Risks posed by third parties are an ongoing problem for U.S. merchants because some point-of-sale vendors are overlooking basic security measures.
Last week, in the wake of an alert from American Express about the breach of a third-party service provider, I pinged security experts and card issuers to see if I could determine which provider may have been referred to in the AmEx alert. The notice from AmEx, which first appeared on the California Attorney General's website March 10, turned out to be a mistake and was taken down. An AmEx spokesperson told me that the breach referred to in the alert, which affected California card holders, actually involved a merchant and not a third party, but declined to share further details.
Nevertheless, fraud-fighting experts and issuers stress that risks posed by third parties are an ongoing problem for U.S. merchants. That's why POS vendors and service providers need to be held more accountable for merchant-level security.
Some banks tell me that for the last six months, they've seen fraud linked to several Asian restaurant chains on the West Coast that are served by the same third-party point-of-sale integrator based in California.
What's more, numerous fraud-fighting sources report that POS service provider breaches are increasingly targeting smaller restaurant chains throughout the country. And it's becoming increasingly challenging for issuers to trace fraud back to a single point of compromise.
"There have been a ton of breaches for some time, and the trend we are seeing right now is more attacks against restaurant groups," one leading card issuer on the West Coast tells me.
Most of these breaches, the issuer says, are tied back to the compromise of POS integrators or other types of service providers - typically those that use remote access tools such as LogMeIn to reach POS devices and systems at numerous merchants.
Third-party breaches generally stem from the compromise of log-in credentials, usually through a phishing attack. In some cases, the log-in credentials to access the POS are easy to guess.
Lessons Not Learned
As one fraud-fighting source told me: "The lessons of IS&S have not been learned by all integrators of the world. Phishing emails still seem to be a vulnerability."
IS&S refers to Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc., which in June 2014 notified restaurant customers of a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18, 2014 (see POS Vendor: Possible Restaurant Breach).
IS&S is an independent reseller of POS products sold by software vendor Future POS Inc.
The breach was linked to the compromise of IS&S's LogMeIn account, likely because of a phishing attack that led to the compromise of administrator credentials, IS&S President Thomas Potter told me shortly after the breach was exposed.
What's Going Wrong?
POS service providers need to ensure that they are not using default passwords for remote-access logins to POS systems and devices, and that the same login credentials are not used to access POS systems at multiple merchants. Too often, however, these basic security measures are skipped.
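The two failures just described, default passwords and one credential reused across many merchants, are easy for an integrator to find in its own account inventory before an attacker does. The script below is an added example, not code from this column or from any vendor or integrator named in it; it assumes a hypothetical export of one row per (merchant, remote-access username, password) from the remote-access tool's admin console, and the inventory, merchant names and default-password list it uses are constructed for illustration. It also flags passwords that are guessable because they are short or contain the merchant or account name, which is the "easy to guess" case noted earlier in the article.

```python
"""Audit a POS integrator's remote-access accounts for default, guessable and
cross-merchant shared credentials.  Added example with constructed data."""
import hashlib
from collections import defaultdict

# Constructed: a few vendor-style defaults and trivially guessable values.
# A real audit would use the POS vendor's documented defaults plus a
# breached-password list.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "pos", "posadmin"}
MIN_LENGTH = 12

# Constructed sample inventory for a hypothetical integrator (assumption:
# one row per merchant / remote-access user / password).
ACCOUNTS = [
    {"merchant": "Merchant A", "user": "admin",   "password": "admin"},
    {"merchant": "Merchant B", "user": "admin",   "password": "admin"},
    {"merchant": "Merchant C", "user": "support", "password": "Tr0ub4dor&3xyz"},
    {"merchant": "Merchant D", "user": "support", "password": "Tr0ub4dor&3xyz"},
    {"merchant": "Merchant E", "user": "support", "password": "merchante2014"},
    {"merchant": "Merchant F", "user": "svc_pos", "password": "h7$Qm!2zLw9#pV"},
]


def fingerprint(password):
    """Hash the password so reuse can be grouped without putting plaintext
    in the findings report."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(accounts, defaults=DEFAULT_PASSWORDS, min_length=MIN_LENGTH):
    """Return one finding per (merchant, user, issue) triple."""
    # Group merchants by (username, password hash): any group with more than
    # one merchant is a single credential that opens several merchants' POS.
    by_credential = defaultdict(set)
    for a in accounts:
        by_credential[(a["user"], fingerprint(a["password"]))].add(a["merchant"])

    findings = []
    for a in accounts:
        pw_l = a["password"].lower()
        user_l = a["user"].lower()
        merchant_token = a["merchant"].replace(" ", "").lower()
        issues = []
        if pw_l in defaults:
            issues.append("default password")
        elif len(pw_l) < min_length or any(
            tok in pw_l for tok in (merchant_token, user_l) if len(tok) >= 4
        ):
            issues.append("guessable password")
        shared = by_credential[(a["user"], fingerprint(a["password"]))]
        if len(shared) > 1:
            issues.append("credential shared across %d merchants" % len(shared))
        for issue in issues:
            findings.append({"merchant": a["merchant"], "user": a["user"], "issue": issue})
    return findings


def clean_merchants(accounts, findings):
    """Merchants whose remote-access accounts raised no finding at all."""
    flagged = {f["merchant"] for f in findings}
    return {a["merchant"] for a in accounts} - flagged


if __name__ == "__main__":
    results = audit(ACCOUNTS)
    for f in results:
        print("%-12s %-8s %s" % (f["merchant"], f["user"], f["issue"]))
    print("no findings:", sorted(clean_merchants(ACCOUNTS, results)))
```

Run against the constructed inventory, the audit reports seven findings: the two "admin/admin" accounts are both default and shared, the two "support" accounts share one credential, Merchant E's password is guessable because it embeds the merchant name, and only Merchant F comes back clean. Hashing before grouping is deliberate: the report can be handed to the merchants or an assessor without reproducing the passwords themselves.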
Clearly, both POS vendors and service providers need to be held more accountable for compliance with basic security standards, including the PCI Data Security Standard.