How to intercept threats to the IT infrastructure, minimize the vulnerability of systems and protect yourself from potential hacker attacks
On Friday 13 November, the "Friday Coffee" appointment with MatiPay was dedicated to the theme "Cyber Security in Vending".
Francesco Liuzzi, Operations Manager of MatiPay and Fabio Lorenzo, General Manager of BrightCyde, illustrated the topic, offering many practical examples on security in the vending sector.
Brightcyde is a company of Angel Group specialized in cyber security that provides services and supports companies in the phases of design and implementation of infrastructures that require high standards of IT security. It is led by Fabio Lorenzo, who has over 15 years of experience in cyber security consultancy services, gained by assisting clients in various industrial sectors such as Financial Services, Energy & Utilities, Government and Vending.
The aim of the meeting was to explain the threats and potential problems in the world of vending, illustrate the solutions to protect yourself by improving the level of security and exploiting the latest generation technologies.
Critical factors of IT security in the vending sector
The first point concerns money management, in which the operator is involved personally or through third parties. Sometimes frauds can be difficult to prevent, as they include different situations, from the illegitimate appropriation of physical money in transit from the vending machine to the bank, to the theft of bank credentials for the execution of fraudulent transactions.
Furthermore, in recent years, also taking advantage of state incentives, operators have adopted digital tools to manage the various aspects of their business. These IT tools, despite being of great support for management, represent a risk if they are not used correctly or not updated regularly.
To guarantee an adequate level of security, it is necessary to act on people, processes and technologies. Attention to only one of these elements is not sufficient to avoid fraudulent episodes. For this reason, it is essential to establish an action plan within the company to implement the organizational, process and technological measures aimed at improving the level of corporate security.
Below we illustrate real case studies from the vending sector, with the aim of creating greater awareness of how important IT security is and how some attacks, even ones that are simple to carry out, can cause significant damage to companies.
Case study: Theft of rental charges
A medium-large vending company with more than a thousand customers receives and sends payments as part of day-to-day management, including rental charges, some of them annual. One day the company receives an e-mail from one of its contact persons announcing updated payment details; the payment is made to the new bank details which, it turns out later, were sent by a hacker. The hacker had managed to get hold of the e-mail address of a customer of the victim company, assessed the opportunities this offered and exploited them fully, and finally received the money on an IBAN created specifically for this purpose and deleted immediately afterwards.
As is clear, the company in question had not implemented any double-check procedure for counterparty data, and the staff involved were not able to recognize a potential danger. But how did the hacker enter the e-mail account without anyone noticing?
Means of attack: phishing emails
Brightcyde experts confirm that 75% of attacks stem from phishing emails. The “classic” example is “CEO fraud”. The scheme involves an email that appears to come from the CEO (in reality it is a hacker pretending to be the CEO) asking the Administrative Manager to make an urgent payment to a particular IBAN. The victim, receiving an order from top management, proceeds without asking too many questions. Unfortunately, he will discover too late that he was the victim of an attack and that the payment was in fact made to a hacker’s account. Hackers, constantly evolving, are able to produce increasingly plausible emails capable of getting past even the most solid technological protection barriers.
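The double-check procedure that was missing in the rental-charge case, and that also stops a CEO-fraud payment, can be written as a gate on every bank-detail change. The Python below is an added example, not MatiPay or Brightcyde code; the record layout, field names, phone number and sample customer are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
IBAN_RE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")

def normalize_iban(raw: str) -> str:
    return re.sub(r"\s+", "", raw).upper()

def iban_is_valid(raw: str) -> bool:
    """ISO 13616 check: move the first 4 chars to the end, map A-Z to 10-35, mod 97 must be 1."""
    iban = normalize_iban(raw)
    if not IBAN_RE.fullmatch(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1

@dataclass
class Counterparty:            # hypothetical master-data record
    iban: str
    contact_email: str
    callback_phone: str        # recorded at onboarding, never taken from the request

@dataclass
class ChangeRequest:           # hypothetical change request as logged by accounting
    counterparty: str
    new_iban: str
    sender_email: str
    confirmed_by_callback: bool = False

def review_change(req: ChangeRequest, master: dict) -> tuple:
    """Return (decision, signals). Only a callback to the number on file releases a change."""
    rec = master.get(req.counterparty)
    if rec is None:
        return "REJECT", ["unknown counterparty"]
    if not iban_is_valid(req.new_iban):
        return "REJECT", ["IBAN fails checksum"]
    new, old = normalize_iban(req.new_iban), normalize_iban(rec.iban)
    if new == old:
        return "NO_CHANGE", []
    signals = []
    if req.sender_email.strip().lower() != rec.contact_email.lower():
        signals.append("sender differs from contact on file")
    if new[:2] != old[:2]:
        signals.append("account moved to another country")
    if not req.confirmed_by_callback:
        return "HOLD", signals + [f"call {rec.callback_phone} to confirm"]
    return "APPROVE", signals

# Constructed sample data: published example IBAN, fictitious customer and phone number
MASTER = {"ACME-CAFE": Counterparty("IT60 X054 2811 1010 0000 0123 456",
                                    "billing@acme-cafe.example", "+39 000 0000000")}
```

A request sent from the customer's genuine mailbox still returns `HOLD`, which is the point of the case study: the sender address proves nothing once the mailbox itself has been taken over.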
Case study: CRM data compromise
A company operating in the OCS (Office Coffee Service) sector notices a decline in turnover. Customers who, according to company data, should already have needed a refill of coffee capsules deny the need and confirm that they are correctly supplied. In parallel, the accounting department receives customer complaints about notifications of changed payment data (i.e. different IBAN, bank, etc.). An investigation is launched, and it is discovered that identity theft was carried out by a competing company which, through the illegal acquisition of customer data and orders, managed to pose as the victim company and sell its capsules to the same customers!
In this case there was no direct theft of money, but a theft of data that probably caused more significant damage to turnover. Remedying this type of attack is very difficult, especially when, as in this case, the competitor company is abroad and therefore difficult to reach even from a legal point of view.
How could that happen? How can we protect ourselves?
Means of Attack: Data Breach
As we have seen, a hacker broke into corporate systems and downloaded Customer Relationship Management (CRM) data. Once made public in a data breach, an email address and password can be used by intruders for illegal activities. In the most dangerous cases, corporate account credentials are disclosed, because in addition to having a username and password, hackers can trace the victim’s employer. Some of the employees were victims of a data breach that allowed hackers to enter corporate systems.
Data breach attacks are very common and could affect any of us. Go and check whether your mailboxes have been involved in a data breach, and change your passwords!
Technology: Problem or Solution?
One might think that the safest way to avoid hacker attacks is to avoid using technology. But as we saw earlier, risks always exist, even in low-tech systems. In reality, digital systems become an indispensable support for solving IT problems. In vending, for example, telemetry is useful for detecting fraudulent activity quickly and effectively.
How to protect yourself from cyber attacks in vending
No system is hacker-proof. Cyber pirates continuously search for system vulnerabilities, and software producers continuously search for protection methods. The commitment is constant on both sides, like an endless game between cops and thieves.
By applying a structured approach to identify risk areas in company operations (such as payments or procurements), it is possible to implement an action plan to highlight weaknesses and strengthen the IT security of a vending company.
It is also important to define concrete and targeted procedures and processes. It is necessary to make the most of the systems already available, such as telemetry, which are an important tool for verifying the adequacy of sales data and for intercepting atypical actions.
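One way to use telemetry to verify sales data is to reconcile the cash a machine reports having received against the cash actually counted at each collection. The Python below is an added example, not MatiPay or Brightcyde code; the record layouts, machine IDs, amounts and tolerance values are assumptions, and all data is constructed.

```python
from datetime import datetime

# Constructed telemetry vends: (machine_id, ISO timestamp, payment method, euro cents)
TELEMETRY = [
    ("VM-001", "2024-11-01T18:00:00", "cash", 100),      # before the window, ignored
    ("VM-001", "2024-11-03T09:15:00", "cash", 150),
    ("VM-001", "2024-11-04T12:30:00", "cashless", 120),  # not in the cash box
    ("VM-001", "2024-11-06T16:45:00", "cash", 300),
    ("VM-002", "2024-11-03T10:00:00", "cash", 500),
    ("VM-002", "2024-11-05T11:00:00", "cash", 1500),
]
# Constructed cash collections: (machine_id, previous visit, this visit, counted euro cents)
COLLECTIONS = [
    ("VM-001", "2024-11-02T08:00:00", "2024-11-09T08:00:00", 450),
    ("VM-002", "2024-11-02T08:00:00", "2024-11-09T08:00:00", 1500),
    ("VM-003", "2024-11-02T08:00:00", "2024-11-09T08:00:00", 800),
]

def expected_cash(machine, start, end, telemetry):
    """Cash the telemetry says entered the machine in the window (start, end]."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sum(cents for m, ts, method, cents in telemetry
               if m == machine and method == "cash"
               and lo < datetime.fromisoformat(ts) <= hi)

def reconcile(collections, telemetry, abs_tol=100, pct_tol=2.0):
    """Return (machine, finding, expected, counted) for every collection needing review."""
    findings = []
    for machine, prev, cur, counted in collections:
        expected = expected_cash(machine, prev, cur, telemetry)
        allowed = max(abs_tol, expected * pct_tol / 100)  # coin jams, rounding, test vends
        if expected == 0 and counted > 0:
            # Cash was collected but the machine reported nothing: telemetry is silent
            findings.append((machine, "TELEMETRY_GAP", expected, counted))
        elif expected - counted > allowed:
            findings.append((machine, "SHORTFALL", expected, counted))
    return findings
```

A `SHORTFALL` points at money lost between the machine and the deposit, while a `TELEMETRY_GAP` means the sales data for that machine cannot be trusted until the reporting is restored.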
Finally, it is strongly recommended to use IT tools to reduce the risk of cyber attacks, such as, but not limited to, anti-spam systems or tools for detecting attacks on the network. Even for vending companies, the best way to protect themselves is to rely on expert companies that combine, on the one hand, the technical skills in the IT security field and, on the other, the business skills peculiar to the vending sector, in order to better support the risk analysis and the focus of remedial measures on the most critical areas for the business.