Sorry, as much he is responsible but any time a person in some sensitive role leaves the company all the passwords he/she had access are changed automatically for next person in that role. This was in 70's and it has been the rule in all the systems I have designed since then. No exceptions, be it a CEO, developer or one of door guards. Weird? Not too difficult, one role has just a limited access so there are not too many things to change. Now, of course, I do get arguments as what about this and that password? It is vital to use two way passwords, you have an access to system generating / assigning the needed password which will never released to anybody, no need for that. Block the access and good luck trying to find the real password(s). You design that right, remember changing technology / platforms / even languages and it works. Forget politics!

What the hell is wrong with these companies? Why are they saving people's CC#'s? Apparently they can't even be bothered to encrypt them.

Ever heard the word "keylogger"? That is the problem: he was logging all the keys pressed.

Would it be possible to have these kiosks working in a way that remote access is not possible? Would being behind a properly configured router avoid this? Sounds too simple, so it probably is not the case. But I couldn't help wondering (since I had to change some configs in my home router once to be able to SSH into my home computer from work).

PH because this is probably a PH-level question...

It lies squarely with whatever company is involved to keep their public systems secure against these types of crimes. The guy obviously had login credentials sufficient enough to install software and that should never happen without the proper authorities knowing exactly who is logging in at all times. It's not rocket science to update passwords and remove any default ones and assign unique ones only to authorized personnel. How lazy are these companies and do we want to trust their services if they can't do something as simple as that? Oh yeah, they have to pay someone for the time to do it.... forget it.

I guess the former employer has never been introduced to the concept of granting access to _groups_, then adding an employees' account to the group. When the account is removed, access is gone, and no need to scramble around changing passwords. Of course, then they'd have to know how to remotely authenticate...

Probably not. Since he had physical access to the machines, he was able to install the software, which then sends him the information. Firewalls only protect against incoming traffic, not outgoing. Further, if the machines were to initiate an outgoing connection to his machine, he would be able to "shovel a shell" across the connection, turning it in essence into an incoming connection.

When physical access is granted to a machine, all security is considered null and void, or so the saying goes...

"...and I would have got away with it, if it wasn't for those pesky, meddlesome kids."