May 2016 -

Uncategorized

POS Data Security an Issue for Fast-Food Kiosks

May 31, 2016 Lazarus Alliance 0 Comment

POS Data Security?

The next time you buy a burger at McDonald’s or Wendy’s, a computer may be the one asking, “Would you like fries with that?” After decades of depending on human workers to take orders – and payments – American fast food chains are finally moving into the computer age, driven by rising minimum wages, a tightening labor market, a push for efficiency, and a growing number of internet-savvy consumers who prefer to interact with computers than human clerks.

Discussion of this “Rise of the Machines” in the media has largely centered around the minimum wage and the displacement of low-skilled labor. Missing from the conversation has been any mention of point-of-sale (or POS) system security in these automated ordering systems – even though Wendy’s, which recently announced it will be rolling out ordering kiosks en masse, suffered a POS data security breach earlier this year. The breach compromised approximately 300 locations, went on for several months, and has resulted in a class-action lawsuit accusing the fast-food chain of inadequate data security procedures.

Automated ordering systems are not new. Regional convenience stores Wawa (headquartered near Philadelphia) and Sheetz (a Pittsburgh-area chain), both of which have extensive custom deli and hot foods menus, installed ordering touch screens over a decade ago. However, these systems, unlike the ones Wendy’s and other fast-food restaurants intend to install, only take food orders and do not process customer payments; customers get printed order slips to take to a cashier for payment. And, of course, gas stations, supermarkets, and some retailers have had self-checkout lanes for years.

The surprising thing is that large fast-food chains have taken so long to automate customer ordering and payments – and this is where the concern over POS data security lies.

In some ways, automation in the fast-food industry is similar to automation in the healthcare industry. As mentioned in previous blogs, among the reasons why the healthcare industry is so prone to cyber attacks is that it clung to paper records for years, and when it finally did automate, it did so practically overnight, without any employee training. Similarly, the majority of fast-food companies continued to use human workers long past the time they needed to. The push to automate fast-food ordering is fairly new but very strong; at least one major chain has expressed that it is in a hurry to implement automation in the wake of minimum wage increases on city and state levels.

Since the fast-food industry is known for razor-thin profit margins and aggressive cost-cutting, and making burgers – not POS data security – is its core competency, whether fast-food chains will take cybersecurity seriously or repeat the mistakes of the healthcare industry remains to be seen.

However, as the ransomware attacks and data breaches that have plagued the healthcare industry have proven, no industry can afford to take a laissez faire attitude toward cybersecurity, especially when installing completely new systems. The fast-food industry needs to be proactive as it makes the leap from human clerks to self-serve kiosks. Among the measures restaurants can take are:

Do a review of your security policies and procedures to ensure PCI DSS compliance. Compliance with the PCI DSS is mandatory for any company that accepts payment cards, and procedures should always be reviewed when a new system is installed to ensure PCI DSS compliance is maintained. Here is a helpful primer on PCI DSS compliance basics.
Be sure to purchase your new system from a reputable dealer. Since fast-food ordering kiosks are an industry that is about to explode, inevitably, shady dealers will pop up offering what appear to be fantastic deals on new systems – that turn out to have multiple security vulnerabilities. Make sure you’re buying your equipment from a known, reputable company.
Make sure your new POS system can handle EMV technology, or “chip-enabled” cards. One of the ways hackers attack POS systems is by installing card skimmers that steal data off of the magnetic stripe old-style payment cards use. Chip-enabled cards eliminate this problem. However, not all payment cards are chip-enabled at this time, so it’s important not to leave self-serve kiosks completely unattended. Have at least some on-site staff available who are trained to spot card skimmers.
If you offer free WiFi to your customers, do not set your POS terminals to access it. Otherwise, a hacker can come into your store and use the WiFi to get into your system.
Monitor your POS terminals for suspicious activity. Are your terminals being accessed by or communicating with unknown external sources? Just like any other network, POS systems should be monitored for suspicious activity; had Wendy’s monitored its systems, the breach the company suffered may not have gone on for so long undetected.
Have a comprehensive cybersecurity plan in place, to include training on POS data security for any employees who access the restaurant’s computers. Protecting your customers’ payment card data is as important as adhering to food safety and sanitary practices.

