Recently in Lessons Learned Category

Radiant being sued not over it's Aloha system which is PCI-validated but over the use of PC Anywhere.

Restaurants Sue Vendor for Unsecured Card Processor

creditcardSeven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.

The restaurants, located in Louisiana and Mississippi, filed a class-action suitagainst Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.

The suit alleges that the system stored all the data embedded on the bank card magnetic stripe after the transaction was completed -- a violation of industry security standards that made it a high-risk target for hackers.

Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant'sAloha POS system.

According to plaintiffs, Computer World's technicians allegedly installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and the PCAnywhere remote log-in and password that technicians used to access the POS systems was the same at every one of the 200 Louisiana locations where the system was installed. According to one of the plaintiffs who spoke with Threat Level, the default login was "administrator" and the password was "computer."

As a result, a hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others plaintiffs say. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania. The hack follows a wave of similar attacks that targeted point-of-sale systems at other national retailers and restaurant chains between 2005 and early 2009, including Dave & Busters restaurants, Hannaford Brothers, TJX, Wal-Mart and others.

The suit was filed in March in the U.S. District Court in Louisiana, but the court ruled only last week that the seven plaintiffs could proceed as a group with their case, opening the way for additional plaintiffs to join the litigation.

"We want other restaurants nationally to be aware of the hidden dangers posed by these technology companies and the unfair penalties imposed by the credit card companies," said plaintiffs attorney Shiel Gallagher in a press release. "These huge companies shouldn't have the power to destroy these restaurants."

The plaintiffs include Crawfish Town USA, Don's Seafood & Steak House, Jone's Creek Cafe, Mel's Diner, Picante's Mexican Restaurant, Sammy's Grill and a Best Western. Two other restaurants have also sued Radiant Systems and Computer World separately.

The restaurants are seeking millions in damages to recover their costs from the breach. These include fines levied against them from Visa and other credit card companies for failing to be PCI-compliant, the cost of forensic audits to uncover the source of the breach, chargebacks to cover fraudulent charges made on customer accounts and reimbursements to card providers who had to issue new customer cards.

According to the plaintiffs' court filing (.pdf), Radiant and Computer World were allegedly warned by Visa in April 2007 that the Aloha system, along with POS systems made by five other vendors, were non-compliant because they stored card data. Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

PCI compliance involves 12 requirements that include: installing and maintaining a firewall, changing default vendor passwords, encryption of transaction data while it's being processed and updated security patches and anti-virus definitions, among other things. Businesses that accept bank card payments from customers are contractually required by the payment card industry to have PCI-compliant architectures and to use only products that are PCI-compliant.

Charles Hoff, general counsel for the Georgia Restaurant Association and one of the plaintiffs' attorneys, says these kinds of security disputes are becoming more common but rarely garner public attention because vendors tend to settle rather than risk exposure through a court case. He said this suit was filed only after Radiant refused to take responsibility for the breaches.

"Radiant ... took a very arrogant attitude about it," he told Threat Level. "I've had other POS vendors who felt they should be accountable, and the end result was that they knew they needed to do the right thing. Radiant I don't think thought we were serious. Radiant's website gives customers the greatest assurance that when it comes to their resellers, they monitor and make sure they're scrutinized and compliant. It really would give you all the confidence in the world if it was actually done."

Radiant has declined to comment on the details of the suit.

"What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry," Paul Langenbahn, president of Radiant's hospitality division, told the Atlanta Journal Constitution. "We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves."

Keith Bond, owner of Mel's Diner in Broussard, Louisiana, told Threat Level that he purchased his Aloha system for $20,000 and installed it around late November 2007. Computer World, he says, convinced him that the system needed to be connected to the internet for faster transaction processing, as opposed to the dial-up modem connection he had been using for processing.

In April 2008, just a few months after installing the system, one of his employees called to tell him that the mouse cursor on one of three Aloha terminals he'd bought seemed to be moving on its own and that employees were unable to take control of it.

After contacting Computer World technicians, the restaurant was told to disconnect its system from the internet. A service tech appeared the next day to replace the hard drive, but didn't disclose the nature of the problem or indicate that an intruder had breached the system. Bond learned only later that a keystroke logger had been installed on all three of his Aloha terminals, and that the intruder had been siphoning card numbers for about three weeks.

