Social Engineering: Building a Scam


According to the 2017 Verizon Data Breach Report, 43% of all documented breaches involved social engineering.

With over 130 QIR certified technicians, Retail Data Systems invests in knowledge of the PCI compliance requirements through PCI Security Standards Council certification courses. We strive to provide the best service and equipment to meet those requirements, while also working hard to understand new threats our clients face in the cyberworld. Security awareness is one of the very first steps on the road to compliance and a crucial part of protecting your business.


Social engineering scams come in all shapes and sizes, which suits the attackers well, since the targets of these scams have widely different levels of experience and education with technology. If you have ever looked through your email Spam folder, you have probably seen some obvious examples of phishing attempts. The most common (and comical) tend to be those from "estate lawyers" writing in broken English about a dearly departed and wealthy relative overseas. Luckily, spam filtering exists to weed out emails like this. But as funny as those attempts may seem, the results of successful attempts are far from humorous.


An example of a more elaborate social engineering scheme began after the IRS website was breached back in 2015. Because scammers had gained access to social security numbers and sensitive information on more than 700,000 taxpayers, they were able to construct a remarkably sophisticated story, unlike our spam folder friends. These predators used a tool that spoofed their phone number, making it appear that the call originated from the IRS. Using fake IRS badge numbers, they intimidated their victims with threats of audits, property seizure, and even arrest if “back taxes” were not immediately transferred. They successfully stole money from countless victims, and that money is unrecoverable.

Over the last several years, there has been an increase in social engineering attacks for one reason: they work! As outlined in the Security Through Education blog post Why Attackers Might Use Social Engineering, “Social engineering tactics (especially phishing, vishing, and impersonation) are being used, in conjunction with digital hacking methods to make attacks more effective and inevitably more profitable for attackers.”

Because these tactics have worked at such high rates, human error is deemed the largest security threat to any organization. When taking into account the variation in sophistication of social engineering attacks and their end goal, it becomes apparent why cultivating security awareness and protecting proprietary information is so important.


Sources:

https://www.social-engineer.org/framework/general-discussion/attackers-might-use-social-engineering/

https://www.cbsnews.com/news/irs-identity-theft-online-hackers-social-security-number-get-transcript/


Social Engineering – What Is It?

You receive an email reminding you that an invoice is overdue, from somebody you don’t know or an email address you don’t recognize. “Just click on this link to see the invoice and easily make a payment…”

You get a phone call from a vendor requesting your address, password and/or other noteworthy credentials to clear up an issue with the service they have been providing for you…

These are the hallmarks of a Social Engineering attack.

Social engineering is a broad term, but can be simply defined as: the practice of obtaining confidential or sensitive information by manipulation of legitimate users. It is also termed “Human Hacking.”

In his whitepaper, Social Engineering: A Means to Violate a Computer System, Malcolm Allen writes, “’Social Engineering’ is a threat, often overlooked but regularly exploited; to take advantage of what has long been considered the ‘weakest link’ in the security chain of an organization – the ‘human factor.’” It is important to understand that, beyond the technological aspects of influencing a person, social engineering attacks are, in essence, a psychological trick.

All social engineering attacks are unique and range from telephone scams to phishing emails. The goals of a malicious social engineer can be compared to those of any criminal activity: money, knowledge, power, control, etc. In order to protect against social engineering scams, organizations must be introspective and brainstorm the reasons someone might want to target them. Based on that research, they should then take preventative measures, such as implementing mandatory security awareness training for employees. The first line of defense against these attacks is user awareness and education surrounding information security.

We will be talking about Social Engineering in our next few blogs, as the number of incidents is currently on the rise.

NCR OPTIC Completes First Outdoor EMV Transaction

NCR enables New York-based convenience store chain to introduce secure payments at the pump and create a consistent shopping experience across all fueling platforms.

DULUTH, Ga.–(BUSINESS WIRE)–NCR Corporation (NYSE: NCR), a global leader in omni-channel solutions, announced that it has conducted its first EMV payment transaction on the NCR OPTIC Outdoor Payment Solution at a Mirabito convenience store in Norwich, New York. Working with NCR’s channel partner Retail Data Systems, Mirabito is among the first convenience store retailers to embrace the secure payment scheme through the First Data network ahead of the 2020 liability shift deadline.