POS Data Security Doesn’t Have to Be a Stomachache!

Because the fast-food industry has depended on manual ordering processes for so long, the transition to automation may seem confusing or even overwhelming for restaurant owners. That’s why it’s a good idea for restaurants to enlist the services of a professional cybersecurity firm such as Lazarus Alliance. The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches.

We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats, as well as help them get and remain PCI DSS compliant. Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

Lazarus Alliance is a veteran-owned business.

Plagiarism, Authority, and Trust on the Internet

Plagiarism isn’t new, and the proliferation of shady websites and questionable decisions from search engine giant Google has led to sinister and sometimes silly evolutions in what fraudsters can do with the theft of someone’s intellectual property. According to Plagiarism Daily, we’re seeing a new outgrowth of plagiarism creep up on us. Gone are the...Continue reading→

Certified risk assessment report by Lazarus Alliance

What Is NIST 800-161?

With modern IT infrastructure becoming increasingly complex, intertwined systems managed through service providers and managing experts, the inevitable security problem rears its head. How can one organization, using several service providers, ensure their data security as it travels through those systems? Over the past decade, enterprise and government specialists have refined the practice of risk...Continue reading→

Professional risk assessment strategy by Lazarus Alliance

What Is a Risk Appetite Statement?

Over the past few weeks, we’ve talked quite a bit about risk: What it is. How it applies to compliance. How you can start to think about it as an aspect of your overall business strategy. In many of the cases we’ve discussed, we’ve referred to risk in terms of mitigation–how to close the gap...Continue reading→

Comprehensive risk assessment solutions by Lazarus Alliance

What Are the Problems with Risk Management?

In our previous article, we discussed the concept of risk management–what it is and why it’s important. However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts. While this move is a good one, we also find that many organizations will...Continue reading→

Secure ISO 31000 compliance framework by Lazarus Alliance

What is ISO 31000?

Many enterprises are looking for ways to increase their security and to protect their interests. As the world of cybersecurity, legal risk and operational challenges become more and more complex, checklist compliance regulations just aren’t going to cut it. That’s why governments and private organizations are increasingly turning to risk management as a tool for...Continue reading→

Lazarus Alliance HIPAA Audit attestations that help protect client's data and reputation.

The 2021 Guide to HIPAA Compliance

Table of Contents What is HIPAA? HIPAA Compliance Terminology What Are the Three Rules of HIPAA Compliance? What Is the HIPAA Privacy Rule? What Is the HIPAA Security Rule? What Is the HIPAA Breach Notification Rule? What Is the HITECH Act? What Is the Omnibus Rule? What Does HIPAA Compliance Entail? What Are the Penalties...Continue reading→

Cutting-edge cybersecurity vulnerability assessment by Lazarus Alliance

How Managed Service Providers Can Support Clients by Focusing on Security

Thousands of companies, and an increasing number of government agencies, are relying on managed service providers for products like cloud storage, security administration, and productivity technologies. This has put tech experts in the profitable and challenging position of providing innovative products to support their clients.

ISO 27000 Demystified

The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) provide a globally recognized framework for best-practice information security management: the ISO/IEC 27000 family of mutually supporting information security standards (also known as the ISO 27000 series). The most well-known of the series is ISO 27001, which sets out the specification for an...Continue reading→

Spear Phishing: Don’t Take the Bait!

May 18, 2016 Lazarus Alliance 0 Comment

Following a string of high-profile incidents that began earlier this year, the healthcare industry has been highly focused on preventing ransomware attacks. IoT security has also emerged as a growing concern. However, healthcare organizations (as well as businesses in other industries) cannot afford to ignore another growing threat: spear phishing.

Like regular phishing, spear phishing involves sending legitimate-looking but fraudulent emails asking users to provide sensitive information and/or initiate wire transfers. However, while regular phishing emails are sent out en masse to the general public, spear phishing emails are highly targeted and sent to specific, predetermined victims, usually a small group of people working at a specific company.

In a recent press release, the Federal Bureau of Investigation warned of a dramatic rise in a type of spear phishing known as a “CEO email scam” or a “business email compromise scam.” According to the FBI, from October 2013 to February 2016, law enforcement identified 17,642 victims, totaling $2.3 billion in losses. Since January 2015, reports of spear phishing have increased by 270%.

