’s all you need.

Three and four are pretty close in terms of easiness, I’d recommend doing both really. Definitely do three. That’s a great one. There’s no reason any third party company you work with should have unfettered access to your system. Even if you have to click a “yes I need help” button to initiate the connection, having the software on there is just opening you up to a world of hurt. When we help customers remotely, they have to log in to a service online, no software is installed on their computer at all. And when we’re done, there’s no way for us to reconnect. As it should be.
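If remote access software has to stay on a POS box for now, the brute-force path described at the top of the post is at least something a log check can catch. The script below is an added example (not code from the original post or from any POS vendor): it runs over constructed remote-access log lines, and the line format, the LOGIN_OK/LOGIN_FAILED events, the usernames and the addresses are all assumptions to adapt to whatever your tool actually writes.

```python
"""Flag brute-force logins against a POS remote-access service.
Added example; log format and log lines are constructed, not from any real product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<timestamp> <event> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source hammers the admin account, then gets in;
# a cashier fat-fingers a password once, which should not be flagged.
SAMPLE_LOG = """\
2014-08-22 03:14:01 LOGIN_FAILED user=admin src=198.51.100.23
2014-08-22 03:14:02 LOGIN_FAILED user=admin src=198.51.100.23
2014-08-22 03:14:03 LOGIN_FAILED user=admin src=198.51.100.23
2014-08-22 03:14:04 LOGIN_FAILED user=admin src=198.51.100.23
2014-08-22 03:14:05 LOGIN_FAILED user=admin src=198.51.100.23
2014-08-22 03:14:06 LOGIN_OK user=admin src=198.51.100.23
2014-08-22 09:30:00 LOGIN_FAILED user=cashier src=192.0.2.7
2014-08-22 09:31:10 LOGIN_OK user=cashier src=192.0.2.7
"""

def parse(log):
    """Yield (timestamp, event, user, src) for every line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["user"], m["src"]

def find_bruteforce(log, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (src, kind): 'burst' when a source reaches `threshold`
    failures inside `window`, and 'success_after_burst' when that same source
    later logs in successfully, which is the case that actually needs a response."""
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    burst_sources = set()
    alerts = []
    for ts, event, user, src in parse(log):
        if event == "LOGIN_FAILED":
            recent = [t for t in failures[src] if ts - t <= window]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append((src, "burst"))
        elif event == "LOGIN_OK" and src in burst_sources:
            alerts.append((src, "success_after_burst"))
    return alerts
```

A 'success_after_burst' alert on a POS machine is the moment to pull the box off the network and look for newly installed software, not just reset a password.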

As for encrypted card reading, if your credit card processing company allows for encrypted card reading, and your software supports it, GO FOR IT. Seriously. The encrypted card readers are cheap, and sometimes the card processor will give you one for free. It limits your surface area of vulnerability somewhat, which helps them on insurance fees, I’d imagine.

Credit card security is vital. So vital that card processors are going to transition to the more secure Chip & PIN method in the next year or so. In that instance, you can’t run the card unless you physically have the original card. I didn’t put it in the list of options since not everyone has a Chip & PIN card yet.


The International Business Times has an interesting article about an SAP Executive who was arrested for replacing the barcodes on Lego kits with barcodes for cheaper products. What I find interesting about it is that it’s one of the few times I remember where POS hardware is used for fraud that isn’t fake IDs or stolen credit cards.

Thomas Langenbach, the perpetrator of the crime, went through some pretty clever steps to get steep discounts on his Legos. Yes. I call it Legos. Anyway, he would scan the barcode off a cheaper product, create a new barcode label with that content, and would slap it onto more expensive stuff. So in one example, he bought the $270 Millennium Falcon Lego set for like $49. Personally, I would love to get the Millennium Falcon Lego set for $49. However, he’d then flip the products on Ebay, and ended up netting about $30,000 before finally getting caught.

Granted, he put extra steps into his crime, since UPC data for products is usually available online. But it does point out some of the weak points that can cause product loss at your business. For a larger retailer, such as Target, surveillance systems are a de facto standard, and that was the main way they were able to catch him in the act. However, this could have been caught even sooner by an attentive checker realizing that a very obviously expensive product had just been rung up at 50 dollars. I don’t know how much every product on our site is (I think I’m at 90%), but I’d still know something was amiss if one of our POS systems was sold for 150 bucks.

It is good to know the guy was caught, though it’s a little unsettling that an executive at SAP, a position I’d assume pays well, would feel the need to commit thievery for an extra 30 grand. The big lesson though is to just keep an eye on your products, or stay vigilant when you’re ringing customers up.
