back to article Foodies sue providers of hacked payment system

A group of restaurants is demanding millions of dollars in damages from two companies accused of selling point-of-sale terminals that exposed customer data to criminal hackers. In a complaint filed in Louisiana state court, the restaurants claim the Aloha POS software manufactured by Georgia-based Radiant Systems failed to …

COMMENTS

This topic is closed for new posts.
FAIL

As acronyms go

the one for Point of Sale is really unfortunate, particularly in cases like this.

1
0
Bronze badge
Pirate

re: as Acronyms go

Unfortunate, or accurate?

0
0
Thumb Up

About time too!

Why do tech equipment suppliers get away with supplying kit that's not fit for purpose?

- Why did noone hit by the Microsoft email viruses sue them for ignoring the security sections in the MIME RFCs and so opening the gates wide to them?

- Please please PLEASE can I get compensation from the suppliers of car and building alarms that go off every time there's a bit of wind&rain!

... etcetera.

Good to hear someone is taking action, albeit in a distant country and over a relatively obscure matter!

0
0
Go

This is exactly how this should unfold

This is exactly what should happen in this case. They end user had a good faith effort to have a secure environment through a vendor. The vendor stated they were compliant with PCI standards, which has been proven to be false.

The end user paid their victims back for their charges, and now seek to be made whole from their vendor. The POS company and vendor have no one to blame but themselves for this one.

Having done professional audits, I was always very careful, knowing that my written report was relied on. I didn't dare put anything in that could not be proven in a court of law or sign something off to make someone's life easier.

Turned out that sometimes such reports did get read, and the auditors report was enough to get the budget to fix the problems. Point being when a customer is paying someone to say they are 'ok', you are now taking responsibility that they are in fact 'ok'.

0
0
FAIL

Are they a UK based business / Gov Department...

"What we can say is that <insert Name> takes data security very seriously"

How many time have we heard that in the UK!

I hope they get sued so badly they go bust, just for their utter arrogance in saying the above sentance. Their terminals have proved non compliant yet they still spout this marketing drivel.

0
0
Grenade

Far too common.

I have lost count of the number of compainies I have been to where all the credit card data is stored including cv2 digits... there really needs to be a hotline for reporting the stupid companies who think this is good practice...

This includes various third party software systems also these people should know better!

0
0
Megaphone

Call the card companies...

The PCI compliance program is very stringent. If someone is not compliant they mat lose their ability to process that particular brand of card (MasterCard, Visa, etc.). I didn't bother looking for any kind of contact information but I'm sure there is a way you could report these issues to the card companies anonymously. I work in a retail company now but used to work in a hospital for many years. The staff here gets just as anxious about PCI audits as hospital staff used to be about HIPAA compliance. I mean even the software industry has the BSA. I'm sure the card companies would be interested in hearing these stories because the fraud obviously costs them and their business partners money.

0
0
Grenade

Merchants want to get paid for the risk to their customers now?

"criminal hackurs"? What a convoluted way to say "electronic theft". But aside from that, the credit card security system is laughable on its face. To "pay" you hand over all the credentials to the merchant, who combines the whole thing with a nice fat bill to send it off to some third party processor. Then it suddenly doesn't matter that one of the numbers was written on the backside of the card. You've just given them all away. All. Of. Them. Like giving your PIN to your CHIP+PIN card away, only now it's a fundamental requirement of the transaction. Any party to the transaction with a copy of the information is a viable target for a thief.

How many parties? Well, it starts with you. Then there's the merchant, his payment processor, the cc company, your bank, maybe their payment processors too. Everyone will (well, should, duh) have backups that may or may not be encrypted and could be accidentally lost on the way to or from the off-site backup storage, by courier, both of which in turn are another company. Who else has access? Hm, what about accountants and even the revenue service? I'm sure I forgot a few. And that is when everything goes just peachy fine. If the paper trail wasn't enough already, this would be reason enough for me to not have a credit card.

0
0
Bronze badge
WTF?

Missed point, or paranoid ramblings? ..unless you are much smarter than everyone I know (of)

I ask of you, how would you propose a card/chip based transaction that does not include every detail needed to verify it?

The trick to this, and where Aloha fell down, was that the credentials are stored very temporarily in volatile memory. The processing company stores the credentials somewhat more permanently (in a queue) but still with a TTL measured in minutes to fractional hours, and behind a much more robust security system, usually with encryption.

I'm not sure where you got the idea of backups of full creds from, at most the backups are of a summarized, redacted set to ID the transaction, but not enough to duplicate the transaction, or create another one. Other than you (on the card/chip) the PoS terminal, the processing co., and the bank, no-one else has full credentials. The accountants, revenue service, back-ups, et al., get something like "<amnount> charged to <CC company (Visa/MC/etc.)> number xxxx-xxxx-xxxx-<last four> by <merchant> on <date>" not a lot that can be done with that.

0
0
This topic is closed for new posts.

Forums