Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data

Soulskill posted about 2 months ago | from the low-hanging-fruit dept.

Security 68

jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.


I hope this surprises no one,.. (4, Interesting)

Selur (2745445) | about 2 months ago | (#47484511)

I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

Re:I hope this surprises no one,.. (4, Insightful)

Anonymous Coward | about 2 months ago | (#47484623)

When someone goes out of business and liquidates (is forced to liquidate) their capital assets, they're not going to give a crap about what data might be left on these devices.

Re:I hope this surprises no one,.. (1)

Anonymous Coward | about 2 months ago | (#47484715)

In theory, the bankruptcy attorney and the auction house are tasked with zeroing out the machine. However, even though some computers have a feature to zero hard disks (even if it is deleting and rebuilding an array from scratch, zeroing out all data that is unused), this can be obscure to impossible to find on most hardware.

Of course, this is something that might affect people big time if a major cloud provider goes bankrupt. The servers get sold, and just like the point of sale machine, the data gets accessed by another party, and because there are no contract or trade secret protections, the party with the data has complete control of it. A multi-terabyte torrent on TPB? Nothing anyone can do legally about that.

Re:I hope this surprises no one,.. (4, Informative)

mythosaz (572040) | about 2 months ago | (#47484745)

Restaurant fails to pay the lease.

Landlord slaps a new lock on the door.

Equipment is sold to a restaurant supply reclamation company, which any city of any size has.

Supply company puts their crap on eBay.

Re:I hope this surprises no one,.. (1)

Wootery (1087023) | about 2 months ago | (#47484793)

A restaurant supply reclamation company should surely have the expertise and the responsibility, no?

Re:I hope this surprises no one,.. (1)

BitterOak (537666) | about 2 months ago | (#47484839)

A restaurant supply reclamation company should surely have the expertise and the responsibility, no?

Responsibility to do what? It's not their data nor their customers' data on the stuff they're selling. They're just a buyer and seller of goods. As long as the equipment is not stolen and is in good working order when supplied to their customers they've met their responsibility. I'm not aware they have any responsibility to the former owners or their employees at all. Correct me if I'm wrong, though, I'm not a lawyer.

Re:I hope this surprises no one,.. (4, Interesting)

Jiro (131519) | about 2 months ago | (#47485041)

By that reasoning if the restaurant supply reclamation company instead found equipment contaminated with bacteria, and sold the equipment, and people got sick and died from it, they likewise wouldn't have any responsibility. Equipment that poses a threat to people because it spreads private data is not really all that different from equipment that poses a threat because it spreads disease.

(Which is not to say that it's legally the same, of course.)

Re:I hope this surprises no one,.. (0)

Anonymous Coward | about 2 months ago | (#47485481)

By that reasoning if the restaurant supply reclamation company instead found equipment contaminated with bacteria, and sold the equipment, and people got sick and died from it, they likewise wouldn't have any responsibility. Equipment that poses a threat to people because it spreads private data is not really all that different from equipment that poses a threat because it spreads disease.

(Which is not to say that it's legally the same, of course.)

If you buy a knife or a rusty scalpel from a store and you don't wash it before using it to prepare food or perform surgery... The knife store is not the party at fault.

Re:I hope this surprises no one,.. (1)

tk2x (247295) | about 2 months ago | (#47485499)

Yes, the reasoning stands. The new owner of the equipment has a duty to sanitize the equipment before using it for commercial food service and selling things to the public that touch it. Not the supply company.

Re:I hope this surprises no one,.. (1)

FatdogHaiku (978357) | about 2 months ago | (#47485503)

You would buy and use food prep equipment without cleaning it? I wouldn't even do that with a yard sale coffee cup that looked spotless. Even brand new food prep equipment has instructions to say wash before use. If restaurant "B" obtains something from defunct restaurant "A" and then deploys it without cleaning it, the equipment seller is not to blame... same as if new equipment were involved and the contaminant was industrial oil. The party using the item is responsible for the cleanliness of the item, ask a health inspector...
Data is a different story, with different liabilities that would get sorted on a case by case basis.

Re:I hope this surprises no one,.. (0)

Anonymous Coward | about 2 months ago | (#47486669)

Well, the direction of harm is opposite though, which is kinda relevant.

Re:I hope this surprises no one,.. (1)

Wootery (1087023) | about 2 months ago | (#47486721)

Supply reclamation. Not just a broker. Not just a trader. Someone who specialises in dealing with these products coming from failing companies. I don't agree that they're 'just a buyer and seller'.

Re:I hope this surprises no one,.. (1)

mythosaz (572040) | about 2 months ago | (#47485321)

You're kidding, right?

Said reclamation company is a warehouse downtown filled with commercial deep fryers, cold-cut-slicers, and an endless pile of banquet chairs.

[It's a great place to buy a sturdy table for cheap...]

Re:I hope this surprises no one,.. (1)

Wootery (1087023) | about 2 months ago | (#47486737)

You're just emphasising that they don't make the effort. That doesn't mean I'm wrong to suggest they should. I'm open to being convinced otherwise, but this doesn't strike me as a compelling argument.

Re:I hope this surprises no one,.. (1)

niftymitch (1625721) | about 2 months ago | (#47487685)

Restaurant fails to pay the lease.

Landlord slaps a new lock on the door.

Equipment is sold to a restaurant supply reclamation company, which any city of any size has.

Supply company puts their crap on eBay.

This tells me that the point of sale equipment is flawed to a degree that risks civil action. As bad as they are modern routers must be reset if the password is lost and as a minimum

Payment Card Industry (PCI) Data Security Standards need to address this. Please call your IEEE favorite standard person....

Re:I hope this surprises no one,.. (1)

BitterOak (537666) | about 2 months ago | (#47484821)

When someone goes out of business and liquidates (is forced to liquidate) their capital assets, they're not going to give a crap about what data might be left on these devices.

And even if they do give a crap, they might not be able to do anything about it. It is not uncommon in bankruptcy or liquidation proceedings for property to be seized immediately in order to prevent the (former) owners from carting off all the valuable goods and hiding them, possibly selling them off at a much later time. Businesses can be locked up and chains put on the doors to prevent the owners from looting the place before their inventory can be assessed. This could very well prevent even a security conscious business from deleting private data from systems before they're taken and sold off.

Re:I hope this surprises no one,.. (1)

K. S. Kyosuke (729550) | about 2 months ago | (#47485065)

Unless the local legislation requires handling personal data in a specific way and preventing a business from wiping it after ceasing its operations could be viewed as illegal (and so could simply taking computer systems with the data still on them).

Re:I hope this surprises no one,.. (1)

ShanghaiBill (739463) | about 2 months ago | (#47484859)

they're not going to give a crap about what data might be left on these devices.

Nor should they, because useful private data should never be stored on them in the first place. My name, address, and phone number are not private. Anyone can get them from the phone book or other public sources. So the only "private" information mentioned is the SSN. So the real solution is to get rid of the idiotic notion that SSNs are a "secret", and to ban their use as authentication keys. Then they can be published in the phone book, along side the name, so you know you are dialing the right "John Smith". Problem solved.

Re:I hope this surprises no one,.. (1)

Major Ralph (2711189) | about 2 months ago | (#47484933)

Interestingly enough, SSNs were never supposed to be used for identification/authentication keys. My father still has an old card that still has "Not to be used for identification" printed on it.

Re:I hope this surprises no one,.. (1)

ShanghaiBill (739463) | about 2 months ago | (#47485001)

Interestingly enough, SSNs were never supposed to be used for identification/authentication keys. My father still has an old card that still has "Not to be used for identification" printed on it.

The "Not to be used for identification" refers to the card, not the number. It is just saying that a Social Security card is not an identification card.

There is nothing wrong with using SSNs for identification. The government does it. The government also requires businesses and financial institutions to use SSNs to identify their employees and customers. The problem is the idiotic notion that SSNs can be both widely known (used for identification) and secret (used for authentication). Mere knowledge of my SSN should not, in any way, "prove" that I am me.

Re:I hope this surprises no one,.. (1)

ottothecow (600101) | about 2 months ago | (#47485529)

Yup. People should really think of SSN's as glorified names. That's all they are really supposed to be: a non-duplicative name, a unique key, an identifier that nobody else shares.

In fact, an authentication tool doesn't have to be unique. If you had a password associated with your SSN, who would care if both 123-45-6789 and 987-65-4321 had the same password? For all you know, your next-door neighbor could use the exact same gmail password as you and nobody would ever know.

Asking people to verify their SSN as a way of determining their identity is a step above asking them to spell their last name. Sure, if they don't know their last name, they are probably not the person they say they are, but that doesn't automatically mean the converse is true.

Re:I hope this surprises no one,.. (-1)

Anonymous Coward | about 2 months ago | (#47485249)

They would care if the Republicans would stop obstructing reasonable data privacy laws. If we started putting these wealthy business owners in prison, then they would start paying attention to all of the ways that they illegally screw over their slaves. Of course since the Republicans control the police, as far as I know, there has never been an arrest of one of their kind.

Re:I hope this surprises no one,.. (0)

Anonymous Coward | about 2 months ago | (#47485543)

From one AC to another, that has to be the most stupid-assed comment I have ever read on this site. Go post on Huffpo or Salon until you learn to reason a little. Oh, by the way, I'm a Democrat. You are not a Democrat, you are a loon.

Re: I hope this surprises no one,.. (0)

Anonymous Coward | about a month ago | (#47488167)

As another AC to you....the words chosen might have been a bit strong, but the description is fairly accurate as far as reality goes.

Small business owners (4, Insightful)

sjbe (173966) | about 2 months ago | (#47484749)

I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

As someone who has spent many years consulting to small businesses I can tell you that you are being too conservative. 99% is probably closer to the mark. Nearly all small business owners are clueless regarding data security and frankly don't really have the time to worry about it either. Running a small business is a hugely time consuming endeavor and dealing with the nuances of data security is a luxury most do not have time for. Shoot, you'd be terrified at how many of them don't even bother to back up key data like their accounting software.

I run a small business myself and while I'm more aware than most about our security I don't really have time to deal with all of it. At some point you sometimes simply have to live with a certain level of risk until you have the resources to address things properly.

Re:Small business owners (1)

Threni (635302) | about 2 months ago | (#47484835)

I think businesses will find time to focus on security when fines for leaking customers' details bankrupt them.

Re:Small business owners (1)

pupsocket (2853647) | about 2 months ago | (#47485667)

The research was not about the scandal of data left behind. That data proved to be an excellent fossil showing a business running an insecure system without basic protections, failing even to install security updates for seven years.

This, though, only confirms your own account and probably falls well within the known range of shortcomings.

So ...

Doesn't HP, for whom the author of this report works, compete with sellers of point-of-sale systems, which have become default inventory and accounting systems for many small businesses?

After all, this is not a story about how data was actually used in a crime. The article: "Even second-hand POS systems aren't cheap, so it's unlikely that cybercriminals would spend hundreds of dollars on a chance that a few contain personal data." The businesses who use the system are not directly harmed, are probably defunct, and don't have IT expertise in house.

If there were headlines about this method being used or complaints from banks and law enforcement, it would not be necessary to issue this report.

Just a guess, but I'd say that only insurance companies, card clearance companies, and governments have a stake here, and they are the intended audience. They have the clout to ban resales, or at least to erect high barriers to resale involving certified wiping and refurbishment, which would help sales of new systems and create new opportunities for service charges.

Re:Small business owners (2)

sjbe (173966) | about 2 months ago | (#47486045)

That data proved to be an excellent fossil showing a business running an insecure system without basic protections, failing even to install security updates for seven years.

You will find that the majority of small businesses fit that description. The company I work at right now has about a dozen computers. Before I got there ALL of them hadn't seen a security update in at least 5 years, the server wasn't being backed up, there was no firewall or antivirus to be found, the company books were done on a spreadsheet, etc. And they were better than many. I've consulted with probably 20-30 small businesses in the last 10 years and maybe 3 or 4 handled their computer security and data in even a moderately safe manner. Some I'm amazed they are still in business at all. Remember that the next time you say you want to support small business. (and then do it anyway!)

Re:Small business owners (0)

Anonymous Coward | about 2 months ago | (#47491871)

Does HP sell POS devices? Perhaps they should take this as a lesson and sell devices that are secure out-of-the-box, and can't really be configured to not be secure.

Design it into the hardware that the devices can't even be used without setting up a password. In fact, generate the password for the user on reset/initialization so it's properly random.

The devices must be secure not to protect the businesses as much as the customers, so this is one area where there probably should be some regulation and/or standards. Resales shouldn't be a problem for properly designed devices.

Re:Small business owners (1)

Concerned Onlooker (473481) | about 2 months ago | (#47485731)

"At some point you sometimes simply have to live with a certain level of risk..."

The problem is, the risk isn't yours. It's on the people whose private data you've leaked to the world. This just happened to me. My former employer (of about 8 years ago) had his laptop stolen while on location. Names, SSN's and who knows what else from former employees were all on that laptop. No encryption I assume. I got an email of warning but I'm too angry to make contact for more information.

Yes the risk is mine too (1)

sjbe (173966) | about 2 months ago | (#47485831)

The problem is, the risk isn't yours.

Sure it is. If any of my customers and/or employees found out that I had leaked their sensitive data then I would not only lose that customer/employee I would likely find our company at the pointy end of a lawsuit. (and rightly so) Given that our customers are mostly large companies I assure you that we cannot afford to piss them off. We take reasonable precautions but there are security holes that I'm aware of that the risk/reward ratio do not even come close to being justified. If a serious criminal targeted our systems and had the resources to do it right there isn't much I really can do to fend them off. We just aren't a big enough target to bother with.

Now in our case we don't deal with credit cards or social security numbers on a computer etc so the risk of someone getting sensitive data from us is fairly minimal. You'd have better luck rooting through our trash than our servers.

Re:I hope this surprises no one,.. (1)

Charliemopps (1157495) | about 2 months ago | (#47484871)

I bet 90% of all small businesses still have no real clue about data security and about the amount of data their printers, cash registers,.. still contain.

More importantly, when they're selling their POS it likely means they've gone out of business and simply don't care at that point.

Re:I hope this surprises no one,.. (0)

Anonymous Coward | about 2 months ago | (#47484969)

PCI data issues abound in any system with a HD. Where I work we use remote boot diskless cash registers.
But don't worry the big POS development houses are busy trying to crush this practice with their requirement for HD in the systems.

Re:I hope this surprises no one,.. (1)

Lumpy (12016) | about 2 months ago | (#47485267)

A friend bought a pallet of computers from an auction back in 1998. On the pallet we had computers from NASA and the DOD as well as other govt locations and many of them still had the hard drives in place. The NASA computer came with a box that was filled with floppies of all their software for satellite solar panel design and testing. There was also a Cromemco minicomputer that still had its 8" hard drive and a TON of emails left in it (cracking the root password was trivial with an OS boot floppy) from all 10 users on the system.

This has always been an issue with anything sold by companies or government.

Default Passwords? (4, Funny)

mythosaz (572040) | about 2 months ago | (#47484527)

It's hard to imagine that used equipment was sold with the default password...

I always include employee data, but I make the new purchaser guess my password.

meh, they're retail workers (1, Insightful)

jehan60188 (2535020) | about 2 months ago | (#47484561)

These are restaurant/retail workers. Society has already s*** all over them, so they shouldn't be surprised this happens to them.

Serious note: Small businesses (such as Target, or New York City) aren't good at data security.

Re:meh, they're retail workers (1)

Pope (17780) | about 2 months ago | (#47484585)

Since when is Target a "small business?"

Re:meh, they're retail workers (1)

Sowelu (713889) | about 2 months ago | (#47484621)

or New York City for that matter...

Re:meh, they're retail workers (2)

jehan60188 (2535020) | about 2 months ago | (#47484665)

since i like to use sarcasm to drive home a point.
the point being- big or small, not enough people care enough about security.

Re:meh, they're retail workers (0)

retchdog (1319261) | about 2 months ago | (#47484683)

since i like to use sarcasm to drive home a point.

you don't have a point.

Re:meh, they're retail workers (2)

idontgno (624372) | about 2 months ago | (#47484729)

I think his point is that you don't understand sarcasm.

Or, in the vernacular, "Whoosh!"

No Need to Hack (0)

Anonymous Coward | about 2 months ago | (#47484639)

No need to hack and break the law, just buy used commercial computers.

It's not really a treasure trove (1)

mveloso (325617) | about 2 months ago | (#47484767)

He didn't really get a treasure trove. He got some stuff that was sort of interesting, and maybe unfortunate.

It's not like he got every transaction of everyone who's used the system, their names, addresses, passwords, credit cards, security questions, etc.

Re:It's not really a treasure trove (1)

jehan60188 (2535020) | about 2 months ago | (#47484791)

i don't know, $200 for a handful of SSNs? He could probably get a $1000 CC for each SSN.
After laundering, he'll at least double his money if there's just one valid name/SSN/birthday on there.

Re:It's not really a treasure trove (1)

itsenrique (846636) | about 2 months ago | (#47484943)

Those SSNs are valuable to tax fraud "drop" scammers.

Re:It's not really a treasure trove (0)

Anonymous Coward | about 2 months ago | (#47486205)

And run a very high risk of going to federal prison. Moron.

Re:It's not really a treasure trove (1)

PraiseBob (1923958) | about 2 months ago | (#47486311)

Do you think waitstaff have great credit scores? Most don't even have bank accounts, much less any way to get credit cards. That's not exactly the most lucrative job to target for identity theft.

Yeah, that happens... (1)

MindPrison (864299) | about 2 months ago | (#47484781)

...I just delete it though, I have absolutely NO NEED for people's personal data. Maybe NSA does, but the average Joes (small businesses included) have NO need for these, it's material for the local newspapers though. OOOOH...security break, someone sold an unwiped harddisk and someone else took notice instead of formatting it.

Re:Yeah, that happens... (1)

Cardoor (3488091) | about 2 months ago | (#47484941)

What this world is coming to is for you and me to decide. </douchey-grammar-cop>

Re:Yeah, that happens... (1)

MindPrison (864299) | about 2 months ago | (#47485145)

What this world is coming to is for you and me to decide. </douchey-grammar-cop>

Sure, thanks. Changed!

Re:Yeah, that happens... (1)

Cardoor (3488091) | about 2 months ago | (#47485191)

np :)

Re:Yeah, that happens... (1)

Cardoor (3488091) | about 2 months ago | (#47485213)

not that this matters at all to anyone, except people like me who have the pet-peeve... but..

a good way to determine if you should use I or Me is to eliminate the other person in the sentence (confusion always happens because it's someone and Me/I... not when it's just me/i... so if you drop the other person, and then say it, it becomes clear... ie:
what this world is coming to is for I to decide

what this world is coming to is for me to decide
now it sort of becomes obvious as to which sounds right

neat, right?

Re:Yeah, that happens... (1)

MindPrison (864299) | about 2 months ago | (#47485309)

Very, thanks for the tip. I'll remember that!

SSN on POS? (1)

Anonymous Coward | about 2 months ago | (#47484783)

Why were employee Social Security Numbers (SSN) on a Point of Sale (POS) machine?

Re:SSN on POS? (4, Informative)

GameboyRMH (1153867) | about 2 months ago | (#47484819)

An excellent question.

I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

A hardware store and a couple car parts stores near my house have this setup. The car parts stores use them for parts info lookup as well. Maybe this machine was also holding the HR files.

Re:SSN on POS? (2)

aviators99 (895782) | about 2 months ago | (#47484891)

Full-featured POS systems can handle things like payroll, invoicing, inventory/food ordering, bill payment, appointment reminders for customers, etc.

Re:SSN on POS? (3, Informative)

Fnord666 (889225) | about 2 months ago | (#47485109)

Full-featured POS systems can handle things like payroll, invoicing, inventory/food ordering, bill payment, appointment reminders for customers, etc.

Yep. They're called Integrated Payment Platforms or Integrated Payment Systems and they're all the rage right now.

Re:SSN on POS? (0)

Anonymous Coward | about a month ago | (#47491077)

They're everybody's favorite single point of failure. Seriously though, my grandparents owned a small business and they didn't have time to fool around with computers, they needed them to just work. They would have changed the password, but that's about it.

Re:SSN on POS? (2)

tlhIngan (30335) | about 2 months ago | (#47485147)

I'm betting this POS machine was basically a full-blown PC hooked up to a cash drawer. It seems to be a popular setup with small businesses (I'm guessing actual cash registers cost a lot - and they're certainly not as versatile).

No, cash registers (the dumb kind) are fairly cheap things - a few hundred bucks tops.

The problem is, the dumb registers don't do more than record sales and all that.

The fancy PC based ones do tons more - they integrate with a backend inventory system to update real-time inventory counts, integrate with ticketing systems so customer orders can be entered in and it gets kicked out to the kitchen with no fuss (handy for restaurants - they key in the order at the front, and the kitchen gets it automatically), etc.

I'm guessing they also can handle time card and time tracking for the cashier currently logged in.

Auto parts stores also integrate into it a vendor inventory query system so they can place orders for parts with vendors right when the customer orders the product, and it'll keep track of customer details so when the part is scanned in, it can be linked back to who ordered it and all that.

And then there's the POS terminal that often is used to scan in parts that arrive - e.g., a bunch of new inventory comes in, anyone can go and scan it into the system and update the transit and on hand counts.

Re:SSN on POS? (1)

drinkypoo (153816) | about 2 months ago | (#47485697)

Auto parts stores terminals are literally acting as terminals in most cases, though. There's one machine in the store that's real, everything else is just there to display a GUI. This is increasingly true for anyone who has more than a couple of terminals, including supermarkets and hardware stores. Meanwhile, your community miniature market will probably still have a mechanical time clock, or something digital which is designed to behave just like one, and a dumb register that can't handle anything more complicated than tax schedules. It's small retail shops where I see the all in ones.

Obligations to card holders (1)

Anonymous Coward | about 2 months ago | (#47485095)

In order to process credit cards, the restaurant has an obligation to the credit card companies to secure card data under a standard called PCI. PCI does have a secure deletion requirement. I had to write a secure delete utility to get rid of PAN data.

If a company goes out of business, I doubt anybody's gonna care about that. So if you're a restaurant owner don't use a thick client architecture like Aloha where years of customer data resides on the poor Windows terminal. Windows was never meant for that. Instead use a different type of architecture where the Windows box is treated as the untrustworthy thing it really is and sensitive data is securely stored remotely at a secure facility controlled by the POS vendor.
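One way to check that a terminal's disk image holds no leftover card or employee data before the machine is resold, in the spirit of the PCI secure-deletion requirement mentioned in the comment above. This is an added example, not the commenter's utility or any vendor's tool; the function names, the 64-byte overlap and the sample bytes are assumptions made for illustration, and the SSN check is a format match only.

```python
import io
import re

# SSN alternative is a format check only (ddd-dd-dddd). PAN candidates are
# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(
    rb"(?P<ssn>(?<![0-9-])[0-9]{3}-[0-9]{2}-[0-9]{4}(?![0-9-]))"
    rb"|(?P<pan>(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9]))"
)
OVERLAP = 64  # assumption: any value above the longest match (37 bytes) works


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2:  # every second digit, counted from the right, is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(kind: str, raw: bytes) -> str:
    """Keep only the last four digits so the report does not leak the data."""
    digits = re.sub(rb"[^0-9]", b"", raw).decode()
    prefix = "***-**-" if kind == "ssn" else "*" * (len(digits) - 4)
    return prefix + digits[-4:]


def scan_stream(stream, chunk_size=1 << 20):
    """Return [(absolute_offset, kind, masked_value)] for a binary stream."""
    findings = []
    buf, base, resume = b"", 0, 0  # base: offset of buf[0]; resume: next offset to scan
    while True:
        chunk = stream.read(chunk_size)
        final = not chunk
        buf += chunk
        # Matches starting in the last OVERLAP bytes may be cut off by the
        # chunk boundary, so they are deferred to the next pass.
        limit = len(buf) if final else max(len(buf) - OVERLAP, 0)
        pos = resume - base
        while True:
            m = CANDIDATE.search(buf, pos)
            if m is None or m.start() >= limit:
                break
            kind = m.lastgroup
            digits = re.sub(rb"[^0-9]", b"", m.group())
            if kind == "ssn" or luhn_ok(digits):
                findings.append((base + m.start(), kind, mask(kind, m.group())))
                pos = m.end()
            else:
                pos = m.start() + 1  # look for a valid number inside a rejected run
        if final:
            return findings
        resume = base + max(limit, pos)
        keep = max(limit - 1, 0)  # one byte of context for the lookbehinds
        buf, base = buf[keep:], base + keep


# Constructed sample: filler bytes around one SSN-formatted string, one spaced
# test card number, one Luhn-invalid number, and one number hidden behind "12 ".
SAMPLE = (
    b"\x00" * 100
    + b"EMP;Jane Roe;000-12-3456;"
    + b"\xff" * 50
    + b"card=4111 1111 1111 1111;"
    + b"ref=4111111111111112;"
    + b"x 12 4111111111111111\n"
)

if __name__ == "__main__":
    for offset, kind, value in scan_stream(io.BytesIO(SAMPLE), chunk_size=64):
        print(f"{offset:>8}  {kind}  {value}")
```

A clean result from a scan like this does not prove a wipe succeeded, since encrypted, compressed or non-ASCII encodings of the same data are not matched.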

You don't have to worry about that with Sears. (1)

Kaenneth (82978) | about 2 months ago | (#47485357)

I recently visited my local Sears store, and noticed they still had the same registers from 1990, when I worked for them.

Re:You don't have to worry about that with Sears. (0)

Anonymous Coward | about 2 months ago | (#47485451)

Better than that. Some Sears stores have new tablet POS systems with barcode scanners. Great, right? Unless you want to pay cash. The cashier has to generate and transfer a unique transaction ID from the tablet to the old register. Very slow....

Re:You don't have to worry about that with Sears. (1)

Anonymous Coward | about 2 months ago | (#47485495)

If it works... don't fix it. I've yet to hear about horrid Sears breaches.

Done right, I don't see what is wrong with a 3151/3153 terminal [1], a card reader/card terminal (for chip and PIN), a UPC scanner, and maybe a cash drawer. Keeping the data on a central server isn't too bad an idea these days.

I wonder why more larger stores just have the bare essentials at the terminal. Enough IQ to handle Chip/PIN [2], scan stuff with a barcode/QR scanner, open or close the cash drawer, deactivate anti-theft tags, and allow the user to sign on a screen. However, beyond that, nothing else. Ideally, the register would be completely diskless [3], so if it disappears, it is about as useful to a thief as stealing a monitor or keyboard.

[1]: Sears uses/used to use RS/6000s/pSeries/POWER machines (the name depends on the vintage) as their main backend machines. Although not as snazzy/hip as an x86 server with the latest Windows operating system and the Web language du jour, these machines worked, and worked extremely well.

I have made some LPARs (logical partitions/vms) that were just for log archiving (where they would take syslog requests, shove them into Splunk, then let the enterprise backup program archive and delete the files.) You can actually remove root (where UID 0 is just another user.) Of course, it means rebooting that LPAR and mounting its root volume group on another instance to do updates and such... but it does make it extremely hard to attack that LPAR normally.

[2] Coming US-wide in 2015 unless the merchant is confident enough to eat losses themselves.

[3] Diskless machines booting from the network isn't new either. These days, this is easy to do... PXE boot an iSCSI shim, and one is off and running.

It's kind of telling that... (1)

jd2112 (1535857) | about 2 months ago | (#47485959)

One of the more popular point of sale systems on the market is called RealPOS

Re:It's kind of telling that... (1)

gnu-sucks (561404) | about 2 months ago | (#47486473)

I hear that system is a real POS.

I got something like this (1)

bobjr94 (1120555) | about 2 months ago | (#47486133)

A dentist's office bought all new workstation computers, they are friends with my boss and gave him the old computers to see if we could use them or give them away. They were password protected, so I downloaded an easy to find password reset cd from a pirate site, cleared the passwords and booted it up. While it did not have detailed patient information (that was still on their server) it had many patient pictures showing work they have done, word documents with patient names and addresses saying what work was done and the amount due, or now past due and other random letters. It would have been easy for some scammer to go through the word files, call or mail the patients that were late paying, saying they were a collections agency and if you pay me 50% now I'll clear your record.