
Quick Thoughts on the Point of Sale Security Fail Lawsuit

Let the games begin.

It seems that Radiant Systems, a point of sale terminal company, and Computer World, the company that sold and maintained the Radiant system, are in a bit of a pickle. Seven restaurants are suing them for producing insecure systems that led to security breaches, which led to fines for the breached companies, chargebacks, card replacement costs, and investigative costs. These are real costs, people, none of that silly “lost business and reputation” garbage.

The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.

Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.

The breaches seemed to result from two failures – one by Radiant (who makes the system), and one by Computer World (who installed and maintained it).

  1. The Radiant system stored magnetic stripe track data unencrypted, a violation of PCI standards (PCI DSS prohibits storing full track data after authorization at all, encrypted or not).
  2. Computer World enabled remote access to the system's on-premise control server using a default username and password.
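The first failure above, track data sitting at rest on the POS server, is exactly what the forensic examiners the merchants were forced to hire go looking for, and it is something a merchant could check for themselves before the card brands do. The following is an added example, not part of the original post and not Radiant/Aloha code: a small Python scanner that finds ISO 7813 Track 1 and Track 2 records in a text dump (log, database export, temp file), uses the Luhn check to discard digit runs that merely look like a PAN, and reports masked PANs and the count of distinct accounts exposed. The log lines are constructed for the example, using the publicly documented Visa and MasterCard test card numbers; the log format is invented.

```python
"""
Scan a text dump (POS log, database export, temp file) for magnetic stripe
track data and report masked PANs.  Constructed example; not Radiant/Aloha code.
"""
import re
from typing import Dict, List, Set

# ISO/IEC 7813 layouts:
#   Track 1:  %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2:  ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Constructed sample lines standing in for a POS server log.  The PANs are the
# publicly documented Visa (4111...) and MasterCard (5555...) test numbers; the
# log format is invented for this example.  Line 3 carries a digit run that is
# not Luhn-valid, the kind of false positive a naive regex would report.
SAMPLE = """\
2009-11-30 19:02:11 POSSRV01 txn=10042 swipe=%B4111111111111111^DOE/JOHN^2512101000000000000?;4111111111111111=25121010000000000000? amt=42.17
2009-11-30 19:05:43 POSSRV01 txn=10043 swipe=;5555555555554444=2603101000000000? amt=18.50
2009-11-30 19:07:02 POSSRV01 txn=10044 swipe=;1234567890123456=2603101? amt=9.99
2009-11-30 19:09:30 POSSRV01 txn=10045 swipe=;5555555555554444=2603101000000000? amt=12.00
"""


def luhn_ok(pan: str) -> bool:
    """Luhn check: weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits are the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> List[Dict]:
    """Return one finding per track record found, with the PAN masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for track, rx in ((1, TRACK1), (2, TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                expiry = m.group(3) if track == 1 else m.group(2)
                findings.append({
                    "line": lineno,
                    "track": track,
                    "pan": mask(pan),
                    "expiry": expiry,          # YYMM
                    "luhn_valid": luhn_ok(pan),
                })
    return findings


def exposed_accounts(findings: List[Dict]) -> Set[str]:
    """Distinct Luhn-valid PANs: the number a forensic report (and the card
    brands' fines and chargebacks) will be based on."""
    return {f["pan"] for f in findings if f["luhn_valid"]}


if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        flag = "" if f["luhn_valid"] else "  (Luhn fails: probably not a real PAN)"
        print(f"line {f['line']}: track {f['track']} {f['pan']} exp {f['expiry']}{flag}")
    print(f"{len(exposed_accounts(found))} distinct account(s) exposed")
```

Run it against anything the POS writes to disk, including temp directories and database transaction logs, not just the obvious data files: full track data may not be retained after authorization even briefly, so a single hit is a finding regardless of how long the file lives.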

While I’ve railed against PCI at times, this is an example of how the system can work. By defining a baseline that can be used in civil cases, it really does force the PoS vendors to improve security. This is peripheral to the intent and function of PCI, but beneficial nonetheless. This case also highlights how these issues can affect smaller businesses. If you read the source article, you can feel the anger of the merchants at the system and costs thrust on them by the card companies. Keep in mind, they are already pissed since they have to pay 2-5% on every transaction so you can get your airline miles, fake diamond bracelets, and cheap gift cards.

The quote from the vendor is priceless, and if the accusations in the lawsuit are even close to accurate, totally baseless:

“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal-Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”

Maybe they can go join a certain ex-governor from Illinois on the next season of The Celebrity Apprentice, since they are reading from the same playbook.

There are a few lessons in this situation:

  • The lines have moved, and PCI now affects civil liability and government regulation.
  • PCI compliance, and the security of cardholder data on Internet-reachable systems, now affect even small merchants, including those with no Internet presence of their own.
  • We have a growing body of direct loss measurements (time to revise my Data Breach Costs model).
  • We are seeing product liability in action… by the courts, not legislation.
  • As with many other breaches, following the most basic security principles (don't store what you don't need, don't leave default credentials on anything reachable from outside) could have prevented these.

I think this last quote sums up the merchant side perfectly:

“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault… . When you buy a system for $20,000, you feel like you’re getting a state-of-the-art system. Then three to four months after I bought the system I’m hacked into.”

—Rich


Comments:


By Anton Chuvakin  on  12/01  at  12:34 PM

Another important angle of this was that (reportedly) it was the PA-DSS compliant app which was deployed (by the sued implementer) in a BLATANTLY non-PCI DSS compliant manner.

Today, some apps from Radiant are on the PA-DSS list, so we can’t say for sure that the deployed one was PA-DSS OK (it was rumored to be so). However, we do know that it was deployed in a non-PCI-compliant manner.

Sadly, many merchants believe that a “PA-DSS app confers magic PCI compliance on them” :-)

By David Mortman  on  12/01  at  12:35 PM

It gets better:

According to http://www.prlog.org/10425165-secret-service-investigation-class-action-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html:

“A special investigation by the United States Secret Service (the agency responsible for investigating cases of credit card fraud and identity theft) was also conducted given the multitude of Radiant POS systems subject to security breaches throughout Louisiana and Mississippi and the findings by the forensic reports that Computer World

By Anton Chuvakin  on  12/01  at  12:42 PM

David,  you are falling for the same confusion!

1. The app was “PA-DSS compliant” (from the above) - i.e. it was “on the list”
2. The app was deployed NOT in PCI DSS compliant manner (from all the reports)

The 1 and 2 have very little to do with each other and there is no confusion.

By David  on  12/01  at  12:44 PM

Having worked on numerous forensics cases which involved this POS vendor and others, for restaurants ranging in size from the mom-and-pops to the major franchises, I can say without a doubt that most of these merchants never heard of PCI; it was most likely a line item in their merchant bank’s renewal paperwork. To these merchants, they purchased an appliance which was a POS for the use of selling food and drinks. Then they are told they are a Common Point of Purchase and are required to hire a forensics examiner. Most of the time, these mom-and-pops are put out of business due to the legal fees and fines (of the 75 cases I have worked, I never knew Visa/MCard to drop fines). And the most unfair issue is that compared to the large merchants (Fortune 2000) the fines are way out of proportion. We would be seeing $400 million fines for the largest compromises if PCI Co. were fair.

By Bill Pennington  on  12/01  at  12:53 PM

If Radiant is the “most secure in the industry” then the industry must be pretty bad.

I don’t know anything about the system but I can see a situation where computer world might be the total culprit. Perhaps they setup the system to store the magnetic track data when they should not have? I guess it will all come out, but it is possible Radiant is the “most secure” but the person setting it up made it the most insecure.

How did this pass an ASV audit, though? Seems like default passwords are exactly the type of thing quarterly scans should pick up. Perhaps POS makers should be required to submit default user/pass info to scan vendors?

By Scott  on  12/01  at  01:14 PM

Screw PCI, MasterCard and Visa. Deal in cash only! The shops like it and you’ll never put another nickel in the payment processor’s pocket.

By Bill Pennington  on  12/01  at  01:19 PM

Wow, if the VAR was that shady it makes you wonder if they were getting paid off or involved with the data theft directly.

By Rich  on  12/01  at  01:19 PM

Heck- cash also makes you MUCH more aware of how much you are actually spending.

By David Mortman  on  12/01  at  01:30 PM

@Anton

I understand it was on the list. I was just raising the question of whether or not it was legitimately on the list, i.e. did the QSA miss something? Or was it properly assessed but misinstalled? Or both? Seems weird that track data was being stored, and I could see it being screwed up in either stage.

By Bill Pennington  on  12/01  at  01:43 PM

@Scott cash is great and all but a real hassle to carry around. From a consumers point of view I think CCs are more secure than cash. My CC gets stolen I am out maybe $50 tops, if I carry more than $50 cash it is all done if it gets taken.

By Anton Chuvakin  on  12/01  at  01:53 PM

@david

Don’t know… but I would not be shocked AT ALL if it was on the list legitimately. However, the scope of blame is hard to place without the details of the actual tool: e.g was the tool VERY EASY to deploy in a non-compliant manner vs VERY HARD in PCI DSS compliant manner?

I suspect the details will emerge whenever… however, the case will help enlighten those merchants who feel “PCI good” after seeing a PA-DSS app.

By David  on  12/01  at  02:02 PM

@ Anton,
I knew of several cases where the vendor was on the list; HOWEVER, the application was still retaining stripe card data. The database was still retaining CHD in temp space, something the retailer and the QSA neglected in both the DSS and the Implementation Guide. Yes, these systems were listed on Visa’s web site as compliant, yet weren’t. PCI does not take account of human failings, as we see all too often.
I ended up working with the US SS and the HNP to watch what was used as attack vectors. It was interesting.

By Anton Chuvakin  on  12/01  at  06:07 PM

@David

Yes, that is VERY true. So, there is a good chance that both sued parties are pretty darn guilty. I’ve seen the temp space “conundrum” as well; sometimes the vendor would say “...but it was there only for a short time” ... aha .. like forever? :-)

Especially given that QSA(Heartland)=PA-QSA(Radiant) :-)

By LonerVamp  on  12/02  at  08:32 AM

The Blame Game goes more public in 2010! (Carr will be proud.)

Side benefit? More of these stupid implementations and choices will hopefully be exposed.

By David  on  12/02  at  10:27 AM

With the Radiant POS lawsuit, one wonders if a Micros POS suit will follow. As a QIRA forensics investigator, I saw a 10 to 1 compromise rate of Micros over Radiant systems. Micros REM had such a bad stretch of PCI failures.

By CG  on  12/02  at  01:15 PM

Little off topic to the other comments but it would be really interesting to see the report/scope of the QSA test to see how things like default passwords were missed.

By craig keefner  on  12/03  at  12:01 PM

Nice example of the service/support side of the equation not supporting the application. Can service people open the machine up, get to the desktop and copy the data onto USB? Hard to believe Radiant stored unencrypted….

By Kenneth Smith  on  12/03  at  12:43 PM

I just found a POS server running in a store that has a web server on it from 2002. There are literally hundreds of security vulnerabilities that have been fixed and updates released. Not one of them applied. What does this imply about the rest of the system?

The POS vendor tells us it’s ‘PCI Compliant’. Actually, you passed a PA-DSS assessment. As others have already said (Anton), the vendors need to stop telling the world that their solution is PCI Compliant. There are plenty of us out here that truly understand PCI and will help companies to determine their compliance with PCI DSS.

By Anton Chuvakin  on  12/03  at  01:21 PM

@David

“As a QIRA forensics investigator , I saw a 10 to 1 compromise rate of Micros over Radiant systems.”

Oooh… that sounds like fun :-)

Do you think the blame is on the implementer or vendor in those cases?

By Walter  on  12/07  at  03:29 AM

@David Mortman,

How do you know that Trustwave was in fact acting as a PA-QSA for Radiant Systems?

By Anton Chuvakin  on  12/07  at  02:26 PM

@walter it is on PCI Co site….

By david  on  12/07  at  02:31 PM

It is a matter of public record. All PA-DSS applications which have passed certification can be found on Visa (pre 2009) and now on pcisecuritystandards.org.

As for Heartland, that has been released publicly.  Oh, and I actually know the person who did the certification.

By David Mortman  on  12/07  at  02:34 PM

@Walter

It’s on the link above in my first comment. (https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html?mn=&vn=115&ap=0&rdSort=1&rdSortOrder=1&rg=0)

By Aloha Installer  on  12/27  at  02:20 PM

This is nothing compared to the mess that is Aloha.

1) The Administrator is added to the guest group.
2) The root drive is shared R/W on the server and all the terminals.
3) If a password is used, it’s the same one for every location.
4) Remote access is pcAnywhere.
5) Windows updates are almost never applied.

In the restaurants I was in charge of, I built a “walled garden” around the POS system and we never had a problem.
However, in any other shop, getting access to everything did not require anything but basic computer knowledge.
