Channel Register

Comments on: Man siphons info for 300 credit cards from hotel kiosks

And they didn't 

Posted Wednesday 19th December 2007 07:56 GMT

Coat

Sorry, as much as he is responsible, any time a person in some sensitive role leaves the company, all the passwords he/she had access to are changed automatically for the next person in that role. This was in the 70's and it has been the rule in all the systems I have designed since then. No exceptions, be it a CEO, a developer or one of the door guards. Weird? Not too difficult: one role has just a limited access, so there are not too many things to change. Now, of course, I do get arguments as to what about this and that password? It is vital to use two-way passwords: you have access to a system generating / assigning the needed password which will never be released to anybody, no need for that. Block the access and good luck trying to find the real password(s). You design that right, remember changing technology / platforms / even languages, and it works. Forget politics!

Why are the CC#'s being saved?! 

Posted Wednesday 19th December 2007 15:56 GMT

What the hell is wrong with these companies? Why are they saving people's CC#'s? Apparently they can't even be bothered to encrypt them.

CCs 

Posted Wednesday 19th December 2007 17:04 GMT

Ever heard the word "keylogger"? That is the problem: he was logging all the keys pressed.

Question... 

Posted Wednesday 19th December 2007 20:45 GMT

Paris Hilton

Would it be possible to have these kiosks working in a way that remote access is not possible? Would being behind a properly configured router avoid this? Sounds too simple, so it probably is not the case. But I couldn't help wondering (since I had to change some configs in my home router once to be able to SSH into my home computer from work).

PH because this is probably a PH-level question...

I tend to agree with Tuomo 

Posted Thursday 20th December 2007 00:26 GMT

Unhappy

It lies squarely with whatever company is involved to keep their public systems secure against these types of crimes. The guy obviously had login credentials sufficient enough to install software and that should never happen without the proper authorities knowing exactly who is logging in at all times. It's not rocket science to update passwords and remove any default ones and assign unique ones only to authorized personnel. How lazy are these companies and do we want to trust their services if they can't do something as simple as that? Oh yeah, they have to pay someone for the time to do it.... forget it.

netgeek 

Posted Thursday 20th December 2007 01:28 GMT

Coat

I guess the former employer has never been introduced to the concept of granting access to _groups_, then adding an employee's account to the group. When the account is removed, access is gone, and no need to scramble around changing passwords. Of course, then they'd have to know how to remotely authenticate...
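The two comments above (Tuomo's "rotate every password the leaver could reach" and netgeek's "grant access to groups, not people") describe the same offboarding problem from two sides. The following is an added example, not code from either commenter or from the kiosk vendor: a toy directory model in which access is carried by group membership, and where offboarding an account both removes it from every group and rotates any shared secret (a device password, for instance) that those groups could use. The class, resource and group names are constructed for the illustration.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits


def new_secret(length: int = 24) -> str:
    """Generate a fresh random shared secret (CSPRNG-backed)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Directory:
    """Constructed toy directory: groups carry the access, accounts are only members."""
    groups: dict[str, set[str]] = field(default_factory=dict)       # group -> member accounts
    resource_groups: dict[str, str] = field(default_factory=dict)   # resource -> group allowed to use it
    shared_secrets: dict[str, str] = field(default_factory=dict)    # resource -> current shared secret

    def add_member(self, group: str, account: str) -> None:
        self.groups.setdefault(group, set()).add(account)

    def register_resource(self, resource: str, group: str, shared: bool = False) -> None:
        self.resource_groups[resource] = group
        if shared:
            self.shared_secrets[resource] = new_secret()

    def can_access(self, account: str, resource: str) -> bool:
        """Access is decided purely by group membership, never by the account itself."""
        group = self.resource_groups.get(resource)
        return group is not None and account in self.groups.get(group, set())

    def offboard(self, account: str) -> list[str]:
        """Remove the account from every group it is in, then rotate every shared
        secret that one of those groups could use. Returns the rotated resources."""
        affected = [g for g, members in self.groups.items() if account in members]
        for g in affected:
            self.groups[g].discard(account)
        rotated = []
        for resource, group in self.resource_groups.items():
            if group in affected and resource in self.shared_secrets:
                self.shared_secrets[resource] = new_secret()
                rotated.append(resource)
        return sorted(rotated)


def demo() -> tuple[bool, list[str], bool]:
    """Build a constructed scenario: a technician who can reach the kiosk fleet."""
    d = Directory()
    d.register_resource("kiosk-admin-console", "kiosk-technicians")
    d.register_resource("kiosk-local-admin-password", "kiosk-technicians", shared=True)
    d.register_resource("payroll-db", "finance")
    d.add_member("kiosk-technicians", "tech01")
    d.add_member("finance", "acct01")

    before = d.can_access("tech01", "kiosk-admin-console")
    old_pw = d.shared_secrets["kiosk-local-admin-password"]
    rotated = d.offboard("tech01")
    after = d.can_access("tech01", "kiosk-admin-console")
    # The finance group's resources are untouched, and the fleet password changed.
    assert old_pw != d.shared_secrets["kiosk-local-admin-password"]
    return before, rotated, after


if __name__ == "__main__":
    print(demo())  # (True, ['kiosk-local-admin-password'], False)
```

The point of the model is that the group, not the person, owns the access: removing one membership revokes everything at once, and the only things that still need rotating are secrets that cannot be bound to an individual, such as a local administrator password shared across a fleet of kiosks.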

Re: J 

Posted Thursday 20th December 2007 02:08 GMT

Probably not. Since he had physical access to the machines, he was able to install the software, which then sends him the information. Firewalls only protect against incoming traffic, not outgoing. Further, if the machines were to initiate an outgoing connection to his machine, he would be able to "shovel a shell" across the connection, turning it in essence into an incoming connection.

When physical access is granted to a machine, all security is considered null and void, or so the saying goes...
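The question and reply above turn on the fact that a router configured only to block inbound connections does nothing about a kiosk that phones out on its own. The defensive counterpart is to allow-list the kiosks' outbound traffic and alert on anything else. The following is an added example, not code from the commenters or from the hotel chain: it runs an egress allow-list check over a handful of constructed firewall log lines. The log format, the kiosk subnet (10.20.0.0/24), the allowed destinations and the 203.0.113.0/24 addresses are all assumptions made up for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed log line format (constructed for the example):
#   "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed network layout: the kiosks live on one segment and legitimately need
# only the booking back-end over HTTPS and the internal resolver over DNS.
KIOSK_NET = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOW = {
    (ipaddress.ip_network("10.1.5.10/32"), 443),  # booking back-end (assumed)
    (ipaddress.ip_network("10.1.5.20/32"), 53),   # internal DNS (assumed)
}

Alert = namedtuple("Alert", "ts src dst dport proto")


def parse(line: str):
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(dst: ipaddress._BaseAddress, dport: int) -> bool:
    """True if the destination/port pair is on the kiosk egress allow-list."""
    return any(dst in net and dport == port for net, port in EGRESS_ALLOW)


def unexpected_egress(lines) -> list:
    """Flag every kiosk-originated flow whose destination is not allow-listed.
    Flows from non-kiosk hosts and unparseable lines are ignored."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src not in KIOSK_NET:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        if is_allowed(dst, dport):
            continue
        alerts.append(Alert(rec["ts"], str(src), str(dst), dport, rec["proto"]))
    return alerts


# Constructed sample log: two legitimate kiosk flows, one kiosk flow to an
# outside mail port, one flow from a non-kiosk host, and one garbled line.
SAMPLE_LOG = [
    "2007-12-19T07:56:01 src=10.20.0.14 dst=10.1.5.10 dport=443 proto=tcp",
    "2007-12-19T07:56:02 src=10.20.0.14 dst=10.1.5.20 dport=53 proto=udp",
    "2007-12-19T07:57:40 src=10.20.0.14 dst=203.0.113.7 dport=25 proto=tcp",
    "2007-12-19T07:58:03 src=10.30.0.5 dst=203.0.113.7 dport=25 proto=tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for a in unexpected_egress(SAMPLE_LOG):
        print(f"{a.ts} kiosk {a.src} -> {a.dst}:{a.dport}/{a.proto} not on egress allow-list")
```

Run against the sample, only the third line is reported: a kiosk opening a connection to an outside host on port 25, which no kiosk has a business reason to do. The same allow-list, applied as a deny-by-default egress rule on the router rather than as an after-the-fact log check, is what "properly configured" would have to mean for the question in the comment above.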

How did he get caught? I don't want to make the same mistake... :P 

Posted Thursday 20th December 2007 17:15 GMT

Joke

"...and I would have got away with it, if it wasn't for those pesky, meddlesome kids."