Main Line Health Attack Proves that Employee Data Is at Risk

In February 2016, while everyone’s attention was focused on the Hollywood Presbyterian ransomware attack, Main Line Health, which operates four hospitals near Philadelphia, was hit by a spear phishing scheme. Emails were sent to employees, purportedly from the organization’s CEO and CFO, requesting employee payroll and W2 information. While some employees immediately realized the emails were fraudulent and reported them to management, at least one employee was tricked into sending the requested information to the hacker. As a result, Main Line Health had to notify its employees that their personal information may have been compromised and offer them free credit counseling and monitoring services.

When healthcare organizations think about cybersecurity, they usually focus on patient data protection. However, the hackers who compromised Main Line Health were not seeking to infiltrate patient data, but employee data, and the attack may have been connected to a very large spear phishing scheme targeting HR and payroll professionals in various industries nationwide. It is suspected that the hackers running the scheme intended to use the stolen data to file fraudulent tax returns.

How to Protect Against Spear Phishing

Email spam filters can be adjusted to recognize emails from suspicious sources and block them before they reach employees’ inboxes. However, some phishing emails will undoubtedly still get through. The best way to protect against spear phishing is to teach employees how to recognize the telltale signs of a spear phishing email, such as:

The salutation and/or the closing seem odd. For example, management normally refers to you as “William” or “Mr. Doe,” but the email is addressed to “Bill.” In the case of Main Line Health, the closing is what alerted one employee to the fraud; the email message, which purported to be from the CEO, was signed “John Lynch,” but the employee knew that the company’s CEO goes by “Jack.”
The request is unusual and/or does not follow normal company protocol. For example, the email is asking for employee W2 information, but requests like this are not normally handled through email or by the employee who received the request, or the person who allegedly sent the email has never requested similar information before, or it’s unusual for the person who allegedly sent the email to directly contact that particular employee.
The wording and tone of the email are stilted. Many spear phishing attacks are launched by foreign hackers who are not fluent in English; the email may be riddled with punctuation, spelling, or grammar errors, be worded oddly, or use British spelling. The wording may also be overly formal – or overly casual.
The domain the email was sent from is incorrect. Instead of “yourcompany.com,” the email may have been sent from “yourcompany.com-xyz.com” or some other derivative.

Employees should be taught that if something seems “off” about an email, they should consult a supervisor or IT security personnel before responding to it. Additionally, as part of your organization’s overall cybersecurity plan, a firm protocol should be established regarding requests for sensitive employee and patient data, and employees should be trained not to release sensitive data unless the protocol is followed.

In addition to using email spam filters to intercept suspicious messages, training employees to spot spear phishing emails, and implementing a solid security plan that includes protocol for the release of sensitive data, it’s a good idea for healthcare facilities to enlist the services of a professional cybersecurity firm such as Lazarus Alliance. The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your healthcare organization from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect hospitals and other healthcare organizations from data breaches, ransomware, and spear phishing attacks.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 or book some time with us to discuss your organization’s cybersecurity needs and find out how we can help your organization protect your patient and employee data.

Glowing Neon malware sign on a digital projection background.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→

Stay ahead of federal and industry security alerts with Lazarus Alliance. Featured

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Make sure that your software is secure with or without AI. Trust Lazarus Alliance. featured

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Manage identity security and compliance with a trusted partner in Lazarus Alliance. featured

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Harden security against new AI attack surfaces. Work with Lazarus Alliance. featured

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Stay ahead of CMMC changes with Lazarus Alliance. Featured

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Lazarus Alliance helps enterprises manage identity security and data governance.

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→

FedRAMP Authorization assessments from Lazarus Alliance. featured

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→

Get expert monitoring and security support with Lazarus Alliance featured

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→

Audit & Compliance Awareness Continuum Cybevisor Services

IoT Security: Medical Devices Are the Next Target for Hackers

May 4, 2016 Lazarus Alliance 0 Comment

Up until now, healthcare cybersecurity has been focused on protecting patient data, ensuring HIPAA compliance, and, more recently, protecting systems from ransomware attacks. However, as healthcare technology advances, a new threat is emerging: the potential for hackers to attack smart medical devices such as insulin pumps and pacemakers. If IoT security is not taken seriously, innovation will be stunted and, in the case of healthcare, lives will be lost.