An important criterion for selecting the EMV-ready NCR OPTIC solution was its ability to digitally transform the forecourt to create a consistent customer experience across all fueling platforms. With NCR OPTIC, the customer experience will be very consistent at each Mirabito store, regardless of pump manufacturer or model. The prompting and customer touch points will be universal. Currently, Mirabito has implemented NCR OPTIC in three test stores and will be expanding adoption to new markets soon.

“We are very excited to be implementing this cutting edge at the pump technology at our stores,” said Eric Bunts, Chief Information Officer at Mirabito Holdings, Inc. “Upholding our customer’s credit card security is a primary objective of Mirabito and the NCR OPTIC solution allows us to increase our security positioning by accepting EMV chip cards at our fuel pumps. Additionally, the enhanced capabilities of NCR OPTIC fulfill a diverse range of customer experience objectives that are important to us as an organization.”

With the help of the NCR technology, Mirabito now can offer mobile payment through contactless integration and enhanced loyalty interactions with the integrated barcode scanner. Furthermore, the high definition video displays can be used for in-depth marketing promotions.

“The introduction of EMV payments provides convenience retailers with the unique opportunity to introduce new services and create a compelling customer experience, as well as convert consumers at the pump to in-store shoppers,” said Tom Chittenden, vice president and general manager of retail solutions at NCR Corporation. “Our goal is to help retailers drive more offers at the pump that today’s consumers demand, while remaining flexible for future deployments and technology developments. NCR OPTIC provides both and more.”

NCR OPTIC has been thoughtfully engineered to provide retrofit options for most brands of fuel dispensers. With an unprecedented open software platform, NCR OPTIC enables retailers to gain flexibility in developing their own unique applications to engage with their consumers like never before.

About Mirabito

Since 1927, Mirabito has been family owned and operated. Mirabito provides energy products and services for families and businesses throughout upstate New York, western Massachusetts, and Connecticut, with corporate offices located in Binghamton, NY. In addition to being an energy provider, Mirabito owns and operates more than 100 convenience stores throughout Central New York and Northeastern Pennsylvania, making Mirabito a convenient stop for customers and one of the largest convenience store chains in Central New York. The Mirabito Family of Companies includes Mirabito Energy Products, Mirabito Convenience Stores, Mirabito Truck Repair and the Rewards Plus customer loyalty program. For more information, visit www.mirabito.com.

About NCR Corporation

NCR Corporation (NYSE: NCR) is a leader in omni-channel solutions, turning everyday interactions with businesses into exceptional experiences. With its software, hardware, and portfolio of services, NCR enables nearly 700 million transactions daily across financial, retail, hospitality, travel, telecom and technology industries. NCR solutions run the everyday transactions that make your life easier. NCR is headquartered in Duluth, Ga., with about 30,000 employees and does business in 180 countries. NCR is a trademark of NCR Corporation in the United States and other countries. NCR encourages investors to visit its website which is updated regularly with financial and other important information about NCR.

http://www.businesswire.com/news/home/20171219005361/en/

Am I required to be PCI Compliant? Part 2

By law? No. By your credit card processor? Yes.

In a nutshell, PCI DSS is a baseline information security program. The PCI DSS outlines security best practices such as deploying a firewall and following password best practices. Merchants are required by their credit card processors to adhere to PCI requirements and are asked to attest to their compliance status annually. The merchant’s processor may ask them to fill out an SAQ (Self-Assessment Questionnaire) or to undergo a QSA-led (Qualified Security Assessor) PCI assessment as part of the client’s annual compliance validation process.

Are There Penalties?

Yes. Refusal to adhere to the PCI DSS and to the processor’s compliance validation requirements can result in suspension from credit processing networks and significant fines. These fines include chargebacks to the merchant and potentially additional third-party auditing costs.

It is more important now than ever to make PCI DSS a constant priority in all business considerations. The continuity the program provides helps ensure cardholder data is protected from malicious individuals. Because the world of digital transactions is ever-evolving, staying current with PCI practices is the best way to stay informed of the latest security practices.

