How to Spot a POS Vulnerability Before It Becomes a Security Breach

By Vladik Rikhter


If you’re a restaurant operator and you haven’t heard of the blog Krebs On Security, definitely check it out. Former Washington Post journalist and self-taught computer security expert Brian Krebs is often the first to break major news about restaurant security breaches.

For instance, in February, Krebs got Arby’s to acknowledge a data breach at its fast-food restaurants. Frankly, the cause is enough to lose your lunch: malware on payment systems once again!

In a 2015 interview with Eater, Krebs warned that any restaurant company that uses point-of-sale (POS) systems is vulnerable to attack. POS systems are often set up to be accessed remotely, making them vulnerable to hackers.

As identified by Krebs, other security vulnerabilities with POS systems include enabling the same password for each system and running on outdated operating systems that don’t offer security updates and are simpler to hack. It’s no coincidence that chain restaurants are being hacked with greater frequency; often, several restaurants are linked to one internal system.

Now you might be asking (because I definitely did) how a guy like Krebs breaks a story. As it turns out, hacked credit cards are often sold on the black market, usually web forums, and when there’s a major breach, there’s an influx. Krebs then reaches out to banks to see if they’re seeing or hearing anything suspicious. If there’s a pattern, Krebs then reaches out to the suspected chain to confirm whether or not they had a breach. Voila! That’s what led him to Arby’s in February. The company confirmed that it had recently remediated a breach, but had not publicly revealed the incident at the request of the FBI.

Arby’s confirmed that malware was placed on payment systems inside corporate stores, but franchised locations were not affected. In other words, the Arby’s breach was evidence of the vulnerabilities Krebs warned about two years ago!

Learning the Lesson

Here at Zenput, we try to provide our customers with the mobile tools to communicate better about their POS audits as well as possible breaches. We’ve discussed measures to prevent ATM skimming, and we offer a mobile form for audits of payment terminals in stores or at the pump. See below screenshot for an example:

POS audit on mobile

But in the case of Arby’s, they were a victim of a malware attack through their central system. Of course, we’re not privy to the inner workings of Arby’s security system, but you have to hope that they regularly ran updates and that software was updated. Keeping systems updated and making sure employees understand the POS terminal and its functionalities are critical tasks for any restaurant operator. When you create a procedure to protect against physical POS breaches, you can also create a checklist for POS employee training. Security is a team effort and one that’s executed from the top down, so make sure your team is in compliance with best practices. Also make sure they know the right steps to take if a breach is detected. That kind of preparedness can go a long way when recovering from an attack. Arby’s now faces class-action litigation with strong accusations: “The Arby’s Data Breach was the inevitable result of Arby’s inadequate data security measures,” says a credit union suing on behalf of its customers. Arby’s denies those allegations and plans to offer a vigorous defense.

But one company’s struggles are a reminder that any multi-unit restaurant operator is at risk, and it begs—or rather, demands—the question: are you up to date on your security measures?


How to Stand Out in a Gas Station Cluster

By Joe Skupinsky

(Image Source: Google Maps)

I always thought it was strange that there were three gas stations on a single corner down the street from my college—until I started learning more about the convenience and gas retail industry.

Around the time I saw this pattern, a game theorist in San Francisco noticed the same thing and attempted to get to the mathematical root. As Presh Talwalkar explains, this phenomenon is partially the result of population clusters, so a couple of thousand people driving to and from a college could warrant a cluster of gas stations.

Here’s a brief explanation video:

 

The basic reasoning using the hot dog stand example in the video is this: both stands move closer to the center to capture more of a competitor’s customers. If either stand moves, they’ll lose customers. So when competing on location, everyone wants the central location. This applies to gas stations, fast-food chains, and political candidates. Here at Zenput, it was important for us to understand this game theory concept, considering we work with two-thirds of these groups. (Sorry, we don’t currently have plans to enter the political realm anytime soon!)

So if moving towards the center of the geographical market is a naturally occurring trend that makes sense for a brand, it also follows that convenience store operators should do everything in their power to stand out from their competitors.


In order to maintain revenue, it becomes crucial to be so in tune with your customer that you have the ability to react to changing conditions in real time.

Since Talwalkar used the example of businesses on a beach, and we’re all longing for summer at this point, I’ll use the example of the first warm day of the season. Maybe that day sneaks up on you, and you hadn’t yet planned an in-store beverage promotion. Not only is it warm outside, but the day falls on a weekend. This is a prime opportunity to catch customers filling up for a weekend day trip. They’ll also be filling up right across the street at your competitor’s location. You decide to take action by launching an impromptu beverage promotion.

Now you don’t have signage at the drop of a dime, but you do have some well-positioned cold cases located at the front of your store. You decide that every store should stock up those coolers with a selection of thirst-quenching beverages, from waters and sports drinks to lemonades and iced teas. Maybe you allow store managers to institute a buy-one-get-one deal on a well-stocked beverage. And while you’re managing the cold case, you make sure to stock it with the latest healthy snacks, yogurt and to-go fruit and veggie cups—everything that’s convenient to take on the road. Now you’re responding in real time to your customers’ needs!

So to recap what has happened in this example:

-> The brand is responding in real time to forces (like Mother Nature) that are beyond your control.

-> The brand is taking advantage of a situation by offering a timely product assortment.

-> The brand is in tune with customer needs, which may earn a future visit.

Assuming the competitor across the street didn’t have a better executed promotion, your brand has won today!


Real-Time Response Is Within Reach

The example I used above may seem out of reach to some large-scale operators. But as a practitioner of reality, I’m here to tell you that any gas station and convenience store retailer with the right tools can execute and “think on their feet” in real time. Zenput’s real-time functionality enables that kind of response at the store level.

This is what the chain of events would look like:

-> Senior managers recognize a trend and make the executive decision that they want to promote certain items.

-> Senior managers push out a notification that, for instance, the cold case must be stocked immediately with certain items.

-> Regional and/or store-level managers receive that notification and move to arrange those items.

-> To ensure compliance, store-level managers are required to take a photo of the cold case once it’s stocked.

From Zenput’s central dashboard, senior managers would immediately be able to tell if stores were in compliance with this directive because Zenput would provide data on stores that weren’t. That’s right—you can virtually check into each store!

This isn’t utopia—it’s the power of real-time mobile technology. And it’s why Zenput is being used in more than 6,500 c-stores worldwide. In fact, more than 15,000 people will use Zenput today.  

Learn what Zenput can do to improve your store-level execution by scheduling a demo, or check out our testimonials page to learn more about how our platform is helping other businesses like yours every day.
