Authorities are asking us to alert you.
Recently, there have been a very high number of credit card data compromises resulting from the breach of merchant service providers. These providers have remote access to merchant computer networks for maintenance of POS hardware and software systems, accounting, or other practices. Remote access software used by such providers may include LogMeIn, pcAnywhere, and similar tools.
Think of it like this… do you have a neighbor, good friend, or a service provider that has an extra key to your house? Many of us do, as it gives us peace of mind if we lose our own key. We sometimes share a key for the convenience of having a provider take care of things around the house when we can’t be there.
Now, think of a similar scenario for your business. Have you provided an “extra key” that allows a service provider to get into your business via remote computer access? In fact, do you sometimes let yourself in “remotely” to be able to access your business computer network? If so, and without secure remote access practices, your business is vulnerable to hackers.
The breach of one of these service providers often results in the data compromise of all of the provider’s merchant customers, because remote access was not set up in a secure manner. Once a hacker has access to a merchant’s network through a service provider, they can install malicious software that steals customer credit card data, which is later used for fraud. For example, the Target breach was originally initiated through Target’s HVAC or refrigeration vendor by using a supplied “key” or remote access.
Please share the attached link with service providers that have remote access to your computer network and be sure to otherwise secure remote access to your business. If you receive vulnerability scans from Trustwave or SecurityMetrics as part of your PCI validation process, taking action on failing scan results can also help mitigate this risk to your business.
Again, here is the alert from the U.S. Secret Service, Visa, and the Financial Services Information Sharing and Analysis Center. Note that it may be best reviewed by a technical resource, as it is written at a moderate technical level.