Let the games begin.
It seems that Radiant Systems, a point of sale terminal company, and Computer World, the company that sold and maintained the Radiant system, are in a bit of a pickle. Seven restaurants are suing them for producing insecure systems that led to security breaches, which led to fines for the breached companies, chargebacks, card replacement costs, and investigative costs. These are real costs, people, none of that silly “lost business and reputation” garbage.
The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.
Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.
The breaches seemed to result from two failures – one by Radiant (who makes the system), and one by Computer World (who installed and maintained it).
- The Radiant system stored magnetic track data unencrypted, a violation of PCI standards.
- Computer World enabled remote access for the system (the control server on premise) using a default username and password.
While I’ve railed against PCI at times, this is an example of how the system can work. By defining a baseline that can be used in civil cases, it really does force the PoS vendors to improve security. This is peripheral to the intent and function of PCI, but beneficial nonetheless. This case also highlights how these issues can affect smaller businesses. If you read the source article, you can feel the anger of the merchants at the system and costs thrust on them by the card companies. Keep in mind, they are already pissed since they have to pay 2-5% on every transaction so you can get your airline miles, fake diamond bracelets, and cheap gift cards.
The quote from the vendor is priceless, and if the accusations in the lawsuit are even close to accurate, totally baseless:
“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal-Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”
Maybe they can go join a certain ex-governor from Illinois on the next season of The Celebrity Apprentice, since they are reading from the same playbook.
There are a few lessons in this situation:
- The lines have moved, and PCI now affects civil liability and government regulation.
- PCI compliance, and Internet-based cardholder security, now affect even small merchants, even those without an Internet presence.
- We have a growing body of direct loss measurements (time to revise my Data Breach Costs model).
- We are seeing product liability in action… by the courts, not legislation.
- As with many other breaches, following the most basic security principles could have prevented these.
I think this last quote sums up the merchant side perfectly:
“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault… . When you buy a system for $20,000, you feel like you’re getting a state-of-the-art sytem. Then three to four months after I bought the sytem I’m hacked into.”
Reader interactions
24 Replies to “Quick Thoughts on the Point of Sale Security Fail Lawsuit”
@David Mortman,
How do you know that Trustwave was in fact acting as a PA-QSA for Radiant Systems?
@David
“As a QIRA forensics investigator , I saw a 10 to 1 compromise rate of Micros over Radiant systems.”
Oooh… that sounds like fun 🙂
Do you think the blame is on the implementer or vendor in those cases?
I just found a POS Server running in a store that has a web server running on it from 2002. There are literally hundreds of security vulnerabilities that have been fixed and updates released. Not one of them applied. What does this imply about the rest of the system?
The POS vendor tells us it’s ‘PCI Compliant’. Actually, you passed a PA-DSS assessment. As others have already said (Anton) the vendors need to stop telling the world that their solution is PCI Compliant. There are plenty of us out here that truly understand PCI and will help companies to determine their compliance with PCI DSS.
nice example of service/support side of equation not supporting the application. Can service people open the machine up, get to desktop and copy the data on usb? Hard to believe Radiant stored unencrypted….
Little off topic to the other comments but it would be really interesting to see the report/scope of the QSA test to see how things like default passwords were missed.
With the Radiant POS Lawsuit one wonders if a Micros POS suite will follow? As a QIRA forensics investigator , I saw a 10 to 1 compromise rate of Micros over Radiant systems. Micros REM had such bad stretch of PCI failures.
The Blame Game goes more public in 2010! (Carr will be proud.)
Side benefit? More of these stupid implementations and choices and will hopefully be exposed.
@David
Yes, that is VERY true. So, there is a good chance that both sued parties are pretty darn guilty. I’ve seen the temp space “conundrum” as well- sometimes the vendor would say “…but it was there onyl for a short time” … aha .. like forever? 🙂
Especially given that QSA(Heartland)=PA-QSA(Radiant) 🙂
@ Anton,
I knew of several cases where the vendor was on the list HOWEVER, the application was still retaining strip card data. The database was still retaining CHD in temp space, something the retailer and the QSA neglected in both the DSS and the Implementation Guide. Yes, these systems were listed on Visa’s web site as compliant, yet weren’t. PCI does not take account for Human failings, as we see all too often.
I ended up working with the US SS and the HNP to watch what was used as attck vectors. It was interesting.
@david
Don’t know… but I would not be shocked AT ALL if it was on the list legitimately. However, the scope of blame is hard to place without the details of the actual tool: e.g was the tool VERY EASY to deploy in a non-compliant manner vs VERY HARD in PCI DSS compliant manner?
I suspect the details will emerge whenever… however, the case will help enlighten those merchants who feel “PCI good” after seeing a PA-DSS app.