Wednesday, August 5, 2009

Using a Drive-Thru Display to Steal Credit Card Numbers

We've all pulled up to the massive drive-thru board at our favorite fast food restaurant and been squawked at from the loudspeaker, yelled our order in response, then pulled up to the window to pay for our heat-lamped, paper-wrapped, food-like substances. Little did we know that the whole system might be vulnerable to exploits that could result in customer credit card numbers being illegally harvested.

Network World has the details of how Rick Lawhorn was waiting in the drive-thru line when the display crashed, and a bunch of code popped up on the screen. Like all true geeks, he snapped a picture of the display with his cell phone for later examination.

When Lawhorn used the Google to search for some of the code snippets, he uncovered some disturbing details, such as how the system should be configured to meet certain requirements, such as PCI.

The problem with the set-up he found is that it likely cuts against some basic security requirements concerning network segmentation and wireless devices.

The code revealed configuration details of the LAN running from the drive-thru display to the building, and indicated that the cable ran directly to the restaurant's point-of-sale system, where customer credit cards are entered.
Oops!

It's unlikely that hackers would try to steal credit card numbers using the cable running from the drive-thru display to the LAN within the restaurant, since most drive-thru setups don't have customers swipe their cards at the ordering board. But since the cable does connect to the LAN, it's a convenient way for the crooks to get access to the network and launch all sorts of attacks against the computers on the network, including those that could contain personal information and credit card data.

The level of IT sophistication associated with a typical franchised fast food establishment is such that it's unlikely such an exploit would be discovered short-term, which means a criminal could sit in the parking lot and sniff traffic for an extended period of time. Depending on how the network is segmented and firewalled, it might even be possible to breach other systems not physically located within the restaurant itself.

In light of the many data breaches still occurring among retailers of all types, this type of exploit would be low-hanging fruit for many, especially those associated with organized crime networks. You won't hear much about this in the months to come, but you can bet that a large number of IT security departments are reviewing their architectures and performing assessments to see if similar design defects exists in their configurations.

If they're secure, please give them a hot apple pie.

Image by iirraa via flickr


No comments:

Post a Comment

Please tell me what you think.