Remote Access Vulnerabilities

Recently, a popular topic of conversation during my meetings with national brands has been the lawsuit against Radiant/Aloha and Computer World over the breach of more than 19 restaurants in the Louisiana and Mississippi area. See http://www.gokiosk.net/kiosk/2009/12/radiant-being-sued-by-restaurants-for-violating-pci-compliance-1.html.

In the food industry almost all Point of Sale (POS) systems need to be accessed remotely for service and update purposes. Unfortunately, these same POS vendors and resellers have not paid much attention to the PCI Data Security Standard (DSS). Rather, the focus has traditionally been on the Payment Application certification, PA-DSS, which primarily deals with how cardholder data is encrypted when it is sent over the internet. Going into 2010, this certification is mandatory.

This specific breach of Radiant’s system could have been prevented in many ways. It is not for me to say who is responsible, but rather to point out what went wrong and provide action steps on how to prevent this from ever occurring again.

The DSS is very specific about remote access and access control. Many of the requirements are dedicated to these specific areas and identify exactly what is REQUIRED.

Multi-factor Remote Access - This is a system that uses multiple factors in conjunction with each other in order to authenticate. Using more than one factor generally delivers a higher level of authentication assurance. Multi-factor authentication is typically a sign-on process in which a person proves his or her identity with two of the three methods: “something you know”, “something you have” or “something you are”. You cannot use the same method twice.

Most remote access tools are not equipped to provide this kind of authentication and rely on traditional user IDs and passwords, as mentioned in the article. Unfortunately, when common IDs and passwords are shared, it leads to mass vulnerabilities. It’s important for merchants, and especially brands, to monitor this access and be sure they are using a method of multi-factor access. One example is authentication conducted on a per-user basis: a person must enter an ID and password, after which a five-digit random code is sent to the user via email or SMS text for final authentication. There is also an option to deliver the code by phone call upon authentication. Lastly, smartcards, tokens or keys can be required for final authentication as well.

Using any of these methods would certainly have reduced the risk of this breach occurring.

Strong Access Control - Having the ability to assign each user their own account is key to assuring security while using remote access. Anyone with access to a remote system is required to have their own account and multi-factor authentication. Equally important is the ability to properly administer this access and have a complete reporting tool showing when, and which, user is authenticated. The SecureConnect® tool, for example, provides a visual dashboard of all users and their history. This is particularly important for forensic purposes as well, in case a breach were to occur.
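The two requirements above (a second factor delivered out of band, and per-user accounts with a complete history of who authenticated and when) can be shown together in one small service. The code below is an added example written for this post; it is not SecureConnect code and does not describe how their product works. It assumes a hypothetical `send_code(user, code)` callback for e-mail, SMS or voice delivery, a five-minute code lifetime and a three-attempt limit; the five-digit code length follows the post. With only 100,000 possible values, a short code is workable only because each code is single-use, expires, and is discarded after a few wrong guesses, so those checks are the heart of the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 5          # the post describes a five-digit random code
CODE_TTL_SECONDS = 300   # assumption: a code stops being valid after five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


@dataclass
class PendingCode:
    tag: bytes            # keyed hash of the code; the plaintext is never stored
    expires_at: float
    attempts_left: int


@dataclass
class AuditEvent:
    timestamp: float
    user: str
    event: str


class SecondFactorService:
    """Issues and checks the one-time code that completes a remote login."""

    def __init__(self, send_code, clock=time.time):
        # send_code(user, code) is a hypothetical delivery callback (e-mail, SMS, voice).
        # clock is injectable so expiry can be exercised without waiting.
        self._send_code = send_code
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-side key: a stolen table is useless without it
        self._pending = {}                    # one pending code per user account
        self.audit_log = []                   # every authentication event, per user, with a timestamp

    def _record(self, user, event):
        self.audit_log.append(AuditEvent(self._clock(), user, event))

    def _tag(self, user, code):
        # Bind the code to the account so a code issued to one user cannot be used by another.
        return hmac.new(self._key, f"{user}:{code}".encode(), "sha256").digest()

    def issue_code(self, user):
        """ID and password were accepted; send the second factor out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(
            tag=self._tag(user, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send_code(user, code)   # the code leaves the server only through the delivery channel
        self._record(user, "code_issued")

    def verify_code(self, user, submitted):
        """Return True only for the unexpired, unlocked, unused code issued to this user."""
        pending = self._pending.get(user)
        if pending is None:
            self._record(user, "verify_without_code")
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user]
            self._record(user, "code_expired")
            return False
        if not hmac.compare_digest(pending.tag, self._tag(user, submitted)):
            pending.attempts_left -= 1
            if pending.attempts_left == 0:
                del self._pending[user]       # guessing is capped; the user must start over
                self._record(user, "code_locked")
            else:
                self._record(user, "code_mismatch")
            return False
        del self._pending[user]               # one-time: a captured code cannot be replayed
        self._record(user, "second_factor_ok")
        return True

    def history(self, user):
        """Per-user timeline of authentication events, the raw material for a forensic review."""
        return [(e.timestamp, e.event) for e in self.audit_log if e.user == user]
```

Because every event is recorded against a named account rather than a shared vendor login, `history("tech-alice")` answers the question the post raises for forensics: which person authenticated, when, and how many failed attempts preceded it.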

Beyond this, there were other issues internally regarding the storage of data within these POS systems; however, none of it could have been accessed if the proper remote access technologies had been implemented.

Again, it is not my position to say who is responsible in this particular case; however, as a business owner and/or franchisor it’s important to work with all parties, including the vendors, to be sure the proper technologies are in place to prevent such a breach.

© 2010 BHI Advanced Internet, Inc. Provider of SecureConnect®. All Rights Reserved.