
How Free Wi-Fi Can Shut Down A Restaurant

Written by Todd L. Michaud
August 12th, 2010

Franchisee Columnist Todd Michaud has spent the last 16 years trying to fight IT issues, with the last six years focused on franchisee IT issues. He is currently responsible for IT at Focus Brands (Cinnabon, Carvel, Schlotzsky’s and Moe’s Southwestern Grill).

Someone with a Secret Service badge has just informed you that she believes credit card numbers are being stolen from your restaurant by a European organized crime ring. That person says it is because you plugged your wireless access point into the wrong port. Angry people are standing across the counter; their bank accounts have been drained, and they are accusing you of stealing their rent money. Visa is saying that you have to pay $12,000 for a forensic audit of your POS. All because you wanted to offer free wireless.

In the wake of Sam’s Club this week adding its name to the major chains now supporting free customer Wi-Fi, offering wireless is no longer a cutting-edge experimental endeavor. Let’s back up about 18 months, when you made the decision to install a wireless hotspot for guests. At the time, you were feeling pressure to keep up with the other area restaurants that were stealing away your customers because they had wireless and you didn’t. After talking to your nephew Steve, who studied computers in school, you decided to implement wireless in your store and it was pretty easy. You went to Best Buy, picked up a wireless access point for less than $100, came back, plugged it into the DSL modem and followed the directions. You had it up and running in under an hour. Remember how you were so proud of yourself?

Then, after a few months, the service stopped working. Guests started to complain. When you went into the back to investigate, you found your office shelf a mess. Wires were everywhere, and you saw a bunch of unidentified electronics. You think one piece might be for the old cable modem. And at least one runs the music, while another is for the TV and a third goes with the video cameras. You reach behind what you believe is the DSL router and start rebooting things. It doesn’t fix the problem, so you start looking at cables to make sure they are plugged in all the way. Maybe one was loose. Where did that one go again?

After half an hour, you give up. Steve isn’t around, so you grab one of the kids who works the register and is always talking to his friends on Facebook on his phone (instead of working) and ask him to fix it. He messes around for a while and eventually connectivity is restored. Phew. Thankfully. But the kid doesn’t say what did the trick, and you don’t ask. You’re just happy to be back up and running again. Little did you know that this moment in time may cause you to lose your life savings and shut down your restaurant.

Why? Because what that helpful crew member didn’t say was that he got the wireless to work by:

  • Unplugging the firewall.
  • Changing the firewall rules.
  • Moving it to the POS network.
  • Or who knows what else.

Stuff like this happens every single day. Restaurant operators feel the pressure to offer wireless service because it has become an industry standard. But they often have little idea of how to either properly set it up or maintain it.


8 Comments

  1. Wayne Steiger Says:

    Todd,

    Since I have many years of experience in this area especially with pay at the table since my company was the first to make the breakthrough in successfully integrating the very first 802.11b payment terminal to an enterprise level POS system long before PCI, before anyone thought it could be done and to read that this is still taking place is amazing.

    So I am asking myself several questions based on your article.

    Why is the POS plugged into a wireless router to begin with? I cannot think of any reason even for a small operation to do so, even for IP connectivity and does this not bring up a whole lot of issues for the MSP, would they not have exposure since I am assuming that the merchant is using the POS to conduct payment transactions for processing CC and DC. But again why even have the POS plugged into a wireless router in the first place it makes no sense and there is really no reason for doing so, why not a direct connection and to think that the merchant does not have some minimal firewall protecting the POS is again amazing. I think the real question this brings up who dropped the ball because there is exposure here and if there is a breach then the blame game will kick in count on it.

    Back in 05 we discovered a number of flaws to the available Wi-Fi technology the biggest was .11b was weak and that only a WPA2 EAP/AES commercial rated router (which were just coming out and the Wi-Fi Alliance Association had a number of security recommendations as well) would be at that point in time able to ward off intrusions from sniffers.

    Another flaw we found that those chains that used a frame relay system that by installing a WAP into the system opened an exposed port that could be exploited. But in all of these cases they were enterprise level POS systems not single store stand alone operations.

    I find your article disturbing in as much the technology has advanced tremendously in the last 5 years and to think that this kind of recklessness is still taking place is remarkable and not to mention that PCI has now become more mainstream and regardless of the classification of the merchant the supply chain should all be well versed in the requirements.

    Guess we still have a ways to go.

    Wayne Steiger

  2. Bryan Larkin Says:

    Technology moves at a much more rapid pace than our culture can adapt. And much faster than any individual.

    We’ll still be seeing things like this 10 years from now, unfortunately. Shoot, supply chain best practices call for automation of orders, invoices and ship notices between buyers and sellers, yet many are not automated today – even though the technology has 30 years of maturation behind it. Companies not automating are losing money to manual efforts, keystroke errors, and non-compliance.

    If people fully appreciated the complexity and the risks lots fewer stores would be offering free WiFi. It is more costly up front than it looks to do it right – and is potentially devastatingly costly when done wrong.

    I guess we should chalk this up as survival of the fittest in the franchise space.

    Bryan Larkin

  3. Richard Nedwich Says:

    Would it make more sense to have the Franchise offer Wireless as a managed service? In other words, if the Franchise owner wants to offer free WiFi to compete with the shop across the street, then order the ‘kit’ with a set hardware and configuration and broadband service from the Franchise (or a recommended 3rd party provider)?

  4. Bryan Larkin Says:

    Richard,

    I think that is a great way to handle it – especially if the franchise is concerned that it may get caught up in the risk of its franchisee.

  5. david Says:

    More information about the biological effects of non-ionizing radiation from wireless technology is coming out every day. Enough is not being done by cities, counties, states and the Federal Government to protect us from the potentially devastating health and environmental effects. Through the 1996 telecommunications act the telecoms are shielded from liability and oversight. Initially cell phones were released with no pre-market safety testing despite the fact the Government and the Military have known for over 50 years that radio frequency is harmful to all biological systems (inthesenewtimes dot com/2009/05/02/6458/.). Health studies were suppressed and the 4 trillion dollar a year industry was given what amounts to a license to kill.
    On its face, the 1996 telecommunications act is unconstitutional and a cover-up. Within the fine print city governments are not allowed to consider “environmental” effects from cell towers. They should anyway! It is the moral and legal obligation of our government to protect our health and welfare? Or is it? When did this become an obsolete concept? A cell tower is a microwave weapon capable of causing cancer, genetic damage & other biological problems. Bees, bats, humans, plants and trees are all affected by RF & EMF. Communities fight to keep cell towers away from schools yet they allow the school boards to install wi fi in all of our schools thereby irradiating our kids for 6-7 hours each day. Kids go home and the genetic assault continues with DECT portable phones, cell phones, wi fi and Wii’s. A tsunami of cancers and early Alzheimer’s await our kids. Young people under the age of 20 are 420% more at risk of forming brain tumors (Swedish study, Dr. Lennart Hardell) because of their soft skulls, brain size and cell turn over time. Instead of teaching “safer” cell phone use and the dangers of wireless technology our schools mindlessly rush to wireless bending to industry pressure rather than informed decision making. We teach about alcohol, tobacco, drugs and safe sex but not about “safer” cell phone use. We are in a wireless trance, scientists are panicking while young brains, ovaries and sperm burns.

  6. Todd Michaud Says:

    I think that in cases where the Franchisor deploys a solution (or offers a solution) to the chain is a great way to cover the bases, but a lot of the mid-to-small chains haven’t gone down that path. Many franchisors intentionally do not want to be an IT service provider to their franchisees, so their best option would be to negotiate a contract/package with a 3rd party provider. But if the brand does not take the lead, it leaves the franchisee to do their own thing and things like this happen.

    This is further complicated by the fact that many of the companies offering these services were startups that closed their doors after being open only a few months. Even though the company went out of business, the technology is still in place at the restaurant (I have many examples of this).

    Wayne, as far as how it happens, this POS->WAP->DSL scenario is often done (at least I think) because it mirrors the configuration that people have in their home. (PC->WAP->DSL)

    Many franchisees wrongly believe that being PCI compliant means having PA-DSS POS software. They believe that if their POS is compliant, they are compliant.

    Since the PCI Council does not require the Level 4 Merchants to submit a self assessment questionnaire or receive quarterly scans, they may not even know they have a problem.

    Note: Some Acquirers require this of their Level 4 merchants, but not all do.

  7. Wayne Steiger Says:

    This is a weak link in the chain. I bet that the council, in the next set of updates, will begin to take a close look at this issue but implementing it will be another matter altogether. One thing is for sure: If the hackers know there is a weakness, they will begin to exploit it. Many already have.

  8. Eric Warnke Says:

    We walk into businesses every single day that have even the ISP leaving their modem/router/AP combo device completely open. It’s amazing the number of times we have been able to demonstrate complete control of their network from something as simple as my Nokia cell phone. We maintain PCI compliance for our clients by having our hardware logically segregate all internet traffic using stateful firewall rules as set out by PCI requirements, ie. a complete LAN block for public users. For our larger franchisees we physically segregate our AP from the internal network. I’m not familiar with ISPs in the US but here in Canada most of them provide two IP addresses by default to commercial lines. We simply throw a tiny 5-port switch between their existing router and the modem and we add our AP on to the switch. This gives one IP to their network and one to ours and there is no chance of crossover, as if a separate line was in place. I think that this is the best practice, however, for a small “mom-and-pop shop” operation it isn’t always practical, nor necessary. Hopefully in the next couple of years most of the major franchises will be educated enough to deal with this type of issue right out the gates.
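
The "complete LAN block for public users" described in comment 8, checked against the three failure modes in the article's list (firewall unplugged, rules changed, access point moved to the POS network). This is an added example, not code from the article or from any commenter. The subnets, the rule-tuple format and the function names are constructed assumptions, and the first-match rule model is a simplification rather than any vendor's syntax.

```python
import ipaddress as ip

# Constructed sample addressing (assumptions, not from the article).
GUEST = "192.168.50.0/24"
PROTECTED = {"pos": "10.10.1.0/24", "back_office": "10.10.2.0/24"}

# Ordered (action, src, dst) rules, first match wins: a simplified model.
SEGREGATED = [
    ("deny", GUEST, "10.0.0.0/8"),   # LAN block for public users
    ("allow", GUEST, "0.0.0.0/0"),   # guests may reach the Internet only
]
# The same rules after someone "fixed" Wi-Fi by putting allow-any on top.
LOOSENED = [("allow", "0.0.0.0/0", "0.0.0.0/0")] + SEGREGATED

def exposed_networks(rules, guest=GUEST, protected=PROTECTED, default="allow"):
    """Names of protected networks that some guest address could reach.

    Conservative: an allow rule overlapping the guest-to-target flow before
    a deny that covers the whole flow counts as exposure. `default` applies
    when no rule decides ("allow" models an unplugged firewall).
    """
    guest_net = ip.ip_network(guest)
    exposed = []
    for name, cidr in protected.items():
        target = ip.ip_network(cidr)
        verdict = default
        for action, src, dst in rules:
            src_net, dst_net = ip.ip_network(src), ip.ip_network(dst)
            if not (src_net.overlaps(guest_net) and dst_net.overlaps(target)):
                continue                      # rule does not touch this flow
            if action == "allow":
                verdict = "allow"             # some guest traffic gets through
                break
            if guest_net.subnet_of(src_net) and target.subnet_of(dst_net):
                verdict = "deny"              # whole flow blocked
                break
            # partial deny: keep scanning later rules
        if verdict == "allow":
            exposed.append(name)
    return exposed

def ap_on_protected_segment(ap_address, protected=PROTECTED):
    """Protected networks the access point itself sits in (wrong port)."""
    addr = ip.ip_address(ap_address)
    return [n for n, cidr in protected.items() if addr in ip.ip_network(cidr)]

if __name__ == "__main__":
    for label, rules in (("segregated", SEGREGATED), ("loosened", LOOSENED), ("unplugged", [])):
        print(label, exposed_networks(rules))
```

An access point that has an address inside a protected subnet is a finding regardless of the rule set, because traffic on the same segment never crosses the firewall.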
