Blog

Quick Thoughts on the Point of Sale Security Fail Lawsuit

By Rich

Let the games begin.

It seems that Radiant Systems, a point of sale terminal company, and Computer World, the company that sold and maintained the Radiant system, are in a bit of a pickle. Seven restaurants are suing them for producing insecure systems that led to security breaches, which led to fines for the breached companies, chargebacks, card replacement costs, and investigative costs. These are real costs, people, none of that silly “lost business and reputation” garbage.

The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.

Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.

The breaches seemed to result from two failures – one by Radiant (who makes the system), and one by Computer World (who installed and maintained it).

  1. The Radiant system stored magnetic track data unencrypted, a violation of PCI standards.
  2. Computer World enabled remote access for the system (the control server on premise) using a default username and password.

While I’ve railed against PCI at times, this is an example of how the system can work. By defining a baseline that can be used in civil cases, it really does force the PoS vendors to improve security. This is peripheral to the intent and function of PCI, but beneficial nonetheless. This case also highlights how these issues can affect smaller businesses. If you read the source article, you can feel the anger of the merchants at the system and costs thrust on them by the card companies. Keep in mind, they are already pissed since they have to pay 2-5% on every transaction so you can get your airline miles, fake diamond bracelets, and cheap gift cards.

The quote from the vendor is priceless, and if the accusations in the lawsuit are even close to accurate, totally baseless:

“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal-Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”

Maybe they can go join a certain ex-governor from Illinois on the next season of The Celebrity Apprentice, since they are reading from the same playbook.

There are a few lessons in this situation:

  • The lines have moved, and PCI now affects civil liability and government regulation.
  • PCI compliance, and Internet-based cardholder security, now affect even small merchants, even those without an Internet presence.
  • We have a growing body of direct loss measurements (time to revise my Data Breach Costs model).
  • We are seeing product liability in action… by the courts, not legislation.
  • As with many other breaches, following the most basic security principles could have prevented these.

I think this last quote sums up the merchant side perfectly:

“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault… . When you buy a system for $20,000, you feel like you’re getting a state-of-the-art sytem. Then three to four months after I bought the sytem I’m hacked into.”

No Related Posts
Comments

This is nothing compared to the mess that is Aloha.

1) The Administrator is added to the guest group.
2) The root drive is shared R/W on the server and all the terminals.
3) If a password is used, it’s the same one for every location.
4) Remote access is PCAnyware.
5) Windows updates are almost never applied.

In the restaurants I was in charge of, I built a “walled garden” around the POS system and we never had a problem.
However, in any other shop, getting access to everything did not require anything but the basic computer knowledge.

By Aloha Installer


@Walter

It’s on the link above in my first comment. (https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html?mn=&vn=115&ap=0&rdSort=1&rdSortOrder=1&rg=0)

By David Mortman


It is a matter of public record. All PA-DSS applications which have past certification can be found on Visa (pre 2009) and now on .pcisecuritystandards.org.

As for Heartland, that has been released publicly.  Oh, and I actually know the person who did the certification.

By david


@walter it is on PCI Co site….

By Anton Chuvakin


@David Mortman,

How do you know that Trustwave was in fact acting as a PA-QSA for Radiant Systems?

By Walter


@David

“As a QIRA forensics investigator , I saw a 10 to 1 compromise rate of Micros over Radiant systems.”

Oooh… that sounds like fun :-)

Do you think the blame is on the implementer or vendor in those cases?

By Anton Chuvakin


I just found a POS Server running in a store that has a web server running on it from 2002.  There are literally hundreds of security vulnerabilities that have been fixed and updates released.  Not one of them applied.  What does this imply about the rest of the system?

The POS vendor tells us it’s ‘PCI Compliant’.  Actually, you passed a PA-DSS assessment. As others have already said (Anton) the vendors need to stop telling the world that their solution is PCI Compliant.  There are plenty of us out here that truly understand PCI and will help companies to determine their compliance with PCI DSS.

By Kenneth Smith


nice example of service/support side of equation not supporting the application. Can service people open the machine up, get to desktop and copy the data on usb? Hard to believe Radiant stored unencrypted….

By craig keefner


Little off topic to the other comments but it would be really interesting to see the report/scope of the QSA test to see how things like default passwords were missed.

By CG


With the Radiant POS Lawsuit one wonders if a Micros POS suite will follow? As a QIRA forensics investigator , I saw a 10 to 1 compromise rate of Micros over Radiant systems. Micros REM had such bad stretch of PCI failures.

By David


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.