He discovered this only after Visa and Mastercard contacted him in May to tell him his system had been breached. Bond, whose 24-hour diner processes about 60 to 70 card transactions a day, says 669 card numbers were stolen during the three-week period the hacker was in his system.

"If they had accessed the server, they would have got thousands of card numbers," Bond said.

The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.

Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.

Bond said Radiant and Computer World were unresponsive.

"Radiant just basically hung us out to dry," he says. "It's quite obvious to me that they're at fault.... When you buy a system for $20,000, you feel like you're getting a state-of-the-art sytem. Then three to four months after I bought the system, I'm hacked into."

Image courtesy California State Controller's Office

Recommended Commentary Link

Basic oversights create high-tech havoc

Sometimes in IT classic "d'oh!" moments sneak up on you. This particular situation occurred sometime in the mid-1980s, back when the Web was in its infancy or maybe even before it was conceived.

Posted by Anonymous on January 13, 2009 03:00 AM on InfoWorld

I worked for a large corporation on a new project that involved shopping kiosks that one would use for purchasing goods from a number of recognized merchants -- a project considered quite high-tech at the time. The terminals featured a touchscreen, keyboard, credit card reader, and receipt printer for the transaction. In addition, it had lots of color images of products and an interactive touchscreen interface to make shopping for items on a computer more like shopping for real. We placed terminals in shopping malls and areas where there would be lots of foot traffic. In addition, we placed a terminal on the floor in our office so that we could use the system ourselves.

As part of the pilot, we distributed about 40 of these terminals around the local metropolitan area to introduce the public to the kiosk's concept. I was a systems programmer and was responsible for the communications code that enabled price changes, sales information, and other data to be transferred to and from the mainframe computer. The protocol we established was that the kiosk would collect sales during the day, and at a configured time it would place a call (no TCP/IP) via an internal modem to the datacenter and upload the day's sales. Next, it would download from the host any price changes, identities of items to be removed, and so on. Finally, it would obtain from the host the next time it should dial in for data exchange and the phone number for it to call.

One day, we had to make a change to the communication software so we sent a programmer to the datacenter to install the change and test it. Later that afternoon, this programmer and I were hanging around the office of the CICS programmer and someone walked up and told us that the kiosk on our floor was constantly dialing. She was a project member and was able to obtain the phone number it was attempting to dial. When she told us what the phone number was, the CICS programmer reacted.

"That's my realtor's number."

We let that sink in for a few seconds. Then he told us that he had used that phone number for every data entry field that required a phone number on the test CICS system. (He was in the process of buying a house at the time and I guess that's the number that was very much on his mind.) When the CICS programmer shared that information, the programmer who earlier had installed the change to the communications code reacted.

"I forgot to switch back to production after testing my code at the datacenter!"

That's when we all realized why the kiosk in our office was constantly dialing: When the kiosk began its communications sequence after the systems programmer ran his test, all the sales information went to the test environment, and more importantly, it was instructed to dial the CICS programmer's realtor's office for the next exchange -- which was set at 4:00 that afternoon. We also realized this: The kiosks were programmed to retry every minute after a failed communications attempt. So every minute it would dial a well-known real-estate office, listen for a modem tone, and when none occurred it would hang up. Then it dawned on us that the 40 other terminals around the area (some up to 2 hours away by car) were doing the same thing. The only way to correct it was to reset the phone number on the kiosks themselves, because once the kiosks had the phone number changed by the process in place, they were effectively cut off. They no longer knew the datacenter numbers, they only knew a bogus number (the real estate office) which wasn't giving them any useful information back.

We called the realtor's office to let them know what was going on, then we resolved the problem by dividing up the area among the project members, driving out, and resetting each machine. The realtor kept staff at work until late that night, answering the calls. The next day we used the kiosk on our floor to send flowers and a note of apology to the realtor's office. I guess they decided they really wanted the sale on the CICS programmer's home, because the realtor didn't pursue any action.

Eventually the project died and the project team was first in line for the fire sale of all the unsold merchandise we had in a local warehouse. I still have the set of screwdrivers and some wood tools from that sale.

Related Ring Sites:
  GoKIS  |  |  |   Visi Kiosk site  |   KIOSK  |  |
Resource Sites:
  Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
  Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |