Oracle’s Micros System Hacked

by Raymond Pucci

Waiter—there’s a problem with my meal. Oracle’s widely used Micros Point-of-Sale software for restaurants and retailers has been hacked by fraudsters known to have previously broken into many other payment card systems. According to the following report, the incident was isolated to the Micros platform only and did not compromise other Oracle systems. Users were directed to reset passwords on the affected accounts.

Oracle detected malicious code in certain payment systems used in hospitality and retail, the company said. Details were first reported by cybersecurity writer Brian Krebs on Monday.

All customers of Micros, known for cloud-based tablet and mobile payments for food, beverages and hotels, are being asked to reset their passwords for an online support portal after Oracle found the malicious code in legacy systems, Krebs wrote on his website, KrebsOnSecurity. Oracle’s other cloud and corporate offerings were not affected, and the credit-card data is encrypted, Oracle told CNBC.

“To prevent a recurrence, Oracle implemented additional security measures for the legacy MICROS systems,” Oracle said in a letter to customers given to CNBC. Oracle did not respond to Krebs’ direct question about the breach, he said.

It’s not clear how widespread the hack is and how the attackers gained access to Oracle systems, Krebs reported. But two unnamed sources told Krebs that the hack could be tied to Russian cybercriminals. The sources told Krebs that Micros’ customer-support portal was seen communicating with a server known to be used by the Carbanak gang, which has been tied to one of the biggest banking breaches ever known.

Hospitality and retail payment transactions are targets for hackers because they represent high volumes of personal card data, and a compromise can go undetected by both merchants and consumers for weeks, if not months. The stolen data will typically be used to make online, card-not-present transactions, where user identity validation is minimal. The anti-fraud battle is now an arms race between the hackers and the expanding security software industry. E-commerce fraud is expected to increase with the EMV chip card and terminal transition at US merchants’ points of sale, which is why stolen card data remains a valuable commodity for the hackers.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group
