Foodies sue providers of hacked payment system A group of restaurants is demanding millions of dollars in damages from two companies accused of selling point-of-sale terminals that exposed customer data to criminal hackers. In a complaint filed in Louisiana state court, the restaurants claim the Aloha POS software manufactured by Georgia-based Radiant Systems failed to …
Why do tech equipment suppliers get away with supplying kit that's not fit for purpose?
- Why did noone hit by the Microsoft email viruses sue them for ignoring the security sections in the MIME RFCs and so opening the gates wide to them?
- Please please PLEASE can I get compensation from the suppliers of car and building alarms that go off every time there's a bit of wind&rain!
... etcetera.
Good to hear someone is taking action, albeit in a distant country and over a relatively obscure matter!
This is exactly what should happen in this case. They end user had a good faith effort to have a secure environment through a vendor. The vendor stated they were compliant with PCI standards, which has been proven to be false.
The end user paid their victims back for their charges, and now seek to be made whole from their vendor. The POS company and vendor have no one to blame but themselves for this one.
Having done professional audits, I was always very careful, knowing that my written report was relied on. I didn't dare put anything in that could not be proven in a court of law or sign something off to make someone's life easier.
Turned out that sometimes such reports did get read, and the auditors report was enough to get the budget to fix the problems. Point being when a customer is paying someone to say they are 'ok', you are now taking responsibility that they are in fact 'ok'.
"What we can say is that <insert Name> takes data security very seriously"
How many time have we heard that in the UK!
I hope they get sued so badly they go bust, just for their utter arrogance in saying the above sentance. Their terminals have proved non compliant yet they still spout this marketing drivel.
I have lost count of the number of compainies I have been to where all the credit card data is stored including cv2 digits... there really needs to be a hotline for reporting the stupid companies who think this is good practice...
This includes various third party software systems also these people should know better!
The PCI compliance program is very stringent. If someone is not compliant they mat lose their ability to process that particular brand of card (MasterCard, Visa, etc.). I didn't bother looking for any kind of contact information but I'm sure there is a way you could report these issues to the card companies anonymously. I work in a retail company now but used to work in a hospital for many years. The staff here gets just as anxious about PCI audits as hospital staff used to be about HIPAA compliance. I mean even the software industry has the BSA. I'm sure the card companies would be interested in hearing these stories because the fraud obviously costs them and their business partners money.
"criminal hackurs"? What a convoluted way to say "electronic theft". But aside from that, the credit card security system is laughable on its face. To "pay" you hand over all the credentials to the merchant, who combines the whole thing with a nice fat bill to send it off to some third party processor. Then it suddenly doesn't matter that one of the numbers was written on the backside of the card. You've just given them all away. All. Of. Them. Like giving your PIN to your CHIP+PIN card away, only now it's a fundamental requirement of the transaction. Any party to the transaction with a copy of the information is a viable target for a thief.
How many parties? Well, it starts with you. Then there's the merchant, his payment processor, the cc company, your bank, maybe their payment processors too. Everyone will (well, should, duh) have backups that may or may not be encrypted and could be accidentally lost on the way to or from the off-site backup storage, by courier, both of which in turn are another company. Who else has access? Hm, what about accountants and even the revenue service? I'm sure I forgot a few. And that is when everything goes just peachy fine. If the paper trail wasn't enough already, this would be reason enough for me to not have a credit card.
I ask of you, how would you propose a card/chip based transaction that does not include every detail needed to verify it?
The trick to this, and where Aloha fell down, was that the credentials are stored very temporarily in volatile memory. The processing company stores the credentials somewhat more permanently (in a queue) but still with a TTL measured in minutes to fractional hours, and behind a much more robust security system, usually with encryption.
I'm not sure where you got the idea of backups of full creds from, at most the backups are of a summarized, redacted set to ID the transaction, but not enough to duplicate the transaction, or create another one. Other than you (on the card/chip) the PoS terminal, the processing co., and the bank, no-one else has full credentials. The accountants, revenue service, back-ups, et al., get something like "<amnount> charged to <CC company (Visa/MC/etc.)> number xxxx-xxxx-xxxx-<last four> by <merchant> on <date>" not a lot that can be done with that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