Retail Data Systems Payment Services Receives Highest Honor from WorldPay

Alpharetta, GA:  Retail Data Systems Payment Services Division was awarded the highest honor at WorldPay’s Annual Awards Dinner last month in Alpharetta, GA. RDS General Manager Tom Wilyard accepted the honor for 1st Place MSP Volume, awarded to the #1 Independent Sales Organization (ISO) with the largest volume of card processing transactions in the U.S. with WorldPay. This collaboration spans the restaurants, grocery, retail and convenience store industries.

Tom Wilyard

Pleased with the recognition, Wilyard had this to say: “This year’s success is due to our RDS branch partners and staff who have continuously strived for excellence with deployments, training and support for encrypted POS transactions. Worldpay continues to share our commitment to our clients by providing excellent communication, support and feature rich products to RDS and our clients.”

Retail Data Systems is the largest provider of Point Of Sale Hardware and Software in North America. Founded in 1950, RDS now operates over 25 offices serving customers across the nation, providing complete Point Of Sale technology. Our team of over 400 professionals assures our customers of the best 24/7/365 service available. Our list of industry-leading POS hardware and software products provides a variety of solutions for companies large and small. For more information, please visit rdspos.com.

Worldpay is a global leader in payments processing technology and solutions for our merchant customers. We operate reliable and secure proprietary technology platforms that enable merchants to accept a vast array of payment types, across multiple channels, anywhere in the world. For more information, please visit http://www.worldpay.com.

Am I required to be PCI Compliant?

Think of the Payment Card Industry Data Security Standards (PCI DSS) as an umbrella that covers any entity that stores, processes, or transmits cardholder data; and even extends to service providers with the ability to affect the security of the cardholder data environment.

PCI Compliance is a requirement for any entity that meets the description above, and it also supports business continuity. On your journey toward compliance, it is important to remember that there is a difference between PCI DSS Compliance and PCI DSS Compliance Validation. Complying with the PCI DSS is not a feat that can be conquered overnight; it is an ongoing IT project.

PCI Compliant graphic borrowed from Nettitude (credit https://www.nettitude.com/a-guide-to-starting-the-pci-dss-process/)

THE VIEW FROM ABOVE: QIR Customer Experience Highlights

To maintain their certification, QIR companies are held accountable for the impact they have on the security of the cardholder data environment as they work to uphold the Payment Card Industry Security Standards Council (“PCI SSC”) Code of Professional Responsibility. Over the course of the last year, RDS has made major investments related to meeting the new QIR qualification and implementation requirements. Trained by the PCI SSC, RDS employees perform Qualified Installations every day in accordance with the QIR Program.

The diagram above shows the Qualified Installation process and parties involved. (diagram credit PCI-SSC)

The PA-DSS Implementation Guide is prepared by the software application vendor, such as NCR, and passed to the QIR Company (RDS). The QIR qualified employee uses this vendor-provided PA-DSS Implementation Guide, QIR Implementation Statement Instructions, and their knowledge of the PCI DSS, when implementing the payment application software into the merchant’s environment.

Throughout each stage of the implementation, the QIR employee documents details related to the install and PCI DSS on an Implementation Statement. This document provides a record of their work with a checklist of implementation/functionality items for the QIR employee to test and sign off. Within 10 business days of the installation, the QIR installer reviews the completed Implementation Statement for Quality Assurance. Once the document is signed off, the customer receives a copy for their records. To ensure continuing process improvements, the customer is invited to share their experience through a survey located on the PCI SSC website. The QIR Feedback Form serves as a tool for the PCI SSC to validate the performance of the QIR Company, in accordance with the QIR Program Requirements, through the customer’s experience.

RDS appreciates our customers’ feedback and can help guide and assist you as needed on your PCI Compliance journey. If you have any questions about our QIR Program, please email: compliance@rdspos.com.

