POS Security

Status
Not open for further replies.
Jan 30, 2006
I am paranoid. I'll just get that out there at the get-go. But...

Anybody else notice an increase in the requests for help with things like getting access to transaction log data, making payment processing software do X, Y, and/or Z, getting terminals to work in FOH/BOH mode without keys, third-party interface design, or other stuff like that? I've only seen it on the Aloha-related threads, but that might just be because Aloha is my deal, and I have neither questions nor advice to offer about any other POS system.

I'm mainly concerned that the bad guys have started to focus on hospitality POS systems as potential targets for attack, and are trying to milk whatever resources they can (us, in this case) to get more familiar with their intended victims.

I'm not going to point out any specific threads, as there's a good likelihood that this is just my paranoia talking. If you want to see what I'm talking about, just keep the topic in mind and take a cruise through the forum. It's not hard to spot when you're actually looking for it.

And think about this: You're a credit card thief. You've realized that restaurants, hotels, etc. deal with lots of cards. You have some basic skills, or have hired someone who does, but the documentation and code are sparse, and you need more info to mount a campaign with any chance of success. Where do you go?

Even if this isn't happening now, it might not be a bad idea to think about who is asking the question you're about to answer. Whether a poster is a frustrated restaurant operator, a reseller technician who can't come up with a fix, or some script kiddie looking to get rich, I ask myself a question before I start answering theirs: Should this person have the knowledge they're looking for?
 
I totally agree.
There has been a huge spike in new users on this forum particularly.
It was pretty contained for a very long time, and then suddenly it's the most popular place on the interwebs.
I am also very suspicious.
 
And sensitive information is always simply handed out... No questions asked. Alt-x, full Aloha loads, ways around Aloha security.
 
And none of the "sensitive information simply handed out" would need to be if the OWNER of the Aloha software were not locked out of and trained in using 100% of what they paid for.

I don't see any other software vendors listed in this forum other than Aloha and Micros.

They might be the biggest in the POS world, but they are the most protective and non-instructive of user and manager rights in accessing all the available features in the software.

Cheers,
Coorsman
 
Agree. I have pulled back in two areas: firstly users that are looking into areas which will open a bigger can of worms. Secondly where people are looking for access to logs, databases, installers, test environments. I am probably overly cautious now.
 
I'm with ya, Coors. But the trainability of our end-users is compromised by the amount of training time their boss is willing to pay them for, the amount their boss is willing to pay us for, the quality of the training itself (which varies from reseller to reseller), and the users' ability and motivation in training.

I just don't want to see somebody's front door kicked down by Homeland Security for hosting a couple Aloha ISOs, and especially not the board's highest-ranked MVP by (as near as makes no difference) a factor of two.

TL;DR: It sucks, but it beats being arrested, so CYA.
 
Back again. This is a broad topic and I am not sure if I understand all of it. As TheMagic Bone says in regard to training, currently owners are tightening expenditure on training, education, and installations we are winning currently are for really basic POS systems like CRE. Comparing these to a Micros installation that takes 7 days, setup cost minimalisation seems more important than users having thorough knowledge.

On the Homeland Security thing: are you talking about them investigating after a host has been compromised or due to using unlicensed software / unlicensed features? I am not familiar with Homeland Security's scope of operation.

 
That was exaggeration. I meant that I don't want some scumbag to take advantage of the help here to steal credit card data, and see a member of the site get in trouble for providing the help.
 
All the systems I deal with don't capture or store CC data. The card payment systems (integrated or non-integrated) have a transaction number, leading and trailing numbers for the credit card with the middle numbers masked. I guess the businesses that need to store and access CC numbers would be those that do monthly invoicing / charging, or rental places such as rental cars, where fines may need to be charged to drivers. Or those running memberships / accounts.

Even Micros no longer stores / retrieves the CC data internally; it's their card payment system that captures that data, and even then it's encrypted and not usable.

Cheers again Magic

 
Yeah, that's the way Aloha is doing it these days, more or less. My concern is that the environment may be compromised, and have something (like a keylogger for instance) installed. If that were to happen, and it wouldn't be the first time, the storage wouldn't matter, because the bad guys would be capturing it live. I don't want them to figure out how, especially not with our help.
 