Progressive Grocer Independent

FEB 2016


Data Security Business

& Sons' attention.

"Our network company, the POS company, the software company and the POS support company had all told us nobody could get into our network," Heskestad says. "Even if they could get into our network, they wouldn't be able to access the card information. Even if they could access the credit card information, it was encrypted. Even if they could access that encrypted credit card information, they could never get it back out of the network."

This proved not to be true.

After several customers alerted the store that the credit cards they had last used in the store had been compromised, DeCicco & Sons began to investigate. Heskestad worked with the POS supplier to scan the registers. A few unencrypted numbers were found, only about 2 percent of the transactions, says John DeCicco Jr., president of DeCicco & Sons.

The solution appeared to be a patch that had been released to fix a known flaw in the POS software. The store installed the patch and figured the problem was solved.

"We assured customers that we had fixed the problem," DeCicco says, "but to make a long story short, we did not fix the problem."

Dogged Efforts

Customers continued to report compromised credit cards. After another scan, the IT team found the malware file. Windows Extension has a WINHelp file that runs as part of the system. The malware file was almost identically named WNHelp, so it went undetected when the system was scanned for viruses. Once it was found, it was deleted from all of the registers, which were then wiped clean and had the software reinstalled.

To keep the stores operating and accepting credit cards, DeCicco & Sons switched the credit card terminals from internet access to wired phone lines for processing. In fact, the internet was completely shut down.

"You quickly realize how dependent you become as a business on the internet," Heskestad says. "It's file sharing, it's DropBox, it's email, it's Googling something for a customer. Without internet, you're really crippled, but that was our instant fix to ensure the problem didn't compound anymore."

The initial "fix" took about a week to resolve from the time the problem was first reported to the reinstallation of the software, during which time the DeCicco IT group, outside IT professionals and the POS provider worked around the clock. However, in total, it took months to resolve because all of the stolen numbers weren't discovered immediately.

"We were happy that as such a small company, we were able to find the problem, solve it and alleviate it that fast," DeCicco says.

Reaching Out

DeCicco & Sons contacted local police to report the hack, but unfortunately, they were unable to help in tracking where the attack came from. The company also contacted the FBI and Secret Service, but again, received little guidance, as the DeCicco & Sons attack occurred at the same time that government emails were compromised.

Even reaching out to the credit card companies for a list of potential customers, so as to be proactive in alerting those whose accounts may have been compromised, went nowhere.

"We're a small business, and we care about the communities we're in," Heskestad says. "We'd like to reach out and say, 'You should get your card replaced because there's a possibility it may get hacked.' But despite repeated requests [to the credit card companies], that never happened."

DeCicco & Sons did put an alert on Facebook to warn customers that the store's POS system had been compromised. The post quickly went viral: It was shared 20,000 times in just a couple of hours.

To help prevent future attacks, the company upgraded to VLANs, or virtual local area networks, and segregated all of the networks and stores onto separate VLANs, which took another five months to complete.

"It was very difficult to implement because people who had access to things a certain way now had to take 10 extra steps to get information that used to be one click away," DeCicco says. "But it made the whole network across all the stores much more secure."

Those 10 extra steps include multiple passwords, and no direct access to certain areas from PCs or other VLANs. For example, staff can't access the POS system unless they're on the POS system.

All of these steps fall in line with what industry experts recommend.

PCI-compliant does not equal secure. And EMV is not a universal cure; it protects against the stealing of chip data and creating counterfeit chip cards, but doesn't protect against card-not-present fraud, such as internet or mobile transactions. Card-not-present represents 41 percent of fraud cases.
—Shazam

Fraud Prevention Tips

Use the following ideas to help mitigate fraud and opportunities for hackers to gain access to your system:

- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security portal.
- Destroy all obsolete media containing cardholder information.

Source: Shazam