QIR and The Small Merchant

Did you know that 60% of small businesses go under within 6 months of a cyber attack*? According to industry research**, restaurants and retail small business merchants make up the biggest portion of total known breaches, and only about 20% are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

In credit card processor speak, small business merchants fall into the Level 4 merchant category. As such, they are required to adhere to the PCI DSS and to demonstrate Payment Card Brand specific compliance annually. Failure to do so results in penalties by the processor. Merchants have seen many changes to their credit processor validation requirements over the last several years between updates to the PCI DSS, hardware, and the recent VISA Qualified Integrator and Reseller (QIR) mandate.

Last year VISA issued a QIR mandate to Level 4 merchants, who were given a deadline of February 2017 to begin utilizing only PCI Security Standards Council (PCI SSC) qualified QIR Companies for Point of Sale activities, or pay a fine. This is the first mandate of its kind, and other payment card brands are anticipated to follow suit in the near future. The mandate is meant to alleviate compliance risk during implementation and ongoing maintenance support of point of sale systems. By using organizations that have completed the PCI SSC QIR qualification, merchants improve security by ensuring that point of sale systems are installed and integrated in a manner that facilitates the merchant’s PCI DSS compliance and ultimately reduces risk.

RDS has over 130 QIR qualified technicians and is dedicated to cultivating internal PCI DSS awareness and serving as a resource to guide our customers throughout their PCI Compliance journey. As a QIR Company, RDS only installs and maintains PA-DSS validated payment applications and implements data security into every facet of business operations, from the implementation of point-of-sale systems, to keeping our employees trained and up-to-date with the latest security standards.

In the POS industry since 1950, RDS has continuously adapted and grown through many changes, providing smarter products and support to our clients year after year. This includes cultivating PCI DSS compliant processes and environments in order to serve as an advisor to our clients. RDS is proud to have over 130 employees QIR qualified to conduct Qualified Installations and assure compliance with the PCI DSS.

*Cyber Security Statistics – Numbers Small Businesses Need to Know, Jan 3, 2017, Small Business Trends (https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html)

**Verizon 2015 PCI Compliance Report
Visa graphic borrowed from PCI SSC (credit www.pcisecuritystandards.org)

Crazy Bowls & Wraps Selects PAR’s Cloud-Based Brink POS® Software

Solution also includes Brink Online/Mobile Ordering and PAR EverServ® Terminals

New Hartford, NY- July 27, 2017 – ParTech, Inc. (PAR), a leading global provider of point of sale (POS) and workforce efficiency solutions to the restaurant and retail industries, announced Crazy Bowls & Wraps has selected PAR’s Cloud-Based Brink POS® Software and EverServ® 500 and 550 terminals for all 16 locations, with plans to expand with additional new store openings this year. Crazy Bowls & Wraps serves fresh, real food that is made from scratch daily.

ParTech, Inc. is a wholly owned subsidiary of PAR Technology Corporation (NYSE: PAR).

Crazy Bowls & Wraps was using a legacy point of sale solution, which made it difficult to implement back of house applications that integrated with above-store accounting, operational, and human capital systems. It was also extremely labor intensive to perform menu and price changes, as each location required individual updates performed by management. Efficiently analyzing customer and transactional information was a challenge, as well.

“With the capability of cloud technology today, we started searching for a solution that gave us remote management from anywhere, with a partner that could be there for us locally as we continue to expand our brand,” said Keith Kitsis, Founder, Crazy Bowls & Wraps.

RDS St. Louis, a value-added reseller, facilitated the process to identify the best solution for their needs.

The Brink solution, a cloud-based enterprise management system, will enable Crazy Bowls & Wraps to centrally control and deploy updates to all 16 locations, integrate with the current and future above-store systems, and position Crazy Bowls & Wraps for growth.

“RDS and PAR have provided great insights and support in the seamless transition of the new system and the growth of our omni-channel presence, providing our customers more ways to ‘go for the good.’ From the store to the office, we have been pleased in the ease of use and expandability the product offers,” added Kitsis.

Crazy Bowls & Wraps is seeing improved customer engagement by offering them a best in class omni-channel experience from Brink’s online and mobile ordering platforms, and investigating the comprehensive loyalty solution. Although they are early in the process of implementing this, they are seeing great potential in both incremental revenue and speed of service improvements.

