Archive for December, 2011

Why Implementing End-to-End PCI Security is a Good Idea: The Subway Franchise Caper

Three lessons jump out at me from this story:

  1. If you are dealing with credit card data, actually getting the PCI done end-to-end seems like a very good idea.  Don’t forget the field offices, Jarad!
  2. No remote access software tools anywhere near servers that house credit card data (part of PCI)
  3. Using easy-to-guess passwords is still the #1 dumb thing to do in data security, and one of the easiest to fix (also in PCI, and see my recent post here as well).

Check out the excerpted story from Gallagher below, and read it in full at:



How hackers gave Subway a $3 million lesson in point-of-sale security

By Sean Gallagher | Ars Technica

… In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

… the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems—which is why remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.

“… the hackers gained access to the remote desktop software by guessing or “cracking” the passwords they were configured with. Fellmann isn’t surprised, based on his experience with retailers. Weak passwords, such as “password,” are one of the most common things he discovers during POS penetration testing, he said. “Some people, you tell them what’s required, and they’d rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place. ” But, he said, “these people weren’t thinking about point of sale security—they were just thinking about making a sandwich…”

Read the full story here.


Tags: , , ,

Some really poor password choices…

For better or worse, passwords are the basis of much of the security we use in the cloud.

SplashData put out there “worst password of 2011” report, based on a blind review of their database of common passwords.  If you use any of these on any accounts you wish to protect, clearly a good idea to think about changing them soon.

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football

A few simple guidelines for good passwords, from around the web:

  • Use at least eight characters
  • Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.
  • Don’t use a word found in any dictionary, English or foreign.


Stuff that just doesn’t work well, at least not anymore, because common hacker tools know them well:

  • Don’t merely add a single digit or symbol before or after a word. e.g. “password1″
  • Don’t double a single word. e.g. “kittykitty”
  • Don’t just reverse a word. e.g. “drowssap”, or just remove the vowels. e.g. “psswrd”
  • Avoid Keyboard sequences that can easily be repeated. e.g. “qwerty”,”zxcvf” etc.
  • Don’t garble letters into numbers as the only thing between you and the dictionary, e.g. converting e to 3, L or i to 1, o to 0. as in “z3r0-10v3″

Read more about the Splashdata report in full here:

Tags: , , ,