By Peter Silva
September 14, 2011 08:15 AM EDT
Reads: 792
Just when you were having all that fun running around the waterpark and playing those arcade games comes news that the card processing system of Vacationland Vendors Inc., a Wisconsin Dells firm that supplies arcade games and installs vending machines, was breached. From the notice on their website, they say, ‘Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts.’ Up to 40,000 debit or credit cards that were used in the arcades any time between December 2008 and May 2011 at the Wilderness Waterpark Resort near Wisconsin Dells and a companion resort in Tennessee are potentially compromised. The hackers, according to Vacationland Vendors, improperly acquired credit and debit card information, and around 20 accounts have shown irregular activity. Reservation and restaurant transactions were not involved in the breach, only the point-of-sale devices. Malware was the apparent culprit.

Point-of-sale devices and the networks they are connected to are often the target of malicious hackers. These ‘kiosks’ are typically unattended and might be in locations where observation is limited. A couple years ago, Target’s breach was the result of hackers gaining access via the customer service kiosks, and the huge hit at Heartland Payment Systems, resulting in tens of millions of exposed credit and debit cards, was from a breach of the company’s point-of-sale network. After successful installation of malicious software, thieves are able to sniff and intercept payment card data as the information is transmitted within the internal network or to the bank for authorization. It might not even be encrypted as it travels. If it was, then the crooks wouldn’t have the info. Many people may think these kiosk point-of-sale devices are safe since they take credit card data and merchants need to be PCI compliant. While the overall deadline for PCI 1.2 compliance was a couple years ago (and PCI 2.0 at the end of this year), the deadline for unattended point-of-sale devices was July 2010, a little over a year ago. That’s why you’ve seen a whole slew of new gas station pumps at your favorite fueling stations, and just like regular compliance, it’s going to take time to update all the point-of-sale devices. Now, I’m not insinuating that the arcade devices were not PCI compliant, since nothing has been reported about that, but what I am saying is be careful with those, since you may not know whether a given device is compliant or not. If it looks a few years old, then most likely it is not.
With this and other similar point-of-sale breaches, many security experts (and even the Heartland CEO) believe end-to-end encryption is necessary, even if transmitting on the internal network, from the time the card is swiped all the way until the data reaches the processor or bank. Many credit card swipe terminal vendors are building encryption into the hardware itself, and F5 can help keep that information encrypted while it’s travelling the great unknown. Our BIG-IP APM and BIG-IP Edge Gateway (voted Best Secure Remote Access Product by TechTarget Readers) can easily encrypt any traffic, internal or external. Heck, even a couple of BIG-IP LTMs running our latest v11 code can initiate a secure tunnel between them, creating an instant, secure WAN connection.
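The two paragraphs above describe the problem (malware reading card data as it crosses the internal network in the clear) and the remedy (encrypt at the swipe, decrypt only at the processor). The Go program below is an added illustration of both points; it is not code from this post, from F5, or from any terminal vendor. It pairs a cleartext-PAN scanner of the kind a network monitor or DLP sensor would run over captured payloads (regex plus the Luhn checksum) with AES-256-GCM sealing of the swipe record at the terminal, so the same scanner finds nothing on the wire and any tampering in transit is rejected by the GCM tag. The record layout, the terminal identifier, the shared key and the well-known Visa test number 4111111111111111 are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// LuhnValid reports whether a digit string passes the Luhn checksum, the
// check a DLP scanner uses to tell a real card number from a random run of digits.
func LuhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Card numbers are 13 to 19 digits; word boundaries keep us off longer numeric fields.
var panPattern = regexp.MustCompile(`\b\d{13,19}\b`)

// FindCleartextPANs returns every Luhn-valid card number visible in a captured payload.
// This is the detection a network monitor would run on internal POS traffic.
func FindCleartextPANs(payload []byte) []string {
	var found []string
	for _, m := range panPattern.FindAllString(string(payload), -1) {
		if LuhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

// EncryptAtSwipe seals the swipe record with AES-256-GCM under the terminal key
// (assumed to be provisioned into the terminal and held by the processor).
// A fresh random nonce is prepended to the ciphertext; a nonce must never be
// reused under the same key.
func EncryptAtSwipe(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// DecryptAtProcessor is the receiving end. GCM's authentication tag makes
// Open fail on any modification of the ciphertext in transit.
func DecryptAtProcessor(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// SampleRecord is a constructed swipe record; the PAN is the standard test number, not a real account.
const SampleRecord = "PAN=4111111111111111;EXP=1213;AMT=2.50;TERM=ARCADE-07"

func main() {
	key := make([]byte, 32) // constructed per-run key; real terminals use an injected key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("cleartext on the wire, scanner finds:", FindCleartextPANs([]byte(SampleRecord)))
	sealed, err := EncryptAtSwipe(key, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted on the wire, scanner finds:", FindCleartextPANs(sealed),
		"first bytes:", hex.EncodeToString(sealed[:8]))
	plain, err := DecryptAtProcessor(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("processor recovers:", string(plain))
}
```

Run it with `go run` and the scanner reports the PAN on the cleartext record and nothing on the sealed one. Note the scanner is deliberately the same code in both cases: the point of encrypting at the swipe is that whatever sits between the terminal and the processor, a monitor or malware alike, sees only ciphertext.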
With the advent of credit card swiping capabilities on mobile phones now in full force, I’m not sure if this is going to get better or worse. The terminal might be fine but if you install a hacked mobile payment app, then you can skim credit card info like the pros. Remember, humans will often trade privacy for convenience.
ps
Related blogs & articles:
- Vending machine company announces major data breach
- Vending Company Reports Significant Data Breach
- Security breach affects card users tied to Wilderness arcade
- Vacationland Vendors Notice
- Encryption Anywhere and Everywhere
- Will you Comply or just Check the Box?
- PCI Turns 2.0
- CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
- Identity Theft Resource Center
Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet, cybercrime, holiday shopping, identity theft
Copyright © 2011 Ulitzer, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Peter Silva
Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.
Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.
Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product direction and evangelism for F5’s security line. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.
Ulitzer content is offered under Creative Commons "Attribution Non-Commercial No Derivatives" License.
For any reuse or distribution, you must make clear to others the license terms of this work.
The best way to do this is with a link to this web page.
Any of the above conditions can be waived if you get written permission from Ulitzer, Inc., the copyright holder.
Nothing in this license impairs or restricts the author's moral rights.