What is the Internet of Things?

The Internet of Things (IoT) refers to the growing number of “smart,” internet-connected devices that are infiltrating every part of our lives, such as fitness wearables, smart TVs, connected cars, smart thermostats, and even smart buildings. Business Insider estimates that over the next five years, $6 trillion will be spent developing IoT technology, and by 2020, 24 billion IoT devices will be in use.

The healthcare industry, which has historically been slow to implement new IT technology, has enthusiastically embraced IoT devices, which can be wearable (such as a fitness monitor) or implantable (such as an insulin pump). Allied Market Research predicts that the world IoT healthcare market will reach $136.8 billion by 2021, more than doubling its $60.4 billion value in 2014.

Despite this rapid growth, IoT security is severely lacking. IoT devices may be smart, but they have far weaker security controls than regular computers. IoT passwords are often hard-coded and freely available online, and some devices are very difficult to patch or update. There are a myriad of device manufacturers, with more entering the market every day – but no common security controls or best practices, and no procedures to track devices as they move through the supply chain from the manufacturer to the end user. This results in IoT devices having numerous vulnerabilities that are just waiting to be exploited.

IoT security vulnerabilities aren’t purely hypothetical. Recently, cybersecurity experts demonstrated how Nest’s smart thermostat and Ring’s smart doorbell could be breached and turned into entry points into a home network. (Ring’s manufacturer has since issued a firmware update to address the vulnerability.) While there have been no reported attacks involving either device, logically, it’s only a matter of time before an IoT device is targeted.

And if hackers can get into thermostats and home security devices, why couldn’t they breach a pacemaker or an insulin pump? Especially since someone has already done it.

Healthcare IoT Security: The Next Ransomware Threat

As we’ve reported in previous blogs, the healthcare industry has suffered from a number of major ransomware attacks in the past few months, beginning in February, when Hollywood Presbyterian Hospital, after being locked out of their system for a week, paid hackers the equivalent of $17,000.00 in Bitcoin to get back in. Some security experts feel that by caving in and paying up, the hospital inadvertently proved to hackers that using ransomware to attack healthcare facilities means fast money. If a hospital will part with large sums of money to get back into its computer system, how much would a patient be willing to pay to keep a life-sustaining medical device working?

Again, such a scenario is not hypothetical. TechTarget reports that two patients in a hospital in Austria figured out how to hack into their own medication infusion pumps because they felt their pain was not being managed properly. Frighteningly, to get in, the patients simply went online, looked up the hard-coded passwords for their pumps, then used them to log in and adjust their doses. The patients ended up overdosing and suffering respiratory problems.

If a layperson with no computer science training can manage to figure out how to hack into an IoT medical device, imagine what a money-motivated hacker with advanced technical skills could accomplish. A hacker could access a pacemaker or an insulin pump, begin draining the battery, and refuse to stop until the victim pays a ransom. The only obstacle would be determining how to deliver the ransom demand to the victim, but with reams of personal information easily available online, it would not be difficult for a hacker to obtain a victim’s mobile phone number or email address and use these to deliver the ransom demand.

What Can Healthcare Providers Do to Protect Patients?

The recent ransomware attacks on medical facilities have proven that hackers have no regard for human life and are fully willing to put fragile patients at risk in their quest to make a quick buck. The healthcare industry needs to take IoT security every bit as seriously as other forms of cybersecurity, and industry leaders must put pressure on IoT device manufacturers to establish security controls and best practices, such as eliminating hard-coded passwords and ensuring that IoT devices are as easy to patch and update as computers and mobile phones.

Healthcare facilities can take proactive security measures right now by developing a robust information security policy to include security awareness among all healthcare personnel and, from a technical perspective, continuous monitoring of systems so that baseline user patterns can be determined and deviations that may indicate possible attacks can be detected.

In addition to establishing an internal culture of security awareness, implementing a solid security plan, and monitoring systems for suspicious activity, it’s a good idea for healthcare facilities to enlist the services of a professional cybersecurity firm such as Lazarus Alliance. The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your healthcare organization from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect hospitals and other healthcare organizations from data breaches and ransomware attacks.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization prevent ransomware attacks and data breaches.