Yesterday, BankInfoSecurity reported that Information Systems & Supplies Inc. (IS&S), a food-service POS and security systems provider, recently notified customers of a remote access breach that may have exposed card data from POS transactions. The article notes, “IS&S is an independent reseller of POS products sold by software vendor Future POS Inc. Future POS customers named on IS&S's site include restaurant chains such as Dairy Queen and TacoTime.”
In a letter to customers, IS&S said a LogMeIn account used by the company to remotely support customers was breached, and they have reason to believe that the data accessed could include credit card information.
According to the article, IS&S President Thomas Potter "confirms that his company's remote access credentials were somehow compromised, possibly through a phishing attack," and since identifying the breach the company has "changed all of its LogMeIn credentials and now requires a secondary unique password for access to the system." (IS&S should be commended for immediately notifying customers about the potential breach, as well as for taking steps to improve remote access security.)
This breach is yet another wake-up call for retail and hospitality chains to more closely evaluate their third-party vendors, particularly the tools they use to remotely access and support POS systems and networks. This can be very complicated in a franchise model because each franchise typically selects its own local POS and IT service vendors, who in turn select their own remote access tools. Even when these vendors implement modern remote access tools, they often use simple or shared login credentials with no multi-factor requirement, making them an easy target for hackers with keystroke loggers.
Once hackers have legitimate credentials for the remote access system, they can pose as a legitimate support technician and potentially gain direct access to every remote system available to that account. From there, experienced hackers often know how to use malware and other tactics to move from that individual system to the rest of the corporate network. This puts the entire company at risk of a major data breach, which can be catastrophic for a brand.
At a minimum, franchisors must mandate that all vendors use a remote access tool that discourages shared credentials, captures a complete audit trail of all remote support activity, and supports multi-factor authentication. (Here is a 5-step guide to improving third-party remote access security that may help.)
But there's an opportunity for large retailers to take remote access security beyond simply publishing best practices.
Franchisors should consider implementing a secure, centrally managed, in-house remote support system that is readily available for use by their franchisees and any vendors that support those individual retail locations. Through this model, all remote access to local store POS systems would be centrally audited and recorded as a condition of the franchise agreement. By eliminating all of the different remote access tools connecting to a network, retailers can close the door on a major attack pathway for hackers.
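The two controls called for above, discouraging shared credentials and requiring a second factor, only pay off if someone actually reads the central audit trail. Here is an added example (not code from IS&S, Future POS, LogMeIn or the original post) of the checks a franchisor could run over that trail: it flags accounts used from more than one source address within a short window, the usual sign of a login that several technicians share, and lists sessions that reached a store system without multi-factor authentication. The log format and the sample lines are assumptions constructed for the example.

```python
"""Audit-trail checks for a centrally managed remote-support system.
Added example, not code from IS&S, Future POS, LogMeIn or the original post.
Assumed log format: timestamp|account|source_ip|mfa|target_store per session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data; RFC 5737 documentation IPs).
SAMPLE_LOG = """\
2014-06-10T09:01:00|vendor_support|203.0.113.10|yes|store-0412
2014-06-10T09:04:00|vendor_support|198.51.100.7|no|store-0198
2014-06-10T09:05:30|vendor_support|203.0.113.10|yes|store-0412
2014-06-10T11:20:00|j.smith@posvendor|192.0.2.44|yes|store-0211
2014-06-10T13:00:00|svc_remote|198.51.100.7|no|store-0077
"""

SESSION_WINDOW = timedelta(minutes=15)  # what counts as "concurrent" use

def parse_log(text):
    """One dict per session line; blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, mfa, target = line.split("|")
        sessions.append({"ts": datetime.fromisoformat(ts), "account": account,
                         "src": src, "mfa": mfa == "yes", "target": target})
    return sessions

def find_shared_accounts(sessions, window=SESSION_WINDOW):
    """Accounts used from more than one source IP within `window` of each
    other: the usual signature of a login that several technicians share."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s["account"]].append(s)
    flagged = set()
    for account, items in by_account.items():
        items.sort(key=lambda s: s["ts"])
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # list is sorted, so later sessions are further apart
                if a["src"] != b["src"]:
                    flagged.add(account)
    return sorted(flagged)

def find_no_mfa_sessions(sessions):
    """(account, store) pairs reached without a second factor."""
    return [(s["account"], s["target"]) for s in sessions if not s["mfa"]]
```

Run against the sample, the shared-credential check flags `vendor_support` (two addresses three minutes apart) and the MFA check lists the two sessions authenticated with a password alone.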