Checklist 142: Panic! at the Drive-Thru
Is your data safe anywhere these days? That’s the question we’re asking at the top of today’s show with news of a new fast food breach, before we move on to the death of an old “best practice” for passwords. Finally, we’ll finish with a follow-up to a recent story about Apple’s changes to parental control apps in the App Store. It’s a jam-packed show this week as we look to check the following items off our list:
- A Fast Food Security Breach
- Killing Off Killing Off Passwords
- Apple’s Babysitting the Babysitters
Ready to get started? Please pull around to the first window to find out what might happen to your information when you decide to swing by and pick up a burger on the way home from work.
A Fast Food Security Breach
Our first story this week comes to us from ThreatPost, with a supersized helping of data insecurity. Checkers and Rally’s burger joints across the country were hit by a data breach that resulted from a malware infection targeting the software that runs the chain’s cash registers. All told, ThreatPost says, about 15% of the chain’s restaurants were affected. That translates into 102 stores in 20 different states, which covers most of the areas in which the chain operates.
What kind of information was involved? You’re probably not going to like this: it’s all about the payment information. The malware, having infected the “point of sale” or POS systems, could capture the card data as it passed through the register. Every time the cashier swipes a customer’s credit or debit card, the machine reads the data encoded on the magnetic stripe on the back of the card. The malware stole this information, all of it. That includes:
- Name
- Card number
- Card verification code (the one encoded on the stripe, not the three-digit code printed on the card)
- Expiration date
In other words, just about everything someone would need to clone the card or run fraudulent charges against it. Checkers posted a statement to its website saying it was coordinating with law enforcement and security experts to “address the matter,” whatever that may mean; for the customers affected, their information is presumably already in the hands of whoever planted the malware.
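To make concrete what a register hands over on every swipe, and therefore what a memory-scraping POS malware family hunts for (and what a defender’s detection rule looks for), here is an added example written for this write-up; it is not code from Checkers, ThreatPost or any named malware. It scans a constructed buffer for the ISO/IEC 7813 Track 1 and Track 2 layouts a magnetic stripe carries, keeps only candidates whose card number passes the Luhn check, and masks the number before reporting it. The sample buffer, the masking format and the field names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ISO/IEC 7813 magnetic-stripe layouts:
//   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
//   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
// The verification value a stripe carries (CVV1/CVC1) sits in the discretionary
// data; it is not the CVV2 printed on the back of the card.
var (
	track1Re = regexp.MustCompile(`%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})(\d*)\?`)
	track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})(\d*)\?`)
)

// TrackHit is one decoded stripe record found in a buffer.
type TrackHit struct {
	Track       int    // 1 or 2
	Offset      int    // byte offset in the scanned buffer
	PAN         string // full card number; log it only via MaskPAN
	Name        string // Track 1 only
	ExpiryYYMM  string
	ServiceCode string
}

// LuhnValid reports whether pan passes the Luhn mod-10 check that every payment
// card number satisfies; it weeds out digit runs that merely look like a PAN.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return pan != "" && sum%10 == 0
}

// MaskPAN keeps the first six and last four digits (the PCI DSS display form)
// so a hit can be reported without re-exposing the card.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanForTrackData finds Luhn-valid Track 1 / Track 2 records in buf (for
// example a dump of a register process's memory) and returns them in offset
// order. A RAM scraper looks for exactly these patterns; a defender runs the
// same scan to prove whether card data is sitting in memory in the clear.
func ScanForTrackData(buf []byte) []TrackHit {
	var hits []TrackHit
	for _, m := range track1Re.FindAllSubmatchIndex(buf, -1) {
		if pan := string(buf[m[2]:m[3]]); LuhnValid(pan) {
			hits = append(hits, TrackHit{Track: 1, Offset: m[0], PAN: pan,
				Name: string(buf[m[4]:m[5]]), ExpiryYYMM: string(buf[m[6]:m[7]]),
				ServiceCode: string(buf[m[8]:m[9]])})
		}
	}
	for _, m := range track2Re.FindAllSubmatchIndex(buf, -1) {
		if pan := string(buf[m[2]:m[3]]); LuhnValid(pan) {
			hits = append(hits, TrackHit{Track: 2, Offset: m[0], PAN: pan,
				ExpiryYYMM: string(buf[m[4]:m[5]]), ServiceCode: string(buf[m[6]:m[7]])})
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Offset < hits[j].Offset })
	return hits
}

// SampleBuffer is a constructed stand-in for a memory dump: two genuine-format
// records (industry test card numbers) amid junk, plus a record whose number
// fails Luhn and must be ignored.
const SampleBuffer = "\x00\x00lane=3 terminal=POS-07 " +
	"%B4111111111111111^DOE/JOHN^25121011234567890?" + "\x00\x17total=12.48 " +
	";5555555555554444=2512101123456789?" + " \x00junk " +
	";1234567890123456=2512101000000000?"

func main() {
	for _, h := range ScanForTrackData([]byte(SampleBuffer)) {
		fmt.Printf("track %d @%d pan=%s name=%q exp=%s svc=%s\n",
			h.Track, h.Offset, MaskPAN(h.PAN), h.Name, h.ExpiryYYMM, h.ServiceCode)
	}
}
```

Run it as-is and it reports two masked hits and silently drops the bogus third record; pointed at a real process dump it tells you in seconds whether the register ever holds stripe data unencrypted, which is the condition this kind of malware depends on.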
So how could their POS systems become infected in the first place? We don’t know for certain. An insider could have introduced the infection, possibly through a regional franchising company, or the attackers could have gained access to an insecure, Internet-connected system and spread from there. However the malware arrived, it would likely have been difficult to detect: POS malware is built to sit quietly and siphon off card data, not to cause the noticeable slowdowns that run-of-the-mill malware can.
This scenario is similar to the “skimmers” many of us have seen warnings about at gas stations and ATMs. Those are physical devices that thieves attach to card readers to capture the same stripe data; they use hardware there rather than malware because malware isn’t the easiest thing to load onto a gas station’s pump.
Checkers suggests customers monitor their bank statements and consider ordering a credit report. In other words, they’re sorry, but those who dined with them are left to deal with the fallout themselves. As we know, it’s unlikely the company will face any serious blowback or consequences for the incident; affected customers don’t even get the benefit of free credit monitoring anymore, it seems.
There is one bit of good news to come out of this situation. According to Verizon’s Data Breach Investigations Report, point of sale breaches are on the decline. While that’s good, they are still happening, and the one at Checkers seems to have gone on for quite a long time. The company says the earliest infection it found dates back to 2015, but it was only last year, in 2018, that the malware spread to affect more locations.
What could Checkers have done better? For a start, some basic checking should have been done whenever POS software was deployed or updated, to ensure the software was genuine and unmodified; if they weren’t updating the registers at all, that’s even worse. Another concern is that Checkers still runs cards with the “swipe” method rather than the chip (also called EMV) method used by most retail establishments these days; you know, all those cashiers reminding you to “insert your card.” EMV wouldn’t have stopped malware on the register from seeing the card number and expiration date, but a chip transaction produces a one-time cryptogram instead of the static stripe data, so what the malware captured couldn’t have been used to clone working cards. Keeping card data out of the register’s memory altogether takes point-to-point encryption between the card reader and the payment processor, which is the control that actually defeats this class of malware.
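What “checking that an update is genuine and unmodified” looks like in practice, as an added example written for this write-up (not code from Checkers or its POS vendor): the vendor signs a manifest of file hashes with an offline Ed25519 key, and each register verifies the signature and every file hash before installing anything. The key pair is generated in-process here only so the example runs stand-alone; in a real deployment the private key never leaves the vendor’s build system and the public key is pinned on the register. The file names, contents and manifest format are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// UpdateFile is one file in a POS software update package.
type UpdateFile struct {
	Path    string
	Content []byte
}

// BuildManifest lists "sha256hex  path" for every file, sorted by path so the
// bytes that get signed are deterministic regardless of packaging order.
func BuildManifest(files []UpdateFile) []byte {
	sorted := append([]UpdateFile(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path })
	var b strings.Builder
	for _, f := range sorted {
		sum := sha256.Sum256(f.Content)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), f.Path)
	}
	return []byte(b.String())
}

// SignManifest is the vendor-side step, run with the offline private key.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the register-side gate. It refuses the update unless the
// manifest signature verifies under the pinned vendor key AND every shipped
// file hashes to its signed value, with nothing missing and nothing extra.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, files []UpdateFile) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid; refusing update")
	}
	want := map[string]string{}
	for _, line := range strings.Split(strings.TrimRight(string(manifest), "\n"), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want[parts[1]] = parts[0]
	}
	seen := map[string]bool{}
	for _, f := range files {
		expected, ok := want[f.Path]
		if !ok {
			return fmt.Errorf("%s: not in signed manifest (unexpected file)", f.Path)
		}
		sum := sha256.Sum256(f.Content)
		if hex.EncodeToString(sum[:]) != expected {
			return fmt.Errorf("%s: hash mismatch (file modified)", f.Path)
		}
		seen[f.Path] = true
	}
	for p := range want {
		if !seen[p] {
			return fmt.Errorf("%s: listed in manifest but missing from update", p)
		}
	}
	return nil
}

func main() {
	// Constructed update package; contents are placeholders.
	files := []UpdateFile{
		{Path: "pos/register.exe", Content: []byte("release 2.4 register binary")},
		{Path: "pos/config.ini", Content: []byte("card_reader=usb0\n")},
	}
	// Vendor side (offline in reality): generate key, build and sign manifest.
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)

	// Register side: the genuine package passes.
	fmt.Println("genuine package:", VerifyUpdate(pub, manifest, sig, files))

	// An attacker swaps in a trojaned register binary: hash mismatch.
	trojaned := []UpdateFile{
		{Path: files[0].Path, Content: []byte("release 2.4 register binary + scraper")},
		files[1],
	}
	fmt.Println("trojaned binary:", VerifyUpdate(pub, manifest, sig, trojaned))

	// The attacker also rewrites the manifest to match: the signature fails.
	forged := BuildManifest(trojaned)
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, sig, trojaned))
}
```

The order of checks matters: the signature is verified before the manifest is parsed, so an attacker who controls the update feed cannot even get malformed input into the parser, and a file that is present but unlisted is rejected rather than ignored, which is how a dropped-in scraper DLL would otherwise ride along.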
Checkers does have a list of all the affected stores easily accessible on the homepage of its website as of this show’s publication. If you’re a fan of Rally’s or Checkers, we advise you to visit this page to see if you dined at one of the stores on the list. If you did, be sure to keep an eye on your accounts.
Killing Off Killing Off Passwords
An old and familiar “best practice” for passwords has been shown the door by one of the tech giants, according to a story in TechCrunch. In May of this year, Microsoft removed password expiration policies from the Windows 10 Security Baseline. What is that, you might ask? It’s Microsoft’s set of recommended configuration settings for IT administrators managing Windows 10, from small businesses to major healthcare organizations and more. It establishes a safe, sensible way to configure the system to minimize the risk of security breaches and to provide better reliability.
So why are we talking about this today? We discuss password best practices a lot on this show and changing your passwords regularly has always been one of the key points we’ve hit. In fact, with many sites these days, after a certain period you’re forced to change your password — especially in company environments. It could be 30, 60, or 90 days, but eventually, your password expires, and you need to make a new one. Now, Microsoft is saying that that’s not a best practice, and it should be discarded. What’s the thinking here?
Microsoft lays out several excellent points in its reasoning. First and foremost is the fact that it’s annoying for the users — and ultimately, that makes it a less secure practice. You can only ask someone to change their password so many times before they begin using easily guessed variations on the same base password they used to start with; the result being that they actually introduce more insecurity instead of less.
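Here is what the “easily guessed variations” problem looks like when you try to catch it at the password-change prompt, as an added example written for this write-up; it is not Microsoft’s or TechCrunch’s code. It reduces a password to its “core” by lowercasing, stripping the digits and symbols bolted onto either end, and undoing common letter-for-symbol substitutions, then treats a new password with the same core as its predecessor as a trivial variation. The substitution table, the minimum core length and the sample passwords are assumptions for illustration; a real policy would pair this with a banned-password list and multi-factor authentication rather than rely on it alone.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// leet undoes the handful of substitutions users reach for when forced to
// "change" a password (P@ssw0rd -> password). Assumed table for illustration.
var leet = strings.NewReplacer(
	"@", "a", "4", "a", "3", "e", "1", "i", "!", "i", "0", "o", "$", "s", "5", "s", "7", "t",
)

// Core reduces a password to the part people actually remember: lowercase, with
// the digits and symbols at either end removed and substitutions reversed.
// Summer2019! and Summer2020! both become "summer"; 1Welcome becomes "welcome".
func Core(p string) string {
	s := strings.ToLower(p)
	s = strings.TrimFunc(s, func(r rune) bool { return !unicode.IsLetter(r) })
	return leet.Replace(s)
}

// IsTrivialVariation reports whether candidate is a predictable rewrite of
// previous: same core, or (for cores of at least four letters) one core
// contained in the other, as in password -> passwordpassword.
func IsTrivialVariation(previous, candidate string) bool {
	pc, cc := Core(previous), Core(candidate)
	if pc == "" || cc == "" {
		// Nothing letter-based to compare (e.g. all digits): fall back to the
		// whole strings.
		return strings.EqualFold(previous, candidate)
	}
	if len(pc) < 4 || len(cc) < 4 {
		return pc == cc
	}
	return strings.Contains(cc, pc) || strings.Contains(pc, cc)
}

// VariationOfAny checks a candidate against the passwords it is meant to
// replace and returns the one it trivially varies, if any. At change time the
// current password is available in plaintext because the user just typed it;
// that is the moment to run this check.
func VariationOfAny(history []string, candidate string) (string, bool) {
	for _, h := range history {
		if IsTrivialVariation(h, candidate) {
			return h, true
		}
	}
	return "", false
}

func main() {
	// Constructed rotation histories of the kind a 90-day policy produces.
	pairs := [][2]string{
		{"Summer2019!", "Summer2020!"},
		{"P@ssw0rd1", "Password2"},
		{"Welcome1", "1Welcome"},
		{"Summer2019!", "Winter2019!"},
		{"Summer2019!", "correct horse battery staple"},
	}
	for _, p := range pairs {
		fmt.Printf("%-14q -> %-32q trivial variation: %v\n", p[0], p[1], IsTrivialVariation(p[0], p[1]))
	}
}
```

Note what the check does not catch: Summer2019 to Winter2019 changes the core, so it passes, even though an attacker who has seen one of a user’s passwords will try seasons and years first. That is the point Microsoft is making: no rotation rule makes a human-chosen, human-rotated password safe, which is why the advice below is a password manager and multi-factor authentication.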
There’s also the fact that it doesn’t really help to protect users in a breach, either. Windows’ default maximum password age is 42 days; if someone steals your password on day 3 of the period, how does expiring it on day 42 protect you? It simply doesn’t. Microsoft’s reasoning is that if a password is never stolen, there’s no need to expire it, and if you know it has been stolen, you should change it immediately rather than wait for the calendar to roll over. With that in mind, this guideline is going by the wayside. That doesn’t mean it will disappear everywhere: Microsoft is only withdrawing its recommendation, not forbidding the setting, and compliance regimes such as PCI DSS still require periodic rotation for the accounts they cover. It might signal the start of a sea change, though.
It might be a part of the movement towards “the end of passwords,” too. Ultimately, leaving humans in charge of security is always going to result in a weak point. When you must choose passwords, some amount of insecurity is almost inevitable. The move towards hardware and biometric-based solutions continues, and we may eventually reach a point where creating your own passwords is a thing of the past.
What should you do in the meantime? As the TechCrunch piece points out, using a password manager is essential these days, with popular options including LastPass and 1Password. These apps generally come with a subscription fee for their full feature set, but it’s well worth it: you can keep your passwords synchronized and secure across multiple platforms, and you ultimately just need to remember your one master password to use your vault to log in all around the web. With the built-in ability to generate strong, random passwords as well, you’ll find it’s a much easier way to approach security. Multi-factor authentication remains essential, too, as we’ve discussed on the show many times now.
Goodbye to password expiration — we hardly knew ye.
Apple Babysits the Babysitters
Let’s round out this week with a return to last week’s show.
Recall that one of the things we learned last week during Apple’s annual Worldwide Developers Conference was that the company planned to open its Mobile Device Management (MDM) access to apps billed as being for child protection, which many people see as competitors to Apple’s own Screen Time and parental control efforts. When we discussed this policy last week, we wondered how Apple would be able to tell whether the developers were complying with the new rules. Typically, apps that use MDM don’t get much deeper oversight from Apple. That’s not the case here, however: new MDM-enabled child protection apps will face greater and ongoing scrutiny from Apple.
Remember the scandals from the past few months about Facebook and Google gathering information on iPhone users through MDM apps? They got away with it for so long because Apple typically leaves enterprise app development up to individual customers; in other words, it’s not staring over the shoulder of every in-house developer to make sure that the apps they build and deploy for other employees meet rigorous standards. It just wouldn’t be feasible. For the sake of the children, though, Apple has decided to make it feasible for these apps.
One iOS developer was savvy enough to spot the change in Apple’s terms that allows for this to take place. Apple says it will individually review all apps that use MDM and, if it believes a developer has crossed the line, will mandate that the app be removed from the App Store. Apple’s terms state that it can review apps “at any time,” allowing it to revoke an app later should it switch to rule-breaking behavior.
One would think Apple would have some “triggers” in place to signal to its team that they should take a closer look at an app, but it’s not entirely clear what that might be yet — though if they read about an app in the news, you can imagine they’ll look. They might hear from other developers, or even concerned parents — but the good news is that Apple will have a way to investigate these things and provide some level of oversight. Is it perfect? Maybe not yet — but it at least provides some peace of mind for those concerned that these changes could further expose children to the efforts of Big Data collection.