Yeah, the whole thing is just crazy. Apparently the systems were accessed through a hidden admin account that Firefly had set up for support. It sure sounds a lot like what happened with Radiant. Had I been aware of the account, I would have changed the password, like I had done with all of the other accounts that they set up with a password of "password" or "4Phoenix". If you have a Firefly system that is more than a year or two old, I imagine that is what yours are.

Ultimately, I am under the impression that it is not directly a Linksys issue, but more to do with how Firefly set up the router for their remote support (e.g. Remote Desktop). All I got from them was, "well, security of your system is your responsibility." While there is some truth to this, if they don't provide me with the information to change default passwords, close ports, etc., I can't do it. Now their big copout is, "we told you to upgrade to a VPN router." Oh really, when was that? In an email I never got in 2008 there is a small paragraph that they have a VPN router, but nothing about why it was needed. But again, I never received this email and am only aware of it because they mailed it out with their nice letter. Not to mention that the way they set it up, it wouldn't pass a security scan. Seems like something that may have deserved a phone call or perhaps an actual letter mailed out. Had I been told, "Our Linksys setup is not PCI compliant, we recommend you upgrade to a VPN router to maintain compliance," I would have done it.

My whole other issue is that we upgraded the server in January 2011, and did they give us the PCI compliant version of Firefly? The answer is no, from what I can tell. This is well after POS providers were required to be PCI DSS compliant. So I guess you only get the compliant version if you are a new customer?
Sorry for being continuously long winded. My hope is that if the information is out there, it may prevent somebody from going through the same experience I am. And maybe Firefly will acknowledge some accountability.
D