Hacking your bar for drunken profit

A few weeks ago I was grabbing a couple of beers in town with my buddy, John. We had a couple of rounds before John noticed what he thought was a Nintendo Wii sitting at the back of the bar, next to a cash register/point-of-sale terminal. It definitely was a Wii, but even more interesting to me was a wireless access point right next to it in plain sight.

John was probably excited at the possibility of playing Guitar Hero. I, on the other hand, wondered if the Wii and the cash register terminal were all on the same network, along with the WAP.

After a few more drinks, I developed the following equation:
Wireless Access Point + POS terminal = free beer

I pulled up the list of the available wireless networks on my iPhone, and sure enough there was one with the name of the bar. Unfortunately, it was encrypted. Time to break out the social engineering skills.

Me (to the bartender): “Hey, I’m trying to show my buddy my blog on the Inter-”
Bartender: “Oh! You need the password! Hold on one sec, let me ask the manager.”
…1 minute later…
Bartender: “Try clubbarroom”
Me: “That worked. Thanks.”

I didn’t go any further at that point, since that would be unethical. My buddy was also already impressed that I got the password without even directly asking for it.

However, I couldn’t help but wonder what kind of data is actually at risk. They obviously swipe credit cards on those point-of-sale terminals. I’m also sure that the bar doesn’t have a security budget or staff, other than the human firewall who was checking IDs at the door. If credit cards could be stolen from T.J. Maxx, why not a rinky-dink bar in Hoboken?

I don’t need to wonder so much any more. On Monday, news agencies started reporting that three men were charged with installing packet sniffing software at a number of Dave & Busters locations here in the U.S. From one location near me in New York, they were able to obtain 5,000 credit/debit card numbers.

Obviously, companies that do business on the Internet need to be aware of security issues surrounding credit card transactions, and many are well aware that they need to be PCI compliant. But what about small brick-and-mortar shops, bars, restaurants, etc.? They think they are immune from all this hacking/identity theft nonsense because they don’t take credit cards via a web site.

Hacking one large online retailer like Amazon may prove lucrative, but could be difficult and dangerous to pull off AND get away with. Small businesses, on the other hand, lack the technological expertise to protect themselves. While each target individually may not contain the wealth of sensitive data that an Amazon or eBay has, these soft targets, collectively, could be just as lucrative.

-Schmoilito


3 Comments so far

  1. Dan Guido May 14th, 2008 12:40 am

    That is probably the most fundamental problem with PCI… you only need to meet the standard if you process 11d billion credit cards per month. I don’t know the exact cutoff, but I’m sure it’s surprisingly large. I know that 5,000 cards/month won’t do it.

  2. Steven Klassen June 2nd, 2008 12:44 pm

    Good read.

  3. RedVirus80 May 19th, 2009 5:44 pm

    If your bar has wifi, YES YOU CAN HACK THE POS TERMINAL!!
    All POS I’ve run across run on 2kpro with Restaurant Manager POS. 80% of them will not run a firewall on them since it causes too many problems with connection to the server in the backroom so it can write the Crystal Reports to it. I myself did my 2nd wifi hack at my local bar in Summerville, SC, “HURRICANE ALLEY”. I used x-can to get the nt-server pass and dameware to remote admin to the POS and remove items off my tab. Proved to the owner “Jason” and his employees that I can hack shit, course I was drunk off my ass when I did this. But you can also access the credit card info in plain text on their server that collects the info. If you wanna wifi hack a chain/bar buy some high-gain Yagi antenna and hit the AP from outside and at a distance!!!!! Happy Wardriving

    PS.. If you see someone at a bar with a laptop, it might be me walking out drunk and only dropping $20 after 6hrs
