After Slow Start in 2016, Point-of-Sale Breaches Surging

Last week Eddie Bauer became the latest in a growing string of companies to announce a major point-of-sale-related breach. All 350 North American stores were affected by malware that may have siphoned off customers’ payment card information between January and July of this year.

Not all cardholder transactions were impacted, the company said, and the breach does not include any online transactions; however, the announcement comes during the same month that Oracle MICROS, HEI Hotels & Resorts and several other companies posted similar breach announcements.

The recent surge follows a comparatively quiet period over the first half of 2016, as this chart from our Mid-Year 2016 Cyber Risk Report highlights.

POS
Compared to the large number of POS breaches and chatter in 2014, the past year and a half has been relatively quiet — other than a spike in late 2015 tied to several different hotel breaches, the report said.

“This dip in discussion is accentuated by the extreme number of high-profile organizations affected by POS breaches in 2014, perhaps skewing the perception for what ‘normal’ levels of activity should be,” the report noted. “Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.”

Revisiting that chart a month and a half later, it appears the activity level is now kicking up to match those high costs. SurfWatch Labs has collected more point-of-sale-related CyberFacts in August (through just 21 days) than any other month so far this year.

2016-08-22_POS_Chatter.png
The number of point-of sale CyberFacts collected by SurfWatch Labs has surged in recent months (data through August 21). HEI Hotels & Resorts is the highest trending POS-related target this month after announcing a data breach.

Oracle, Other Vendors Compromised

Adding to the concern around point-of-sale systems, Brain Krebs recently broke the news of a breach of hundreds of computer systems at Oracle, including a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Sources said the MICROS customer support portal has been observed communicating with a server known to be used by the Carbanak Gang. That’s alarming since the gang is suspected be behind the theft of more than $1 billion from financial institutions in recent years.

“This breach could be little more than a nasty malware outbreak at Oracle,” Krebs wrote. “However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.”

The investigation is ongoing, and Oracle so far has not provided customers or media outlets with many answers.

To make matters worse, Forbes’ Thomas Fox-Brewster reported that several other cash register suppliers besides MICROS have been breached recently.

“It now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell,” he wrote. “Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.”

Hotels Remain Top Trending POS Target

In our mid-year report, the “Hotels, Motels and Cruiselines” subgroup of Consumer Goods dominated the chatter around point-of-sale breaches, and not much has changed in the two months since that report. In fact, nearly 42% of all the point-of-sale CyberFacts collected by SurfWatch Labs so far this year have fallen into that group.

2016-08-22_POS_Groups
More than 60% of SurfWatch Labs’ point-of-sale related CyberFacts collected this year fall into either the Hotels, Motels and Cruiselines or Restaurants and Bars groups.

The top trending point-of-sale target this month is HEI Hotels & Resorts, which announced a breach involving 20 hotels on August 12. The malware was discovered in June on point-of-sale systems used at restaurants, bars, spas, lobby shops and other facilities, according to Reuters. Twelve Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel were impacted.

If those names sound familiar, it’s because several of them have already made news for data breaches of late, including Hyatt in December 2015 and Starwood in January 2016.

Other data breaches this year involving hotels include Kimpton Hotels, Hard Rock Hotel & Casino Las Vegas, Rosen Hotels & Resorts and the Trump Hotel Collection.

2016-08-22_POS_Groups_ITT

Although the various incidents that have been announced in recent weeks have not been explicitly connected by either researchers or law enforcement, the breach notice from Eddie Bauer did signify that other organizations have been targeted with a similar campaign.

“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” the company wrote. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer.”

Other experts such as Gartner fraud analyst Avivah Litan have speculated that the breach at Oracle “could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider.”

At the moment many questions remain, but if these investigations lead to the discovery of further compromises, expect to see more breach announcements and more payment card information being sold on Dark Web markets in the months to come.

Payment Transactions Face New Data Breaches and Exploits

The last few weeks have not been kind to businesses and customers concerning payment transactions and digital currency. Several point-of-sale systems and digital wallet services have come under fire for data breaches and potential financial theft — not to mention the recent theft of $68 million worth of bitcoin.

The most wide-reaching event may be the breach at software company Oracle Corp, which was reported by Brian Krebs on Monday. A Russian cybercrime group appears to be behind an attack that saw the compromise of hundreds of computers system, including a customer support portal for Oracle’s MICROS point-of-sale credit card payment systems.

This could be a potentially huge breach, as more than 330,000 cash registers around the world utilize Oracle’s MICROS point-of-sale system. In 2014, the company said that about 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels used the software.

It is currently unknown how many organizations were affected by the breach or how long the breach took place. The investigation is ongoing, but potential ties to the Carbanak Gang have raised the level of concern. Oracle did tell Brian Krebs that the company “detected and addressed malicious code in certain legacy MICROS systems,” and that Oracle asked customers to reset their MICROS passwords.

Digital Wallets Face Scrutiny

At last week’s Black Hat conference, a security researcher presented on a flaw in the mobile payment system Samsung Pay. Samsung Pay allows customers to save payment cards on a digital wallet, providing users the option to select the payment card of their choice with the added security of a PIN or fingerprint scan to complete a purchase.

Security expert Salvador Mendoza discovered several problems with Samsung pay, including static passwords used to protect databases, weak obfuscation, and comments in the code. Mendoza also discovered issues with the tokens that are used to complete transactions. Cybercriminals could potentially predict future tokens from studying previous tokens used to make fraudulent transactions.

“Samsung Pay has to work harder on the token’s expiration date to suspend it as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase,” Mendoza explained. “Also, Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone will be able to reverse it.”

