How Free Wi-Fi Can Shut Down A Restaurant
Written by Todd L. Michaud
Franchisee Columnist Todd Michaud has spent the last 16 years trying to fight IT issues, with the last six years focused on franchisee IT issues. He is currently responsible for IT at Focus Brands (Cinnabon, Carvel, Schlotzsky’s and Moe’s Southwestern Grill).
Someone with a Secret Service badge has just informed you that she believes credit card numbers are being stolen from your restaurant by a European organized crime ring. That person says it is because you plugged your wireless access point into the wrong port. Angry people are standing across the counter; their bank accounts have been drained, and they are accusing you of stealing their rent money. Visa is saying that you have to pay $12,000 for a forensic audit of your POS. All because you wanted to offer free wireless.
In the wake of Sam’s Club this week adding its name to major chains now supporting free customer Wi-Fi, this is no longer a cutting-edge, experimental endeavor. Let’s back up about 18 months, when you made the decision to install a wireless hotspot for guests. At the time, you were feeling pressure to keep up with the other area restaurants that were stealing away your customers because they had wireless and you didn’t. After talking to your nephew Steve, who studied computers in school, you decided to implement wireless in your store, and it was pretty easy. You went to Best Buy, picked up a wireless access point for less than $100, came back, plugged it into the DSL modem and followed the directions. You had it up and running in under an hour. Remember how you were so proud of yourself?
Then, after a few months, the service stopped working. Guests started to complain. When you went into the back to investigate, you found your office shelf a mess. Wires were everywhere, and you saw a bunch of unidentified electronics. You think one piece might be for the old cable modem. And at least one runs the music, while another is for the TV and a third goes with the video cameras. You reach behind what you believe is the DSL router and start rebooting things. It doesn’t fix the problem, so you start looking at cables to make sure they are plugged in all the way. Maybe one was loose. Where did that one go again?
After half an hour, you give up. Steve isn’t around, so you grab one of the kids who works the register and is always talking to his friends on Facebook on his phone (instead of working) and ask him to fix it. He messes around for a while and eventually connectivity is restored. Phew. Thankfully. But the kid doesn’t say what did the trick, and you don’t ask. You’re just happy to be back up and running again. Little did you know that this moment in time may cause you to lose your life savings and shut down your restaurant.
Why? Because what that helpful crew member didn’t say was that he got the wireless to work by:
- Unplugging the firewall.
- Changing the firewall rules.
- Moving the access point onto the POS network.
- Or who knows what else.
Stuff like this happens every single day. Restaurant operators feel the pressure to offer wireless service because it has become an industry standard. But they often have little idea of how to either properly set it up or maintain it.
August 12th, 2010 at 9:57 am
Todd,
Since I have many years of experience in this area, especially with pay at the table (my company was the first to make the breakthrough in successfully integrating the very first 802.11b payment terminal to an enterprise-level POS system, long before PCI, before anyone thought it could be done), to read that this is still taking place is amazing.
So I am asking myself several questions based on your article.
Why is the POS plugged into a wireless router to begin with? I cannot think of any reason, even for a small operation, to do so, even for IP connectivity. Does this not bring up a whole lot of issues for the MSP? Would they not have exposure, since I am assuming that the merchant is using the POS to conduct payment transactions for processing CC and DC? But again, why even have the POS plugged into a wireless router in the first place? It makes no sense and there is really no reason for doing so; why not a direct connection? And to think that the merchant does not have some minimal firewall protecting the POS is again amazing. I think the real question this brings up is who dropped the ball, because there is exposure here, and if there is a breach then the blame game will kick in; count on it.
Back in ’05 we discovered a number of flaws in the available Wi-Fi technology. The biggest was that .11b was weak, and that only a WPA2 EAP/AES commercial-rated router (which were just coming out, and the Wi-Fi Alliance Association had a number of security recommendations as well) would, at that point in time, be able to ward off intrusions from sniffers.
Another flaw we found was that for those chains that used a frame relay system, installing a WAP into the system opened an exposed port that could be exploited. But in all of these cases they were enterprise-level POS systems, not single-store stand-alone operations.
I find your article disturbing, inasmuch as the technology has advanced tremendously in the last 5 years, and to think that this kind of recklessness is still taking place is remarkable, not to mention that PCI has now become more mainstream and, regardless of the classification of the merchant, the supply chain should all be well versed in the requirements.
Guess we still have a ways to go.
Wayne Steiger
August 12th, 2010 at 11:29 am
Technology moves at a much more rapid pace than our culture can adapt. And much faster than any individual.
We’ll still be seeing things like this 10 years from now, unfortunately. Shoot, supply chain best practices call for automation of orders, invoices and ship notices between buyers and sellers, yet many are not automated today – even though the technology has 30 years of maturation behind it. Companies not automating are losing money to manual efforts, keystroke errors, and non-compliance.
If people fully appreciated the complexity and the risks, lots fewer stores would be offering free WiFi. It is more costly up front than it looks to do it right – and is potentially devastatingly costly when done wrong.
I guess we should chalk this up as survival of the fittest in the franchise space.
Bryan Larkin
August 12th, 2010 at 11:33 am
Would it make more sense to have the Franchise offer Wireless as a managed service? In other words, if the Franchise owner wants to offer free WiFi to compete with the shop across the street, then order the ‘kit’ with a set hardware and configuration and broadband service from the Franchise (or a recommended 3rd party provider)?
August 12th, 2010 at 1:15 pm
Richard,
I think that is a great way to handle it – especially if the franchise is concerned that it may get caught up in the risk of its franchisee.
August 12th, 2010 at 3:36 pm
More information about the biological effects of non-ionizing radiation from wireless technology is coming out every day. Enough is not being done by cities, counties, states and the Federal Government to protect us from the potentially devastating health and environmental effects. Through the 1996 telecommunications act the telecoms are shielded from liability and oversight. Initially cell phones were released with no pre-market safety testing despite the fact the Government and the Military have known for over 50 years that radio frequency is harmful to all biological systems (inthesenewtimes dot com/2009/05/02/6458/.). Health studies were suppressed and the 4 trillion dollar a year industry was given what amounts to a license to kill.
On its face, the 1996 telecommunications act is unconstitutional and a cover-up. Within the fine print city governments are not allowed to consider “environmental” effects from cell towers. They should anyway! It is the moral and legal obligation of our government to protect our health and welfare? Or is it? When did this become an obsolete concept? A cell tower is a microwave weapon capable of causing cancer, genetic damage & other biological problems. Bees, bats, humans, plants and trees are all affected by RF & EMF. Communities fight to keep cell towers away from schools yet they allow the school boards to install Wi-Fi in all of our schools, thereby irradiating our kids for 6-7 hours each day. Kids go home and the genetic assault continues with DECT portable phones, cell phones, Wi-Fi and Wii’s. A tsunami of cancers and early Alzheimer’s await our kids. Young people under the age of 20 are 420% more at risk of forming brain tumors (Swedish study, Dr. Lennart Hardell) because of their soft skulls, brain size and cell turnover time. Instead of teaching “safer” cell phone use and the dangers of wireless technology, our schools mindlessly rush to wireless, bending to industry pressure rather than informed decision making. We teach about alcohol, tobacco, drugs and safe sex but not about “safer” cell phone use. We are in a wireless trance; scientists are panicking while young brains, ovaries and sperm burn.
August 12th, 2010 at 3:48 pm
I think that cases where the Franchisor deploys a solution (or offers a solution) to the chain are a great way to cover the bases, but a lot of the mid-to-small chains haven’t gone down that path. Many franchisors intentionally do not want to be an IT service provider to their franchisees, so their best option would be to negotiate a contract/package with a 3rd party provider. But if the brand does not take the lead, it leaves the franchisee to do their own thing and things like this happen.
This is further complicated by the fact that many of the companies offering these services were startups that closed their doors after being open only a few months. Even though the company went out of business, the technology is still in place at the restaurant (I have many examples of this).
Wayne, as far as how it happens, this POS->WAP->DSL scenario is often done (at least I think) because it mirrors the configuration that people have in their home. (PC->WAP->DSL)
Many franchisees wrongly believe that being PCI compliant means having PA-DSS POS software. They believe that if their POS is compliant, they are compliant.
Since the PCI Council does not require the Level 4 Merchants to submit a self assessment questionnaire or receive quarterly scans, they may not even know they have a problem.
Note: Some Acquirers require this of their Level 4 merchants, but not all do.
August 13th, 2010 at 8:49 am
This is a weak link in the chain. I bet that the council, in the next set of updates, will begin to take a close look at this issue but implementing it will be another matter altogether. One thing is for sure: If the hackers know there is a weakness, they will begin to exploit it. Many already have.
August 28th, 2010 at 10:49 pm
We walk into businesses every single day that have even the ISP leaving their modem/router/AP combo device completely open. It’s amazing the number of times we have been able to demonstrate complete control of their network from something as simple as my Nokia cell phone. We maintain PCI compliance for our clients by having our hardware logically segregate all internet traffic using stateful firewall rules as set out by PCI requirements, i.e., a complete LAN block for public users. For our larger franchisees we physically segregate our AP from the internal network. I’m not familiar with ISPs in the US, but here in Canada most of them provide two IP addresses by default to commercial lines. We simply throw a tiny 5-port switch between their existing router and the modem and we add our AP on to the switch. This gives one IP to their network and one to ours and there is no chance of crossover, as if a separate line was in place. I think that this is the best practice; however, for a small “mom-and-pop shop” operation it isn’t always practical, nor necessary. Hopefully in the next couple of years most of the major franchises will be educated enough to deal with this type of issue right out of the gates.
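The misconfigurations the article lists (firewall unplugged, rules changed, access point moved onto the POS network) and the segregation the last comment describes (a stateful, complete LAN block for guest users) can be checked mechanically. The following is an added example, not code from the article, its author or any commenter: a small Python model of a first-match firewall ruleset that puts the home-style flat LAN beside a segmented policy and asks whether a guest client can reach a POS terminal. Every subnet, host and port in it is a constructed placeholder.

```python
"""Guest Wi-Fi vs. POS segmentation check (added example, not the article's
or a commenter's code). Models a stateful firewall as an ordered, first-match
rule list; all addresses and ports are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

POS_LAN = ip_network("192.168.10.0/24")    # POS terminals
GUEST_LAN = ip_network("192.168.20.0/24")  # clients of the guest WAP
PRIVATE = ip_network("192.168.0.0/16")     # every internal segment
GATEWAY = ip_network("203.0.113.10/32")    # placeholder payment processor
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
           default: str = "deny") -> str:
    """First matching rule wins, as in a typical firewall chain."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return default

# Weak policy: the WAP sits on the POS switch with no rules at all, and the
# home-router default is allow.
FLAT_LAN: List[Rule] = []
# Corrected policy: a complete LAN block for guests, placed before the
# internet allows (order matters), plus the one POS flow that is needed.
SEGMENTED = [
    Rule("deny", GUEST_LAN, PRIVATE),
    Rule("allow", GUEST_LAN, ANY, 80),
    Rule("allow", GUEST_LAN, ANY, 443),
    Rule("allow", POS_LAN, GATEWAY, 443),
]

def guest_can_reach_pos(rules: List[Rule], default: str = "deny") -> bool:
    """Can a guest client reach a POS terminal? (5555 is a placeholder port.)"""
    return decide(rules, "192.168.20.50", "192.168.10.5", 5555, default) == "allow"

def pos_can_reach_gateway(rules: List[Rule]) -> bool:
    """Does the POS LAN keep its outbound path to the processor?"""
    return decide(rules, "192.168.10.5", "203.0.113.10", 443) == "allow"
```

Swapping the order of the deny and allow rules in SEGMENTED is the kind of "changing the firewall rules" mistake from the article: the check then reports guest-to-POS as allowed.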