All we need to top off this post is a little old lady screaming “Where’s the Breach?” God bless 80’s marketing.

A merchant out of Austin, Texas is claiming that a breach in their network came from Heartland Payment Systems (HPS), thus it must be their fault. While I am sure this is not the first merchant to be caught off guard, he’s certainly a creative one. Our culture in America seems to relish deflecting blame from oneself onto others.

Why, it couldn’t be me, it must be that guy over there.

What’s interesting about this particular case is that the quotes in the article are being interpreted in a manner that is inconsistent with these kinds of breaches and the kinds of services that HPS offers. I’ve seen a few blogs proclaiming a second Heartland breach, but I’m not sure what specifically would make someone leap to that conclusion. According to their website, HPS does not offer a managed POS solution today (Integrated POS is another story, but I don’t see this as being the issue here). Typically an independent dealer or Value Added Reseller (VAR) will sell the POS, manage it, and then send the payment processing component to companies like HPS. Unfortunately, that’s where things break down.[1]

Restaurants are breached frequently. Restaurateurs rarely hire skilled IT staff to build out the systems that run the kitchen and dining areas (that’s what the VARs are for), but they typically find ways to use the basic on-premise IT components to differentiate themselves from their competition. Maybe they offer a community PC or free Wi-Fi connectivity to patrons so they can work remotely while enjoying the food and service the location provides. The diagram below depicts a typical restaurant setup:

Typical restaurant setup. Note location of Wi-Fi.

Does anything there seem odd to you? It should. In this case, a Wi-Fi access point is on the SAME NETWORK as the POS devices! The correct placement of a customer-facing Wi-Fi access point is between the firewall and the router.[2]

From the article linked above: “The spokesman is quoted as saying that somebody had hacked into a computer system ‘somewhere between Tinos’ point of sale and their credit card clearinghouse company.’” Kind of looks like that diagram, doesn’t it?

One way credit card breaches are found is through Common Point of Purchase (CPP) analysis. This analysis takes a set of cards known to be compromised and identifies the most common place where they were all used. Once a CPP is identified, notification begins and an investigation ensues.

In the case of the original Heartland breach, multiple CPPs began coming in, all tied to Heartland, with the common cards showing up at multiple merchants. This caused the investigation to shift upstream to focus on Heartland, and we know the history behind that now. In this case, it’s a little too early to try and claim another Heartland breach. Maybe bloggers want to put this out just to say, “Look! SEE! I got something right for once!”
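
The CPP analysis described above, as an added example that is not from the original post: it ranks merchants by how many of the known-compromised cards were used there, and names a shared processor only when two or more CPPs are flagged. The transaction records, the merchant and processor names, the thresholds and the lift measure are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (card token, merchant, processor); not real data.
TRANSACTIONS = [
    ("c1", "Restaurant A", "Processor X"), ("c2", "Restaurant A", "Processor X"),
    ("c3", "Restaurant A", "Processor X"), ("c4", "Restaurant A", "Processor X"),
    ("c6", "Restaurant A", "Processor X"),
    ("c1", "Grocery B", "Processor Y"), ("c2", "Grocery B", "Processor Y"),
    ("c5", "Grocery B", "Processor Y"), ("c6", "Grocery B", "Processor Y"),
    ("c7", "Grocery B", "Processor Y"), ("c8", "Grocery B", "Processor Y"),
    ("c3", "Gas C", "Processor X"), ("c5", "Gas C", "Processor X"),
]
COMPROMISED = {"c1", "c2", "c3", "c4"}  # constructed: cards reported with fraud


def common_points_of_purchase(transactions, compromised,
                              min_coverage=0.75, min_lift=2.0):
    """Return (merchant, coverage, lift) for merchants that look like a CPP.

    coverage: share of the compromised cards that were used at the merchant.
    lift: coverage divided by the share of non-compromised cards seen there,
    so a merchant that everybody visits does not stand out (assumed measure).
    """
    seen, all_cards = defaultdict(set), set()
    for card, merchant, _processor in transactions:
        seen[merchant].add(card)
        all_cards.add(card)
    clean = all_cards - compromised
    flagged = []
    for merchant, cards in seen.items():
        coverage = len(cards & compromised) / len(compromised)
        baseline = len(cards & clean) / len(clean) if clean else 0.0
        lift = coverage / baseline if baseline else float("inf")
        if coverage >= min_coverage and lift >= min_lift:
            flagged.append((merchant, coverage, lift))
    return sorted(flagged, key=lambda r: (-r[1], -r[2]))


def upstream_candidates(cpp_merchants, transactions):
    """Processors shared by every flagged merchant; empty unless 2+ CPPs."""
    by_merchant = defaultdict(set)
    for _card, merchant, processor in transactions:
        by_merchant[merchant].add(processor)
    if len(cpp_merchants) < 2:
        return set()  # a single CPP keeps the investigation at the merchant
    return set.intersection(*(by_merchant[m] for m in cpp_merchants))
```

With the constructed data, only Restaurant A is flagged, so nothing points upstream at its processor.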

Based on the information in the article and what I can ascertain from other sources, this looks no different than any other of the thousands of restaurant breaches that occur every year.

This post originally appeared on BrandenWilliams.com.

  1. Often these companies will install systems with weak remote access passwords (Does Welcome1 sound familiar?), or the users will do things like browse webmail on the back-of-house systems.
  2. Or at least the most common place you might find it. Restaurants with integrated router/firewall devices should use the DMZ functionality that comes with them.