Samsung responded to Mendoza’s claims by saying “reports implying that Samsung Pay is flawed are simply not true.”

However, in a separate document Samsung did admit that “skimming” a token is possible, although extremely difficult.

“Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the company wrote. “This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.”

Samsung Pay isn’t the only digital wallet in the news for potential cybersecurity issues.  Venmo — a digital wallet service that allows users to interact with friends by sending money, making purchases, and sharing payments — made headlines recently for flaws that could potentially lead to malicious purchases.

A flaw in an optional SMS-based feature could allow a criminal to easily steal money from people’s accounts, according to researchers. Because Venmo allows users to charge friends through shared bill pay, that friend has to authorize the charge before payment is made. A hacker with physical access to a Venmo user’s phone could steal money from another user’s account by replying to a notification text message with a provided 6-digit code. A feature in Siri that allows users to reply to text messages from locked devices along with the iOS text message preview feature make this attack possible.

“A hacker could have sent a payment request to a targeted user, and if they had access to the victim’s locked device, they could have used Siri to send the approval code displayed on the screen, ” said Eduard Kovacs of SecurityWeek. “The maximum amount of money an attacker could have stolen from one user was $2,999.99 per week, which is the weekly limit set by the developer.”

Keeping Payments Safe

As we’ve highlighted on this blog and in recent threat intelligence reports, high-profile payment-related breaches aren’t at the forefront of cybercrime in the way they were several years ago. However, recent events prove that these payment systems — traditional point-of-sale systems, digital wallets and digital currencies — can lead to significant direct losses as well as brand damage and other consequences from the negative press generated by discovered vulnerabilities.

As SurfWatch Labs’ Chief Security Strategist Adam Meyer recently wrote, cybersecurity is largely about identifying and removing opportunity for malicious actors to do bad things — either directly or indirectly.  There are clear best practices that can be utilized by both businesses and customers to help protect sensitive payment data. Unfortunately, data is only as safe as the methods used to protect it.

Cybercriminals are constantly coming up with new methods and tricks to crack software and trick people into divulging their sensitive information. Cyber threat intelligence can help organizations remain mindful of the many new and evolving threats, identify their weaknesses, and deploy safeguards to protect data — whether that is payment-related data or other sensitive information.

 

Despite Drop In Frequency, PoS Data Breaches are Still a Threat

In 2014, point-of-sale (PoS) data breaches against mainstream retail stores like Target and the Home Depot were primary talking points in cybersecurity. In 2016, PoS data breaches haven’t garnered as much attention, with threats like ransomware and more sophisticated phishing attacks taking up the mantle of the leading concerns in cybersecurity.

Over the last two years, the amount of chatter around PoS breaches has dropped dramatically.

Point of sale chatter
The chart above shows all PoS-related CyberFacts from June 2014 – May 2016. Outside of a rise in CyberFacts starting in October 2015 the amount of chatter concerning PoS breaches has remained low. 

PoS breaches still occur, but the frequency of attacks, as well as the targets, have changed. In 2014, department stores were impacted the most by PoS data breaches. Since that time, cybercriminals have turned their attention towards hotels, restaurants and bars. In many instances, a hotel had an associated restaurant or bar’s payment system compromised. The payment card breach against Starwood properties is one example of this activity.

POS chatter by group
Cybercriminals have shifted to new targets with regards to PoS breaches. While Department Stores were a top trending target in 2014, since then, cybercriminals have shifted their efforts to breaching PoS systems at Hotels, Motels and Cruiselines. 

New EMV Standards Having an Impact on PoS Cybercrime

Back in October 2015, the United States implemented new EMV standards aimed at protecting against PoS cybercrime. Many big retail stores have adopted the technology, which has helped thwart the amount of payment card cyber-attacks against them.

There have been well-documented problems so far with EMV, from customers not having access to chip-enabled cards to retailers offering customers the option swipe their card rather than force them to use the Chip-and-PIN technology.  Perhaps the biggest problem with the EMV shift is the amount of retail companies that simply do not offer customers payment terminals that accept the new Chip-and-PIN cards.

Despite the problems, EMV has positively impacted PoS cybercrime. However, due to the increased security, cybercriminals are turning their attention to other, more lucrative attack vectors. In 2016, phishing and ransomware attacks have both trended highly.

Latest PoS Data Breaches and Malware

However, cybercriminals haven’t completely turned away from attacking payment terminals. To date, SurfWatch Labs has collected information on 23 industry targets related to PoS data breaches.

In what is probably the most recent of those breaches, security researcher Brian Krebs has reported fraudulent activity involving the Texas-based restaurant chain CiCi’s Pizza. In this event, a cybercriminal posed as a “technical support specialist” for the company’s PoS provider, which allowed access to payment card data. This social engineering technique is one way cybercriminals can circumvent EMV (assuming CiCi’s Pizza utilized these payment terminals).

The old-fashioned malware attack vector is still being utilized as well to conduct attacks on PoS systems. New variants are still being created and continue to evolve. Some of the latest PoS malware families to make headlines include:

  • TreasureHunt PoS
  • AbaddonPOS
  • Multigrain
  • FighterPOS
  • FastPOS

With EMV implementation taking place at new retail locations daily, the amount of PoS-related data breaches is bound to decrease. Protecting customers at the point of physical payment is paramount to retail operations, but organizations can do more. Social engineering and phishing attempts are among the biggest threats facing organizations today, and Chip-and-PIN won’t protect against this threat. Deploying physical security features like firewalls is obviously important, but educating employees about phishing and social engineering tactics is arguably just as important a cybersecurity strategy.