Educause Security Discussion mailing list archives

Re: Point of Sale Device


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Fri, 11 May 2007 10:03:41 -0600

Speaking from not-so-hypothetical experience, a text reader like NOTEPAD
works just fine to read the log files that may record clear-text
transactions.

Spider - do a search.

Maybe some old DOS level GREP like tools?  Anybody but me still keep
these around?

The rumors you mention I can't quite speak to, but second-hand knowledge
of real events - several similar situations I'm familiar with, and each
was a clear text log file that preserved transaction elements, and each
was on a system that wasn't "supposed" to store CC#s locally.

No great mystery.

Now there may be more complicated mechanisms and some that are encrypted
files and/or other things, but many take no special skill or insight;
just look into the application file path and read the logs.

Now you know how the stupid auditors like me actually find things -
because the problem is typically so fundamental and the
developer/administrator effort made to assess the risk so pitifully
weak.  No rocket science, that's for sure.  (And really, we aren't ALL
that stupid...!)

Don't trust the vendor representation. In a couple of cases I'm close to,
the vendors indicated the systems were clean.  Sure, no data was stored
locally, but even the vendors didn't mention the log files.

In one case I'm aware of, management thought their edict against storing
CC#s would be sufficient.  Their internal folks didn't read their own
internally created/custom log files either.

These observations are over time, and my experiences include 3
industries, not just Higher Ed; the root cause is as simple and basic as
ABCs.  Programmers, developers, and those charged with implementing
systems are typically encouraged to get things working, not to be
concerned with the security of things, so they never bother to
verify/validate/assess.  Most get dinged for taking a day longer than
the minimum required, so a little extra diligence is negatively
rewarded.  Change in culture will eliminate a high percentage of these
types of problems.

Chances are high you will find similar things if you look at multiple
POS systems in your domain.  Have fun, heads turn, eyes roll, and many
folks get really sheepish looks on their faces when five minutes into an
assessment you print out some CC#s and ask them how they may have missed
these...  The point is not to sufficiently embarrass the supposedly
responsible, although that's effective; it's to elevate the
acknowledgement of the rudimentary value of basic security analysis in
all things IT.  Some day this attitude may finally hit the thought
processes of the mid to C level managers of most businesses, but alas it
is not today.

Best regards,

Jim

*****************************************

Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon () cusys edu

303-492-9734

*****************************************

________________________________

From: Gibson, Nathan J. (HSC) [mailto:Nathan-Gibson () OUHSC EDU] 
Sent: Thursday, May 10, 2007 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Point of Sale Device

Does anyone know of a tool/product that can be used to check a credit
card point of sale device to make sure it does not store credit card
information?  To give you a picture of what I am talking about, let's say
you walked into a gas station and purchased a soda with your CC. The
attendant swipes your card in a little black box that sits on the edge
of the counter. It does not tie into an application, just a device with
a modem that sends the information to a bank for processing. I want to
be able to check the device to make sure it is not storing information
locally.

Rumor has it a University somewhere in Colorado did this once and I
wondered if anyone knows of any tools/solutions out there that could
help.  Any information about a solution/outside vendor would be greatly
appreciated.

V/R,

Nathan J Gibson, CISSP
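An added example, not code from either message in this thread: a small Python scanner that does the check Jim describes above (go to the application's file path and read the logs for card numbers) in a way that is safe to run as an audit step. It uses a Luhn check to drop timestamps, order numbers and phone numbers, and it masks every finding to the last four digits so the audit output does not itself become another clear-text copy. The log format, file suffixes and sample lines are constructed for the demonstration; the card numbers in the sample are the widely published test numbers, not real accounts.

```python
"""Scan log files for candidate primary account numbers (PANs).

Added example for the thread above, not the list's or any vendor's code.
It is the "Notepad / grep" check in script form for auditing POS hosts
that are not supposed to retain card data.  Findings are reported masked.
"""
import re
import sys
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes.
# The \b anchors keep the pattern from latching onto a fragment of a
# longer digit run (a 20-digit serial number is simply not reported).
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so reports do not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked candidate PANs found in text, in order of appearance.

    A candidate must be 13-19 digits after removing separators and must
    pass Luhn; that filters out most timestamps, order ids and phone numbers.
    """
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_file(path: Path) -> list:
    """Scan one file; returns (line_number, masked_pan) tuples."""
    hits = []
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for masked in find_pans(line):
                hits.append((lineno, masked))
    return hits


def scan_tree(root: Path, suffixes=(".log", ".txt")) -> dict:
    """Walk root recursively and scan files with the given suffixes.

    The suffix list is an assumption; point it at whatever the POS
    application actually writes (custom log names are common).
    """
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample log lines for a self-contained run.  The card numbers
# are the well-known published test PANs, not real accounts; the last line
# holds a 16-digit order id and a phone number that must NOT be reported.
SAMPLE_LOG = """\
2007-05-10 12:15:01 TXN ok amount=1.49 card=4111111111111111 auth=123456
2007-05-10 12:15:02 TXN ok amount=2.00 card=5500 0000 0000 0004
2007-05-10 12:15:03 TXN declined card=3782-822463-10005
2007-05-10 12:15:04 order=1234567890123456 phone=303-492-9734
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pan_scan.py /path/to/pos/application/logs
        for fname, hits in scan_tree(Path(sys.argv[1])).items():
            for lineno, masked in hits:
                print(f"{fname}:{lineno}: {masked}")
    else:
        for lineno, line in enumerate(SAMPLE_LOG.splitlines(), 1):
            for masked in find_pans(line):
                print(f"sample line {lineno}: {masked}")
```

Run with no arguments it scans the embedded sample and reports three masked hits; given a directory it walks the tree. Luhn plus a length window is a coarse filter, so treat hits as leads to confirm by hand rather than as a final count, and keep the masked output only.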

