"Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday ... The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs."
Which begs the obvious question: why would anyone put their Point Of Sale systems on the Internet, with remote desktop software to boot? The answer presumably involves the millions of retail outlets that don't have an in-house IT function but rely on external 'point of sale IT specialists' to install, manage and maintain their card readers and often the electronic tills, accounting and stock management systems.
I wonder if the mom-n-pop retailers are sufficiently aware of information security to even be concerned about the implications of outsourcing their IT in this way? Do they get the Point Of Security?
I wonder if the Subway group offers IT support to its franchisees, or recommends/uses local POS IT people?
The POS IT specialists, meanwhile, presumably have the expertise either to do their jobs well and protect their customers (and their customers) or to pull the wool over their customers' eyes. I wonder how many manage to slip right under the PCI-DSS radar?
