Educause Security Discussion mailing list archives
Re: POint of Sale Device
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Fri, 11 May 2007 10:03:41 -0600
Speaking from not-so-hypothetical experience, a text reader like NOTEPAD works just fine to read the log files that may record clear-text transactions. Spider - do a search. Maybe some old DOS-level GREP-like tools? Anybody but me still keep these around? The rumors you mention I can't quite speak to, but from second-hand knowledge of real events - several similar situations I'm familiar with - each was a clear-text log file that preserved transaction elements, and each was on a system that wasn't "supposed" to store CC#s locally. No great mystery. Now there may be more complicated mechanisms, and some that are encrypted files and/or other things, but many take no special skill or insight: just look into the application file path and read the logs.

Now you know how the stupid auditors like me actually find things - because the problem is typically so fundamental and the developer/administrator effort made to assess the risk so pitifully weak. No rocket science, that's for sure. (And really, we aren't ALL that stupid...!)

Don't trust the vendor representation. In a couple of cases I'm close to, the vendors indicated the systems were clean. Sure, no data was stored locally, but even the vendors didn't mention the log files. In one case I'm aware of, management thought their edict against storing CC#s would be sufficient. Their internal folks didn't read their own internally created/custom log files either.

These observations are over time, and my experiences include 3 industries, not just Higher Ed; the root cause is as simple and basic as ABCs. Programmers, developers, and those charged with implementing systems are typically encouraged to get things working, not to be concerned with the security of things, so they never bother to verify/validate/assess. Most get dinged for taking a day longer than the minimum required, so a little extra diligence is negatively rewarded. A change in culture will eliminate a high percentage of these types of problems.
Chances are high you will find similar things if you look at multiple POS systems in your domain. Have fun: heads turn, eyes roll, and many folks get really sheepish looks on their faces when, five minutes into an assessment, you print out some CC#s and ask them how they may have missed these... The point is not to sufficiently embarrass the supposedly responsible, although that's effective; it's to elevate the acknowledgement of the rudimentary value of basic security analysis in all things IT. Some day this attitude may finally hit the thought processes of the mid to C-level managers of most businesses, but alas, it is not today.

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

________________________________
From: Gibson, Nathan J. (HSC) [mailto:Nathan-Gibson () OUHSC EDU]
Sent: Thursday, May 10, 2007 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] POint of Sale Device

Does anyone know of a tool/product that can be used to check a credit card point of sale device to make sure it does not store credit card information? To give you a picture of what I am talking about: let's say you walked into a gas station and purchased a soda with your CC. The attendant swipes your card in a little black box that sits on the edge of the counter. It does not tie into an application; it is just a device with a modem that sends the information to a bank for processing. I want to be able to check the device to make sure it is not storing information locally. Rumor has it a University somewhere in Colorado did this once, and I wondered if anyone knows of any tools/solutions out there that could help. Any information about a solution/outside vendor would be greatly appreciated.

V/R,
Nathan J Gibson, CISSP
Current thread:
- POint of Sale Device Gibson, Nathan J. (HSC) (May 10)
- <Possible follow-ups>
- Re: POint of Sale Device Bill Ogle (May 10)
- Re: POint of Sale Device Valdis Kletnieks (May 11)
- Re: POint of Sale Device Jim Dillon (May 11)
- Re: POint of Sale Device Gibson, Nathan J. (HSC) (May 11)
- Re: POint of Sale Device Duksta, John C. (May 17)
- Re: POint of Sale Device Hull, Dave (May 18)
- Re: POint of Sale Device Clyde Valdez (May 18)