Remote Access Security
When it comes to remote access security, merchants should follow both PCI DSS and PABP guidelines and protocols, along with the suggestions in the CISP bulletins.
In the TJX example, hackers allegedly gained remote access to the company's computer network by disguising themselves as repairmen.
They walked in the door, took control of the remote access kiosk, and with a few keystrokes (and possibly a dummy PIN keypad) gained access to thousands of credit card numbers and PINs.
Stand-alone POS kiosks are everywhere, and merchants use them for a variety of reasons. Banks have stand-alone kiosks at almost every convenience store, grocery store, and shopping mall.
Most POS software relies on high-speed Internet connections that run from the POS terminals to the host.
Any hacker with knowledge of graphical or command-line POS software can break into a network from a remote terminal, especially if the software is not configured properly or has security holes that have gone unpatched.
Exploiting unpatched remote-access software is the most common method hackers use to break into POS systems.
Merchants need to ask their POS software vendor the following questions:
- What type of remote management software is in use?
- Who has access to the remote management software in use?
- Is the software installed and configured properly?
- Are default settings used?
- How do you manage passwords? What types of passwords are used? Are they considered strong passwords?
- Are security holes found and patched on a consistent basis? How are they found?
- What type of encryption and logging configurations are used?
- What other types of safeguards can you (POS software vendor) install, in order to make the system secure?
- Are you in full compliance with PCI DSS?
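Several of the questions above (default settings, password strength, patching, encryption and logging) can be turned into a repeatable check that a merchant or assessor runs against the remote-management configuration a vendor ships. The script below is an added example, not code from the original article or from any POS vendor: it assumes a hypothetical INI-style configuration file with a `[remote_access]` section, a constructed list of well-known vendor default credentials, and a hypothetical "latest patched version" value, and it reports the weak configuration beside a hardened one.

```python
"""Audit a POS remote-management configuration against the merchant checklist.

Added example (not from the original article). The config format, the
default-credential list and the latest-patched-version value are all
constructed assumptions for illustration.
"""
import configparser
import re
from typing import List, Tuple

# Constructed list of widely published vendor default credentials (hypothetical).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("support", "support"),
}

# Hypothetical: the vendor's current patched release of the remote software.
LATEST_PATCHED_VERSION = "2.4"

# Constructed sample configuration with the weak settings the checklist warns about.
WEAK_CONFIG = """
[remote_access]
enabled = true
listen_port = 5900
username = admin
password = admin
encryption = none
logging = off
allowed_hosts = 0.0.0.0/0
software_version = 2.1
"""

# Constructed sample configuration with each weak setting corrected.
HARDENED_CONFIG = """
[remote_access]
enabled = true
listen_port = 5900
username = pos-maint-7f3a
password = Vq9#tL2m!xR8wP4z
encryption = tls1.2
logging = on
allowed_hosts = 203.0.113.0/24
software_version = 2.4
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.4' into (2, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def password_is_strong(password: str) -> bool:
    """Policy used here: at least 12 characters with upper, lower, digit and symbol."""
    return (
        len(password) >= 12
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def audit_remote_access(config_text: str) -> List[str]:
    """Return the list of checklist findings; an empty list means every check passed."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = parser["remote_access"]
    findings: List[str] = []

    user, password = section.get("username", ""), section.get("password", "")
    if (user, password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default vendor credentials in use")
    if not password_is_strong(password):
        findings.append("password does not meet strength policy")
    if section.get("encryption", "none").lower() in ("", "none", "off"):
        findings.append("remote session is not encrypted")
    if not section.getboolean("logging", fallback=False):
        findings.append("remote access logging is disabled")
    if section.get("allowed_hosts", "") in ("", "*", "0.0.0.0/0"):
        findings.append("remote access allowed from any address")
    if version_tuple(section.get("software_version", "0")) < version_tuple(LATEST_PATCHED_VERSION):
        findings.append("remote management software is behind the latest patched version")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_remote_access(cfg) or ['no findings']}")
```

Each finding maps back to one of the vendor questions, so the output doubles as the evidence a merchant can ask the vendor to explain; the version check in particular only works if the merchant keeps `LATEST_PATCHED_VERSION` current from the vendor's patch notices.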