As companies like Target and Home Depot begin to clean up their credit card protection acts, the cyber thieves are moving on to a different class of victim.
This week, Service Systems Associates acknowledged that it had been hacked and, as a result, some of its clients' systems were compromised.
Here is how this works:
Let’s say a small business, in this case a zoo gift shop, wants a snazzy point of sale (POS) system to keep track of inventory, collect sales data and such. They consider the cost of supporting such a system, which is not insignificant, and decide this is a great thing to outsource.
They go to a company like Service Systems Associates (SSA). Among other services, like running your zoo cafeteria, SSA will manage that POS system for you – adding new items, updating the software and such – and for this they charge a monthly fee. Of course, SSA doesn’t want to send someone out to your zoo to do this work, so they access the system remotely.
The problem is that no one at the zoo is a security expert – except maybe when it comes to keeping the tigers in their enclosures – so nobody asked, “How, exactly, do you secure this remote connection?” Likely, the vendor uses one of the many commercial or open source remote control software packages and protects it with nothing more than a userid and password. Many vendors use the same userid and password for all of their customers – that makes life easy for them – and those connections are open 24/7.
While SSA is not handing out many details beyond the period during which its customers’ customers were exposed (March 23 to June 25), what likely happened is that one of its people got hacked, perhaps by a phishing attack, and that person had stored the password to SSA’s customer systems insecurely. Alternatively, once that person was phished, the attacker installed a keystroke logger and captured the userid and password that way.
What does appear to be true is that SSA did not follow what would be a reasonable practice – and one that customers should insist on – which is to use two-factor authentication. That way, if the password were compromised, the attacker still could not log in to SSA’s customers’ systems.
While two-factor authentication is not bulletproof, it is certainly significantly more bullet resistant than a userid and password alone.
From a hacker’s standpoint, going after vendors like SSA is far more lucrative than going after any one zoo, and probably about as difficult.
That is just one more reason why you need to include cyber due diligence in your vendor selection process.
Krebs lists the zoos that were likely affected in his article; they are all over the country, from San Francisco to Baltimore.
Information for this post came from Krebs On Security.