POS Credit Card Theft via Vendor Default Account/Password
Posted by John Verry on Fri, Dec 12, 2008 @ 02:01 PM
It is a common misconception that being compliant with a relevant standard (e.g., HIPAA or PCI) means that the associated data is “secure”; unfortunately, that is often a long way from the truth. We were involved in an interesting project this week that illustrates this all too well: a “PCI compliant” customer, using a “PCI certified” Point of Sale (POS) system, was compromised (i.e., credit card numbers were stolen). Of greater concern to our client base as a whole, we determined that the POS vendor (one of the major players in the space) uses a common account name and password across all of their systems for remote support. If you are using the same POS system, you may be vulnerable.
VISA notified our client (a specialty retailer) that they believed credit card skimming was occurring at one of their locations. This was detected by a clever anti-identity-theft application, which found that three cloned cards used in Houston last week had all been legitimately used at this retail location in Boston approximately three months prior.
We got a call from their audit department after their initial investigation determined that different clerks had handled each of the transactions in question, and that collusion looked highly unlikely. They asked us to determine if their POS system had been compromised. The next morning one of our Security Consultants was on-site assessing the security of their POS and their network. He determined the following:
- The POS system was appropriately patched/configured and was not directly vulnerable to a local LAN based attack.
- The POS system was mistakenly left fully exposed to the internet. The client’s intention was to only expose the system to the IP address block owned by the POS vendor for remote support, however, the firewall was mis-configured.
- There were two successful logins to the machine that we were unable to trace beyond Norway.
- There were two successful logins to the machine that we were unable to trace beyond Czechoslovakia.
- There were ten successful logins to the machine that we were unable to trace beyond Chile.
- All remote logins were to a user account that is a member of the local administrators group that is used by the POS vendor for remote support.
Once we determined that the remote logins were not tied to trouble tickets, and that the IPs were not owned by the POS vendor, we disconnected the machine from the network and notified the customer. A conference call with the POS vendor left me exceptionally concerned. During the call the POS vendor indicated that the compromised account/password combination was used for remote maintenance of all of their POS systems. Further, we were advised that if we changed the password, the POS system could no longer be maintained remotely.
It is remarkable to me that thousands of POS systems, handling millions of credit card transactions per day, all share the same user name and password for an administrative account that is used for remote support!
When I expressed my concern, the vendor pointed out that their system was “PCI certified” and pointed us to the attestation on their site. On further research we located a document on their site indicating that the system was not PCI compliant UNLESS you changed the password for the common administrative account! Amazingly, even after being referred to Help Desk management, we were explicitly told that changing the password would prevent the system from being maintained.
We have handed over the investigation to local law enforcement, the FBI, and Postal police.
If you're running a POS system, take the time to validate the configuration, review privileged accounts, and change the password for any vendor-supplied accounts. I would also suggest that you review the security logs to ensure that you can establish the legitimacy of all administrative-level logins, especially those occurring from outside the LAN.
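The log review suggested above, and the two checks that settled the investigation (source addresses outside the vendor's support block, and logins with no matching trouble ticket), can be scripted against an export of the POS host's security log. The following is an added example written for this post, not tooling from the retailer, the POS vendor or the investigation. It assumes logon events have been exported to CSV with a timestamp, account, logon type and source address (Windows Security event 4624 with logon type 10, RemoteInteractive, is the shape used for a remote logon); the vendor CIDR, LAN ranges, account names, ticket numbers and every event row are constructed for illustration.

```python
"""Triage remote administrative logons against a vendor allowlist and ticket log.

Added example, not the post's own tooling. All addresses, account names,
ticket windows and the vendor support block below are constructed placeholders.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed: the only address block the vendor should support from.
VENDOR_SUPPORT_BLOCK = ipaddress.ip_network("203.0.113.0/24")

# Constructed: address space treated as "inside the LAN".
LAN_BLOCKS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Constructed: accounts that are members of the local Administrators group,
# including the vendor's shared remote-support account.
PRIVILEGED_ACCOUNTS = {"possupport", "Administrator"}

# Constructed: vendor trouble tickets that authorise a remote maintenance window.
TICKETS = [
    {"id": "TKT-1001",
     "start": datetime(2008, 9, 2, 9, 0),
     "end": datetime(2008, 9, 2, 11, 0)},
]

# Constructed sample of exported logon events (time, account, logon type, source IP).
SAMPLE_EVENTS = """\
time,account,logon_type,source_ip
2008-09-02 09:12:00,possupport,10,203.0.113.7
2008-09-05 23:41:00,possupport,10,198.51.100.23
2008-09-06 02:03:00,possupport,10,198.51.100.23
2008-09-08 14:20:00,clerk01,2,192.168.1.40
2008-09-09 03:15:00,possupport,10,192.0.2.88
2008-09-10 10:05:00,Administrator,10,10.1.1.5
"""


def vendor_source(ip_text):
    """True if the source address falls inside the vendor's support block."""
    return ipaddress.ip_address(ip_text) in VENDOR_SUPPORT_BLOCK


def lan_source(ip_text):
    """True if the source address is inside one of the LAN ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in block for block in LAN_BLOCKS)


def ticket_for(ts):
    """Return the ticket id whose maintenance window covers ts, or None."""
    for t in TICKETS:
        if t["start"] <= ts <= t["end"]:
            return t["id"]
    return None


def triage(csv_text):
    """Return (time, account, source_ip, reason) for privileged remote logons
    that need a human to confirm their legitimacy."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"] not in PRIVILEGED_ACCOUNTS:
            continue                       # non-privileged: not in scope here
        if lan_source(row["source_ip"]):
            continue                       # local admin logon: reviewed separately
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if not vendor_source(row["source_ip"]):
            reasons.append("source outside vendor support block")
        if ticket_for(ts) is None:
            reasons.append("no matching trouble ticket")
        if reasons:
            findings.append((row["time"], row["account"],
                             row["source_ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for time, account, ip, reason in triage(SAMPLE_EVENTS):
        print(f"{time}  {account:<14} {ip:<16} {reason}")
```

Against the constructed sample, the one vendor-block logon inside its ticket window passes, the clerk's console logon and the on-LAN Administrator logon are skipped, and the three remaining remote-support logons are flagged on both counts. A logon from the vendor's block with no ticket would still be flagged, which is the point: with a shared vendor password, source address alone proves nothing. Note that some 4624 records carry an empty or "-" source address for non-network logon types, so a production version should treat a missing address as a finding rather than letting `ip_address` raise on it.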