Verifone May Have Been Exposed To Hackers

by Raymond Pucci 0

Loyalty Program

No company or POS location is safe from hackers and potential security breaches. According to the following article, payment terminal maker Verifone may have been the target of a security hack at some U.S. gas station/convenience stores.

A day after reports surfaced that payments company Verifone was probing a potential breach of its internal systems and attempted attacks on some affiliated point-of-sale (POS) systems, the company has soft-pedaled the incident, saying in a statement published by The Register that the attempt “was limited to approximately two dozen U.S. gas station convenience stores and occurred over a short time period.” The company contended that “no other merchants were targeted and the integrity of our payment networks and Verifone’s payment terminals remained secure and fully operational.”

Verifone security pros, the statement said, “identified evidence of this very limited cyber intrusion into our corporate network in January 2017, and we proactively notified Visa, MasterCard and other card schemes.” That tracks with a report from Brian Krebs, who first broke the story, that company Senior Vice President and CIO Steve Hornan sent a message to staff as well as contractors on Jan. 23 requesting they change their passwords within 24 hours and saying the company was “applying limitations to End User capabilities on desktops/laptops” that would “take away the end user’s ability to load any additional software on to the device.” Joe Fantuzzi, CEO of RiskVision, said in comments emailed to SC Media that the breach “is clearly indicative of the escalating third-party risk related to POS systems that have plagued the retail sector as well as the ongoing risk” in segments of the financial services industry.

The breach seemed to take a familiar route. “The fact that Verifone asked employees and contractors to change their passwords and restricted their control over their desktops and laptops suggests that the attackers followed the usual path to gain access to critical systems such as payment terminals: exploit different vulnerabilities to take control over the devices and the accounts of people already inside the company,” said Péter Gyöngyösi, Blindspotter product manager at Balabit. The company drew praise for taking fast action. “While it’s hard to know exactly the extent of the breach, it appears that Verifone reacted quickly to change passwords and tighten laptop security controls. Most security experts agree: it’s not if you get hacked, but when,” Willy Leichter, vice president of marketing, CipherCloud, said in comments emailed to SC Media. Verifone contended that its quick response mitigated potential damage from the breach. “We believe that our immediate response and coordination with partners and agencies has made the potential for misuse of information extremely limited,” the company statement said.

Not a lot is publicly known about the circumstances around the possible security breach. However, large merchants and the hospitality industry, especially hotels, have been frequent targets of fraudsters. This may be attributed to the large numbers of employees, ex-employees, and contractors that have or used to have password access to internal systems. Sometimes unattended POS terminals can be susceptible to card data skimming devices as well. Merchant POS systems and their back office servers can never be too safe and require continuous anti-intrusion resources.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group

Read the full story here