How to Spot a POS Vulnerability Before It Becomes a Security Breach

By Vladik Rikhter


If you’re a restaurant operator and you haven’t heard of the blog Krebs On Security, definitely check it out. Former Washington Post journalist and self-taught computer security expert Brian Krebs is often the first to break major news about restaurant security breaches.

For instance, in February, Krebs got Arby’s to acknowledge a data breach at its fast-food restaurants. Frankly, the cause is enough to lose your lunch: malware on payment systems once again!In a 2015 interview with Eater, Krebs warned that any restaurant company that uses point-of-sale (POS) systems is vulnerable to attack. POS systems are often set up to be accessed remotely, making them vulnerable to hackers.

As identified by Krebs, other security vulnerabilities with POS systems include enabling the same password for each system and running on outdated operating systems that don’t offer security updates and are simpler to hack. It’s no coincidence that chain restaurants are being hacked with greater frequency; often, several restaurants are linked to one internal system.Now you might be asking (because I definitely did): how a guy like Krebs breaks a story. As it turns out, hacked credit cards are often sold on the black market, usually web forums, and when there’s a major breach, there’s an influx. Krebs then reaches out to banks to see if they’re seeing or hearing anything suspicious. If there’s a pattern, Krebs then reaches out to the suspected chain to confirm whether or not they had a breach. Voila! That’s what led him to Arby’s in February. The company confirmed that it had recently remediated a breach, but had not publicly revealed the incident at the request of the FBI.

Arby’s confirmed that malware was placed on payment systems inside corporate stores, but franchised locations were not affected. In other words, the Arby’s breach was evidence of the vulnerabilities Krebs warned about two years ago!

Learning the Lesson

Here at Zenput, we try to provide our customers with the mobile tools to communicate better about their POS audits as well as possible breaches. We’ve discussed measures to prevent ATM skimming, and we offer a mobile form for audits of payment terminals in stores or at the pump. See below screenshot for an example:

POS audit on mobile

But in the case of Arby’s, they were a victim of a malware attack through their central system. Of course, we’re not privy to the inner workings of Arby’s security system, but you have to hope that they regularly ran updates and that software was updated. Keeping systems updated and making sure employees understand the POS terminal and its functionalities are critical tasks for any restaurant operator. When you create a procedure to protect against physical POS breaches, you can also create a checklist for POS employee training. Security is a team effort and one that’s executed from the top down, so make sure your team is in compliance with best practices. Also make sure they know the right steps to take if a breach is detected. That kind of preparedness can go a long way when recovering from an attack. Arby’s now faces class-action litigation with strong accusations: “The Arby’s Data Breach was the inevitable result of Arby’s inadequate data security measures,” says a credit union suing on behalf of its customers. Arby’s denies those allegations and plans to offer a vigorous defense.

But one company’s struggles are a reminder that any multi-unit restaurant operator is at risk, and it begs—or rather, demands—the question: are you up to date on your security measures?

Topics: Business Operations, C-store, ATM skimming, gas stations

Payment Skimming: An Old Battle in Need of a New Solution

By David Mostovoy

 Gas pump payment pic.jpg

For as long as people have had bank cards, thieves have targeted the information they hold. Even though old magnetic strips are gradually being phased out for the moresecure EMV chip card technology, attacks on ATM machines and gas pumps are not subsiding. In fact, the attacks are becoming more frequent and sophisticated.

The U.S. Secret Service Criminal Investigation Division recently issued a warning about “skimmers” at gas pumps. Skimmers are criminals who install devices at gas pumps to gain access to a customer’s bank and credit information. They typically break into a gas pump and install a hidden device that steals or skims credit card information off of the magnetic strip. They can even use Bluetooth to immediately send out stolen information.

Unfortunately, just looking at a payment terminal is usually not enough to tell whether it has a skimming device in or on it. Authorities and companies are now training gas station operators to detect skimming devices. In these challenging times, this simple fact can’t be overstated: It’s crucial that convenience store and gas station operators stay ahead of the curve and audit their own payment terminals for skimming devices.

We get it. As an operator, you have enough regulatory issues to worry about, both inside and outside your store. But operators need to start thinking about this issue beyond any immediate inconvenience like staff training. Think instead of the damage to your brand if a skimming device is found at one of your stores. Regaining customers who lose trust in your ability to keep their financial information safe will be a tough, if not impossible, feat.

Preventing skimming attacks is your responsibility to your customers

In fact, the state of Arizona is taking a different approach to combat a spike in fuel skimming attacks over the past year. In what seems like an effort to get business owners to “get with the program” of preventative measures, the Arizona Department of Agriculture’s Weights and Measures Services Division now files a report that details whether fuel station owners who have had instances of skimming had observed industry best-practices leading up to the skimming events. The reports have revealed failures to install security cameras, tamper-proof security tape, and non-standard pump locks. In some of these incidents, thieves with master keys were able to unlock the pumps to freely install skimming devices.

There is simply no excuse for not changing the factory-default locks on pumps. Also, it’s something an audit of the pump and payment terminal would readily not

‘More Paperwork’ is No Longer a Valid Excuse

If you’re a gas station operator who is not routinely checking your payment terminals for skimming devices, you can no longer postpone such audits. In fact, you can build a custom audit form and distribute it easily, right to the mobile devices of your store managers. A platform like Zenput gives you the ability to track compliance among managers and follow up on a store-by-store basis. Better yet, Zenput’s real-time notifications will alert senior managers when a security threat is detected during an audit.

To learn more about how Zenput is used to check the security of ATMs, download the case on Welch ATM by clicking on the "Learn How" button to the right.

Topics: fraud, ATM skimming