Monday, October 5, 2015

INTERACT systems being targeted at retailers as criminals exploit it to the tune of $5000 a shot


Organized criminals are taking assault on poorly secured Payment Terminals leaving store owners assuming the loss.

As various news agencies reported over the last few days, Interact card processing systems used in various retail operations are being targeted by criminals.  


 TVA NOUVELLES - 25 septembre 2015


At a privately held Fraud Summit that I was invited to speak last week, it became clear that this is a pretty big problem as police investigators started sharing their experiences following my talk which touched briefly on the subject.  At least 20 cases in the room.

A specific service provider (EVALON) appears to be a common target, as their default password for performing a refund to a debit card is the ever so secure 0000.

Not only is this a bad password, it is also indicated in the configuration manual available on the Internet.

The strategy is simple, two individuals go into a retail store (convenience store, restaurant, etc.) and purchases something.  When the debit machine is handed to the client, the accomplice distracts the clerk so his partner can cancel out the transaction and activate the REFUND (CREDIT) function of the system, using the 0000 password and authorizing a $5000 credit onto the criminals debit card.

The store in question will only notice the issue when they attempt to balance out the sales transactions at the end of the day.

So far, the criminals have been smart enough to only use debit cards associated with bank accounts opened with false identifies and not their own personal accounts.  

BAD DESIGN

Three things stink to high heaven with all this.

1) The most obvious.... the code being 0000 on production systems is nothing short of mind blowingly stupid.

2) When they started receiving calls from their clients claiming they where robbed of $5000, why hasn't the company supplying these devices reached out to their clients to explain to them they should change their 0000 password ?

3) And finally, the most important one.....   Why is the system design stuck in the 1800's.  Any security engineer will tell you that the device should impose a password change during the initial configuration and activation process.  This means that before the new plastic smell is gone, and before the DNA of a second person touches the device, that password should have been changed.   Default passwords forced to be changed before the system accepts its first debit / credit card is the only reasonable design.  

This is a beautiful example of lazy, low quality software engineering.

The company pushing these out the door to their "clients" is basically saying they prefer to rely on people reading the manual  and realizing the impact of not changing this code instead of locking it down right from the start.

Crossing your fingers hoping the end user gets it is not sound engineering.  Building it in a way that PREVENTS their clients from doing a stupid... stupid... thing... is the way to go.

Some retailers have nothing to worry about.  The processing architecture of many mature retailers often relies on the POS system authorizing a credit and only then will the paiement terminal process it.  Limits are often imposed to further protect against abuse/fraud.  

However, if you have an all in one independent POS/PT  that is not attached or controlled by an enterprise POS, you may be at risk.  You may want to make sure your password is of good quality, and that you have changed it at some point since spanish inquisition so ex-exployees don't still have it.



Now keep in mind that these systems have been thoroughly tested, attested and certified to be PCI-DSS compliant.  That was a joke by the way....  

As we can all see, there are three important life lessons learnt here:

1) Compliance does not mean secure.  

2) Common sense is not to be assumed. 

and 

3) Trust in your so called business partners to "do the right thing" is as ridiculous as having 1234 as your banking PIN.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com










Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...