“We are excited to have Crazy Bowls & Wraps select Brink for all locations. Brink was designed to be forward thinking and with the end user in mind, resulting in an easy to use and quickly adoptable solution,” said Paul Rubin, Chief Strategy Officer, ParTech, Inc. “With Brink online ordering and loyalty in place, guests will have a more engaging experience, and a more convenient and accessible way to order their favorite CBW dishes.”

“RDS is proud to have the opportunity to partner with Crazy Bowls & Wraps in providing PAR’s cloud-based Brink POS Software,” said Chris Cutting, General Manager, Retail Data Systems of St. Louis (RDS). “With the solution’s robust reporting and remote management capabilities, it addressed the issues that were once faced with their traditional, legacy systems. It is exciting to see CBW grow and offer the best possible experience for customers with online ordering and loyalty options.”

ABOUT CRAZY BOWLS & WRAPS

Crazy Bowls & Wraps opened its first store in St. Louis, MO in 1994. While CBW has continually evolved and expanded over the years, they continue to serve fresh, real food that is made from scratch daily. By making it easier to enjoy delicious, fresh ingredients, CBW helps people feel good about themselves and the world we share. For more information and a list of locations, visit http://crazybowlsandwraps.com/.

ABOUT RETAIL DATA SYSTEMS (RDS)

Retail Data Systems is the largest provider of Point of Sale Hardware and Software in North America. Founded in 1950, RDS now operates over 25 offices serving customers across the nation, providing complete Point of Sale technology. Their team of over 400 professionals assures customers of the best 24/7/365 service available. Their list of industry-leading POS hardware and software products provides a variety of solutions for companies large and small. For more information, visit http://www.rdspos.com/.

ABOUT PAR TECHNOLOGY CORPORATION

PAR Technology Corporation’s stock is traded on the New York Stock Exchange under the symbol PAR. PAR’s Restaurant/Retail segment has been a leading provider of restaurant and retail technology for more than 30 years. PAR offers technology solutions for the full spectrum of restaurant operations, from large chain and independent table service restaurants to international quick service chains. Products from PAR also can be found in retailers, cinemas, cruise lines, stadiums and food service companies. PAR’s Government segment is a leader in providing computer-based system design, engineering and technical services to the Department of Defense and various federal agencies. For more information, visit https://www.partech.com/ or connect with PAR on Facebook and Twitter.

Software 4 Retail Solutions Releases S4Vision For Unified Customers

Software 4 Retail Solutions has released S4Vision for Unified Grocers customers participating in Unified’s “Scan Advantage” store data and analytics program. S4Vision is a self-service business intelligence platform that accumulates and analyzes real-time point-of-sale (POS) transaction data, giving store owners and managers actionable reporting and analytics on their desktop, tablet or smartphone.

S4Vision connects store managers directly to high-level summaries of trends and performance, with detailed drill-down whenever and wherever they need it, Software 4 Retail says. Managers can see chain and store real-time sales, with period-over-period trends including metrics such as customer count, basket size, average retail and items per basket. They also can dive deeper into department sales and metrics to examine strong or under-performing areas of the business. The platform provides daily projections to help managers anticipate product demand and customer visits.

S4Vision’s capabilities include measuring key performance indicators such as open department sales, no sales, refunds and voids so managers can track store labor and prevent loss. Real-time alerts are issued for abnormal activity and performance. Additionally, customer traffic can be measured against cashier labor to validate labor schedules.

“We are very pleased to be a preferred technology partner with Unified Grocers,” said Rick Goertzen, GM of Software 4 Retail Solutions. “We’re confident that Unified’s retailers will enjoy the convenience and control of having S4Vision’s real-time data and analytics in the palm of their hands, and quickly see increased performance and sales growth storewide.”

Brian Legate, manager of retail analytics at Unified Grocers, said, “We’re delighted to add S4Vision to our suite of mobile offerings to help our independent retailer customers better compete and grow in their marketplaces. S4Vision is well-suited for helping our retailers take full advantage of Unified’s Scan Advantage program and all that it offers.”