Hacking your bar for drunken profit
A few weeks ago I was grabbing a couple of beers in town with my buddy, John. We had a couple of rounds before John noticed what he thought was a Nintendo Wii sitting at the back of the bar, next to a cash register/point-of-sale terminal. It definitely was a Wii, but even more interesting to me was a wireless access point right next to it in plain sight.
John was probably excited at the possibility of playing Guitar Hero. I, on the other hand, wondered if the Wii and the cash register terminal were all on the same network, along with the WAP.
After a few more drinks, I developed the following equation:
Wireless Access Point + POS terminal = free beer
I pulled up the list of the available wireless networks on my iPhone, and sure enough there was one with the name of the bar. Unfortunately, it was encrypted. Time to break out the social engineering skills.
Me (to the bartender): “Hey, I’m trying to show my buddy my blog on the Inter-”
Bartender: “Oh! You need the password! Hold on one sec, let me ask the manager.”
…1 minute later…
Bartender: “Try clubbarroom”
Me: “That worked. Thanks.”
I didn’t go any further at that point, since that would be unethical. My buddy was also already impressed that I got the password without even directly asking for it.
However, I couldn’t help but wonder what kind of data is actually at risk. They obviously swipe credit cards on those point-of-sale terminals. I’m also sure that the bar doesn’t have a security budget or staff, other than the human firewall who was checking IDs at the door. If credit cards could be stolen from T.J. Maxx, why not a rinky-dink bar in Hoboken?
I don’t need to wonder so much any more. On Monday, news agencies started reporting that three men were charged with installing packet sniffing software at a number of Dave & Buster’s locations here in the U.S. From one location near me in New York, they were able to obtain 5,000 credit/debit card numbers.
Obviously, companies that do business on the Internet need to be aware of security issues surrounding credit card transactions, and many are well aware that they need to be PCI compliant. But what about small brick-and-mortar shops, bars, restaurants, etc.? They think they are immune from all this hacking/identity theft nonsense because they don’t take credit cards via a web site.
Hacking one large online retailer like Amazon may prove lucrative, but could be difficult and dangerous to pull off AND get away with. Small businesses, on the other hand, lack the technological expertise to protect themselves. While each target individually may not contain the wealth of sensitive data that an Amazon or eBay has, these soft targets, collectively, could be just as lucrative.
-Schmoilito
2 Comments so far
That is probably the most fundamental problem with PCI… you only need to meet the standard if you process 11d billion credit cards per month. I don’t know the exact cutoff, but I’m sure it’s surprisingly large. I know that 5,000 cards/month won’t do it.
Good read.