
This is page 2 of:

How Free Wi-Fi Can Shut Down A Restaurant

August 12th, 2010

Such a seemingly little thing can have such a disastrous impact. This fictitious scenario assumes the wireless access was set up correctly in the first place, which I would venture to guess is not accurate in many cases. Even if someone who knew what he was doing set it up, it is unlikely to be in the same state a few months later. Stuff happens.

I can’t tell you how many restaurants I have visited that have a POS plugged into a wireless router plugged into a DSL modem. No firewall in place; wide-open wireless access settings. It is by far the “easiest” way to get all the components to “work.”

When I ask an operator about the setup and why the shop doesn’t have a firewall, that person says, “We do have one!” And I am shown a box clearly stating that this little beauty-of-a-device is a “Router/Firewall/Wireless Access Point.” I then ask, “Have you configured the firewall rules?” The response: “Uhhhhh. What rules?”

Silly or not, even the formatting of the PCI Council’s self-assessment questionnaire (SAQ) can come into play. If you look very closely at the SAQ-C, Requirement 1 is listed as “Install and maintain a firewall.” I have had more than one person repeat that to me. The problem is, that’s not the entire requirement; there is an awkward line break. The actual requirement says “Install and maintain a firewall configuration to protect cardholder data.” Configured or not, our fictitious restaurant has a firewall in place, so management thinks it can check that particular SAQ box.

So what can operators do to make sure this problem doesn’t happen to them?

  • Keep wireless guest access separate from the POS network. Get a second DSL line or use a cellular-based wireless access point (like MiFi) instead.
  • Create a drawing that shows how things are connected. Make sure that drawing is as detailed as possible.
  • Label the ends of all wires. It can be as simple as masking tape wrapped around the ends, but clearly call out where each end of each cable is “supposed to be” plugged in.
  • Keep cables neat and organized. Use cable ties or zip ties or even electrical tape. The more tangled the wires are, the more chance for error.
  • Label each piece of equipment with its purpose and who supports it, along with that person’s phone number. Remove any equipment no longer in use.
  • As silly as it sounds, put electrical tape over unused ports on a router or modem. It may stop someone from accidentally plugging in something.
  • Have an IT person periodically look things over and make sure everything is OK. Use someone you trust, not just a kid from down the street.
  • If you have to guess at anything, STOP! If you are not sure what a device does, talk to someone who can help you out. Guessing can get you into a lot of trouble.

Although these pointers will help, being compliant ultimately comes down to understanding that the IT systems in a restaurant are critical and should be treated with care. One small configuration error can have a dramatic impact on the business.

What do you think? Leave a comment, or E-mail me at Todd.Michaud@FranchiseIT.org. You can also follow me on Twitter: @todd_michaud.

A bike crash and a nagging case of shin splints have really slowed down my Ironman training. Read more at www.irongeek.me.

Term Of The Week: “Free CriFi”–a pun on “Free Wi-Fi” describing when wireless access is set up to allow criminals easy access to credit card data. “I was able to snag those dumps using their free CriFi. Holla!”



8 Comments

  1. Wayne Steiger Says:

    Todd,

    Since I have many years of experience in this area, especially with pay at the table, since my company was the first to make the breakthrough in successfully integrating the very first 802.11b payment terminal to an enterprise level POS system long before PCI, before anyone thought it could be done, to read that this is still taking place is amazing.

    So I am asking myself several questions based on your article.

    Why is the POS plugged into a wireless router to begin with? I cannot think of any reason even for a small operation to do so, even for IP connectivity, and does this not bring up a whole lot of issues for the MSP? Would they not have exposure, since I am assuming that the merchant is using the POS to conduct payment transactions for processing CC and DC? But again, why even have the POS plugged into a wireless router in the first place? It makes no sense and there is really no reason for doing so; why not a direct connection? And to think that the merchant does not have some minimal firewall protecting the POS is again amazing. I think the real question this brings up is who dropped the ball, because there is exposure here, and if there is a breach then the blame game will kick in, count on it.

    Back in 05 we discovered a number of flaws to the available Wi-Fi technology the biggest was .11b was weak and that only a WPA2 EAP/AES commercial rated router (which were just coming out and the Wi-Fi Alliance Association had a number of security recommendations as well) would be at that point in time able to ward off intrusions from sniffers.

    Another flaw we found that those chains that used a frame relay system that by installing a WAP into the system opened an exposed port that could be exploited. But in all of these cases they were enterprise level POS systems not single store stand alone operations.

    I find your article disturbing inasmuch as the technology has advanced tremendously in the last 5 years, and to think that this kind of recklessness is still taking place is remarkable, not to mention that PCI has now become more mainstream and, regardless of the classification of the merchant, the supply chain should all be well versed in the requirements.

    Guess we still have a ways to go.

    Wayne Steiger

  2. Bryan Larkin Says:

    Technology moves at a much more rapid pace than our culture can adapt. And much faster than any individual.

    We’ll still be seeing things like this 10 years from now, unfortunately. Shoot, supply chain best practices call for automation of orders, invoices and ship notices between buyers and sellers, yet many are not automated today – even though the technology has 30 years of maturation behind it. Companies not automating are losing money to manual efforts, keystroke errors, and non-compliance.

    If people fully appreciated the complexity and the risks lots fewer stores would be offering free WiFi. It is more costly up front than it looks to do it right – and is potentially devastatingly costly when done wrong.

    I guess we should chalk this up as survival of the fittest in the franchise space.

    Bryan Larkin

  3. Richard Nedwich Says:

    Would it make more sense to have the Franchise offer Wireless as a managed service? In other words, if the Franchise owner wants to offer free WiFi to compete with the shop across the street, then order the ‘kit’ with a set hardware and configuration and broadband service from the Franchise (or a recommended 3rd party provider)?

  4. Bryan Larkin Says:

    Richard,

    I think that is a great way to handle it – especially if the franchise is concerned that it may get caught up in the risk of its franchisee.

  5. david Says:

    More information about the biological effects of non-ionizing radiation from wireless technology is coming out every day. Enough is not being done by cities, counties, states and the Federal Government to protect us from the potentially devastating health and environmental effects. Through the 1996 telecommunications act the telecoms are shielded from liability and oversight. Initially cell phones were released with no pre-market safety testing despite the fact the Government and the Military have known for over 50 years that radio frequency is harmful to all biological systems (inthesenewtimes dot com/2009/05/02/6458/.). Health studies were suppressed and the 4 trillion dollar a year industry was given what amounts to a license to kill.

    On its face, the 1996 telecommunications act is unconstitutional and a cover-up. Within the fine print city governments are not allowed to consider “environmental” effects from cell towers. They should anyway! It is the moral and legal obligation of our government to protect our health and welfare? Or is it? When did this become an obsolete concept? A cell tower is a microwave weapon capable of causing cancer, genetic damage & other biological problems. Bees, bats, humans, plants and trees are all affected by RF & EMF. Communities fight to keep cell towers away from schools yet they allow the school boards to install wi-fi in all of our schools, thereby irradiating our kids for 6-7 hours each day. Kids go home and the genetic assault continues with DECT portable phones, cell phones, wi-fi and Wii’s. A tsunami of cancers and early Alzheimer’s await our kids. Young people under the age of 20 are 420% more at risk of forming brain tumors (Swedish study, Dr. Lennart Hardell) because of their soft skulls, brain size and cell turnover time. Instead of teaching “safer” cell phone use and the dangers of wireless technology, our schools mindlessly rush to wireless, bending to industry pressure rather than informed decision making. We teach about alcohol, tobacco, drugs and safe sex but not about “safer” cell phone use. We are in a wireless trance; scientists are panicking while young brains, ovaries and sperm burn.

  6. Todd Michaud Says:

    I think that in cases where the Franchisor deploys a solution (or offers a solution) to the chain, it is a great way to cover the bases, but a lot of the mid-to-small chains haven’t gone down that path. Many franchisors intentionally do not want to be an IT service provider to their franchisees, so their best option would be to negotiate a contract/package with a 3rd party provider. But if the brand does not take the lead, it leaves the franchisee to do their own thing, and things like this happen.

    This is further complicated by the fact that many of the companies offering these services were startups that closed their doors after being open only a few months. Even though the company went out of business, the technology is still in place at the restaurant (I have many examples of this).

    Wayne, as far as how it happens, this POS->WAP->DSL scenario is often done (at least I think) because it mirrors the configuration that people have in their home. (PC->WAP->DSL)

    Many franchisees wrongly believe that being PCI compliant means having PA-DSS POS software. They believe that if their POS is compliant, they are compliant.

    Since the PCI Council does not require the Level 4 Merchants to submit a self assessment questionnaire or receive quarterly scans, they may not even know they have a problem.

    Note: Some Acquirers require this of their Level 4 merchants, but not all do.

  7. Wayne Steiger Says:

    This is a weak link in the chain. I bet that the council, in the next set of updates, will begin to take a close look at this issue but implementing it will be another matter altogether. One thing is for sure: If the hackers know there is a weakness, they will begin to exploit it. Many already have.

  8. Eric Warnke Says:

    We walk into businesses every single day that have even the ISP leaving their modem/router/AP combo device completely open. It’s amazing the number of times we have been able to demonstrate complete control of their network from something as simple as my Nokia cell phone. We maintain PCI compliance for our clients by having our hardware logically segregate all internet traffic using stateful firewall rules as set out by PCI requirements, i.e., a complete LAN block for public users. For our larger franchisees we physically segregate our AP from the internal network. I’m not familiar with ISPs in the US, but here in Canada most of them provide two IP addresses by default to commercial lines. We simply throw a tiny 5-port switch between their existing router and the modem and we add our AP on to the switch. This gives one IP to their network and one to ours, and there is no chance of crossover, as if a separate line was in place. I think that this is the best practice; however, for a small “mom-and-pop shop” operation it isn’t always practical, nor necessary. Hopefully in the next couple of years most of the major franchises will be educated enough to deal with this type of issue right out the gates.
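The article's first pointer (keep guest access separate from the POS network) and Eric Warnke's description of a stateful "complete LAN block for public users" both come down to one forwarding policy on the router. The model below is an added example, not code from the article or from any commenter's company: it contrasts the unconfigured "Router/Firewall/Wireless Access Point" from the story (every port forwards to every other port) with a default-deny ruleset that only lets the POS LAN and the guest Wi-Fi open connections outbound and lets replies back in. The address plan, interface names and the equivalent nftables ruleset are constructed assumptions.

```python
"""Forwarding policy on a small restaurant router: 'open' (rules never
configured) versus 'segmented' (default deny, stateful return traffic).
Constructed example; addresses and interface names are assumptions."""
from dataclasses import dataclass
import ipaddress

# Constructed address plan: one subnet for the POS, one for guest Wi-Fi.
POS_NET = ipaddress.ip_network("192.168.10.0/24")
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")

# The Linux nftables ruleset that the 'segmented' policy below mirrors
# (assumed interfaces: wan0 to the modem, pos0 to the POS, guest0 to the AP).
NFT_RULESET = """\
table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "pos0"   oifname "wan0" accept
    iifname "guest0" oifname "wan0" accept
  }
}
"""


def zone(ip: str) -> str:
    """Map an address to the zone it sits in: pos, guest or wan (everything else)."""
    addr = ipaddress.ip_address(ip)
    if addr in POS_NET:
        return "pos"
    if addr in GUEST_NET:
        return "guest"
    return "wan"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    new: bool = True  # True for the first packet of a flow (TCP SYN)


class Firewall:
    """Per-packet forwarding verdict with a minimal connection table."""

    # Zone pairs allowed to open NEW flows under the segmented policy.
    ALLOWED_NEW = {("pos", "wan"), ("guest", "wan")}

    def __init__(self, policy: str):
        assert policy in ("open", "segmented")
        self.policy = policy
        # Flows we permitted, keyed (client, server); ports are not modelled.
        self.flows: set[tuple[str, str]] = set()

    def forward(self, pkt: Packet) -> str:
        if self.policy == "open":
            # Box out of the carton: every port is one flat LAN, nothing is blocked.
            return "accept"
        # Stateful exception: a reply that belongs to a flow we already let out.
        if not pkt.new and (pkt.dst, pkt.src) in self.flows:
            return "accept"
        if pkt.new and (zone(pkt.src), zone(pkt.dst)) in self.ALLOWED_NEW:
            self.flows.add((pkt.src, pkt.dst))
            return "accept"
        # policy drop: guest->pos, wan->pos, wan->guest and any stray non-new packet.
        return "drop"


# Constructed traffic from a guest laptop, the POS terminal and an outside host.
SAMPLE = [
    ("guest laptop browses the web", Packet("192.168.20.50", "203.0.113.10", 443)),
    ("web server replies to guest", Packet("203.0.113.10", "192.168.20.50", 443, new=False)),
    ("POS terminal talks to its processor", Packet("192.168.10.5", "198.51.100.20", 443)),
    ("guest laptop reaches for the POS", Packet("192.168.20.50", "192.168.10.5", 5900)),
    ("unsolicited internet host probes the POS", Packet("203.0.113.99", "192.168.10.5", 3389)),
]


def verdicts(policy: str) -> dict[str, str]:
    """Run the sample traffic through one policy; returns description -> verdict."""
    fw = Firewall(policy)
    return {desc: fw.forward(pkt) for desc, pkt in SAMPLE}


if __name__ == "__main__":
    for policy in ("open", "segmented"):
        print(f"--- {policy} ---")
        for desc, verdict in verdicts(policy).items():
            print(f"{verdict:7} {desc}")
```

The "open" column is the restaurant in the story: the guest laptop and the POS are peers on one LAN, so the SAQ box for "install and maintain a firewall" is ticked while nothing is actually filtered. The "segmented" column is the cheapest fix that still shares one DSL line; a second line or a MiFi, as the article suggests, gives the same separation without trusting anyone to keep the rules intact.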
