Tag Archives: POS

VISA SAYS: Ongoing Cyber Attacks at Gas Pumps

Visa published an alert that says that point of sale (PoS) systems of North American Fuel Dispenser Merchants (gas stations and the companies that make the systems that allow you to “pay at the pump”) are being targeted in credit card skimming attacks.

The attack is ongoing, increasing and coordinated – by cybercrime groups.

The Visa fraud disruption unit alert described several attacks.  Stores were supposed to have installed chip readers by 2015 (if they haven’t, they get to pay for any fraud linked to their lack of chip card readers), but gas stations got an extension and are only now installing chip readers in pumps (they were supposed to do it by October 2019, but now they have until October 2020).

One of the benefits of chip readers is that the card information is encrypted at the pump and not decrypted until it arrives at the gas station’s bank.  Since most pumps still have not been upgraded, the data does not get encrypted until it leaves the gas station, if at all.

This means that if the hacker can get malware installed in the gas station they can likely read the credit cards.

Here is the part that affects all businesses:

Individual gas stations are independent from the brands, for the most part, and many are completely independent.  That makes them small businesses that don’t have an IT department.

The attacks usually start by infecting the computer in the office – someone is bored and surfs the web.  They visit a sketchy web site and click on an infection link.

Because gas station owners are not IT or security experts, everything is on the same network – as is often the case in many (most?) small to medium sized businesses.

What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system from the smart TV, from the gas pumps, etc.

Doing that makes it MUCH harder for hackers in any business to get to where they want to go.  In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.

It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.
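One way to check that a segmentation design actually holds is to write down the allowed cross-segment flows and run observed traffic against that list. The script below is an added example, not code from the original post: it models the segments the post names (office PCs, WiFi, the credit card/POS system, the pumps) as separate subnets, keeps a small allow-list of the only flows that should cross between them, and flags everything else. The zone addresses, the allow-list and the flow records are all constructed for illustration.

```python
"""Segmentation policy check over sample flow records (added example).

Each business function gets its own subnet (VLAN); the POLICY set lists the
only cross-segment flows that should exist. Anything else that crosses a
segment boundary is reported, which is exactly the kind of office-PC-to-POS
traffic the post describes attackers relying on.
"""
import ipaddress
from collections import namedtuple

# Constructed zone plan: one subnet per business function.
ZONES = {
    "office":     ipaddress.ip_network("10.10.1.0/24"),
    "guest_wifi": ipaddress.ip_network("10.10.2.0/24"),
    "pos":        ipaddress.ip_network("10.10.3.0/24"),
    "pumps":      ipaddress.ip_network("10.10.4.0/24"),
    "payment_gw": ipaddress.ip_network("10.10.5.0/24"),  # hypothetical link to the processor
}

# Allow-list of (source zone, destination zone, destination port).
# Intra-zone traffic is allowed; any other cross-zone flow is a violation.
POLICY = {
    ("pumps", "pos", 443),        # pumps talk only to the POS controller
    ("pos", "payment_gw", 443),   # POS forwards transactions to the payment gateway
}

Flow = namedtuple("Flow", "src dst dport")


def zone_of(addr):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse 'src, dst, dport' records; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport = (part.strip() for part in line.split(","))
        flows.append(Flow(src, dst, int(dport)))
    return flows


def find_violations(flows):
    """Return (flow, src_zone, dst_zone) for every flow the policy does not allow."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d:                       # same segment: not a segmentation question
            continue
        if (s, d, f.dport) in POLICY:    # explicitly permitted cross-segment flow
            continue
        violations.append((f, s, d))
    return violations


# Constructed flow records, e.g. exported from a firewall or flow collector.
SAMPLE_FLOWS = """
10.10.4.11, 10.10.3.5, 443    # pump -> POS controller: allowed
10.10.3.5, 10.10.5.2, 443     # POS -> payment gateway: allowed
10.10.1.23, 10.10.3.5, 445    # office PC -> POS over SMB: violation
10.10.2.40, 10.10.4.11, 22    # guest WiFi -> pump over SSH: violation
10.10.1.23, 10.10.1.24, 445   # office -> office: same zone, ignored
"""

if __name__ == "__main__":
    for flow, s, d in find_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"VIOLATION {s} -> {d}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Run against real flow exports, the two flagged records are the ones to chase: an office PC reaching the POS controller over SMB is the path the post describes, and a guest WiFi client reaching a pump should not be possible at all if the segments are enforced at the firewall rather than only drawn on paper.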

On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can do a couple of things to improve your odds:

  • Use a pump closest to the store – it is the least likely to have a skimmer attached.  That won’t help if the hacker installs malware on the station’s network though
  • Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it)
  • Pay inside – sometimes but not always – that computer gets upgraded before the pumps get upgraded.  Watch how they process your card – if they swipe it, it hasn’t been upgraded.  If they insert it and wait, it has been
  • Last option, if you have to, pay cash

Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there and they have really poor cybersecurity, except, MAYBE, for stations that are owned by the oil companies themselves.  Apparently, according to Visa, that is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.

Source: Bleeping Computer


The Point of Sale (POS) Breaches Continue

So far this week (and it is only Monday), we have two POS breaches in the news.

HEI Hotels and Resorts, which manages almost 60 hotels for Starwood, Hilton, Marriott and other chains announced that 20 of their locations, covering all of their brands, had suffered breaches.

While they have not said how many cards may have been compromised, they have said that the data that was compromised included name, account number, expiration date and verification code.

HEI said that they thought that the data was accessed in real time because they do not store the data.  They also said that they were unable to contact people whose cards were likely breached since they do not collect or maintain enough information to do this.  This raises some important points.

These statements would seem to indicate that they outsource the processing of payments.  If so, that points to the fact that even if you outsource credit card processing, you are still the one who has to face the music in case of a breach.

It also indicates that they are likely not using chip based credit card readers because if they were, the data would not exist in an unencrypted state except inside the card reader itself, which does not appear to be where the breach occurred.  One more time where a chip based solution might have stopped a breach in its tracks.

The breach lasted a long time – from March 2015 to June 2016 – about 15 months.  It is not clear why the malware was not detected for so long.

In the second breach of the week, Oracle acknowledged a breach affecting their Micros POS software.

Apparently, the breach is large enough that VISA issued an alert to merchants, which they usually don’t do.

Visa said that hackers broke in to hundreds of servers at Oracle and had “completely compromised” Oracle’s support portal.

Micros, according to Oracle, is installed at over 300,000 locations, including 200,000 food and beverage locations, 100,000 retail locations and 30,000 hotels.

With millions of cards used at these locations per week, this could be a major breach.

Oracle is being very tight-lipped about this breach – whether that is because they do not understand the scope of the breach and don’t want to make incorrect statements or because Larry Ellison knows he is about to be hit with multiple lawsuits, is unclear.

Oracle told customers to change their passwords and to change any passwords used by Oracle staff to access their systems and not much else.  That would suggest that hackers, in hacking the Oracle servers, got credentials that would allow them to access their customers’ systems.

Some of Oracle’s customers are saying that by not sharing information, Oracle is making it harder for them to clean up Oracle’s mess – all fodder for the inevitable lawsuits.

Brian Krebs is also saying that it is possible that Oracle was breached by more than one Eastern European (read this as Russian) crime group or at least more than one is dividing the spoils.  If, in fact, there are 300,000 plus locations hacked and people will eventually change passwords, the hackers have to work fast in order to install other back doors and extract data.

It appears that the customer network and Oracle’s internal network were on the same network segment, but that network was split.  Somehow, sources say, that facilitated the breach.  They do not say how.

And here is the killer.

In mid July, Oracle told employees in the hospitality division that they had to wipe their computers WITHOUT BACKING ANYTHING UP.  The computers were then reimaged with a clean operating system.

This means that employees lost implementation plans and schedules and software that was going to be deployed.  The source said that this has cost Oracle billions of dollars – however that seems like a lot of money.  Still, I am sure that did cost Oracle a bunch.

Oracle did not tell employees that the reason that they had to wipe their computers was because the company had been breached.

I am sure that more details will emerge, even if Oracle does not want them to.

What this does point out is that companies need to have an active and aggressive vendor risk management program.  In both of these cases, the problem stemmed from vendors.  The restaurants, bars, hotels and retail stores were counting on their vendors to protect them.  While it is possible that there are clauses in the customers’ contracts with Oracle in which Oracle agrees to indemnify and reimburse the stores and restaurants for all costs associated with the breach, knowing Oracle, the contract probably says that they aren’t responsible for anything.  We shall see how this turns out in court – but that is years from now.

In both of these examples, these businesses are going to have very unhappy customers and not because they did something wrong, but rather because one of their vendors did something wrong.

Vendor risk management programs are effective at reducing risk associated with outsourcing.  If you don’t have a program, you should create one now.  If you do have one, you should review it for completeness.

Information on the HEI Hotels breach came from CSO Online.

Information on the Oracle breach came from Krebs on Security.

Starwood Hotels Is Latest Business To Be Breached

Credit card breaches are old news.  Well, sort of.  It seems like every day there is a new one, but we have gotten used to them.  If you are a slight geek, you have your bank send you a text or email every single time your card is used.  The first time that it is used and it is not you, you call the bank, they cancel the card and send you a new one.

Debit cards are more of a pain in the rear, especially if they have your PIN, so if you had a PIN based debit card compromised you MUST move quickly.  You do not have 60 days after you get your statement – you have like 2 days as I recall – which is why I STRONGLY recommend that people do not use their debit card as a PIN based debit card except at your bank.  Almost all banks will issue a Visa or Mastercard logo debit card which you can use as a credit card.  While the money still comes out of your bank account instantly, it is processed as a credit card and the credit card protection rules apply.  Even though the credit card terminal in the store will try very hard to get you to use that card as a debit card (because it is cheaper for them), resist the temptation – DO NOT DO IT!

Anyway, back to the breach of the day.

Today it is Starwood Hotels – owner of Westin, Sheraton, W and many other brands.

The breach affected about 50 properties (list is in their announcement which is linked below). Some hotels were affected between March and April of this year.  Others between March and May and still others between November of last year and April of this year.

As seems to be usual, the breach only affects restaurants, gift shops and other (likely outsourced) systems.  It did not affect the front desk system.

I assume that Starwood outsources the restaurants and gift shops and those companies likely outsource their point of sale systems.  The different date ranges could mean that there is more than one outsourcer affected and that we may see other notices soon.  This is all speculation as Starwood has not said very much other than that protecting your information is a top priority.

Given that they apparently were not able to protect their top priority …………

As I have said before, if you watch your card and bank charges religiously, this is not a big issue for you.  It is, however, a big issue for Starwood and their likely outsourced restaurants and gift shops and they will spend millions and sue and be sued for the next several years.

Assuming these departments are outsourced, it is one more example of how supply chain security is a huge problem for businesses, and one that they are not paying enough attention to.

This comes just days after Marriott purchased Starwood.  I certainly hope they disclosed this!

My two cents.


Information for this post came from Starwood and Dark Reading.

Next Credit Card Attack Target – Service Providers To Stores

As companies like Target and Home Depot begin to clean up their credit card protecting acts, the cyber thieves are moving on to a different class of victim.

This week, Service Systems Associates acknowledged that they had been hacked and as a result, some of their clients’ systems were compromised.

How this works is this:

Let’s say a small business, in this case a Zoo gift shop, wants a snazzy point of sale system to keep track of inventory and collect sales data and such.  They consider the cost to support such a system, which is not insignificant, and they decide this is a great thing to outsource.

They go to a company like Service Systems Associates.  Among other services like running your zoo cafeteria, SSA will manage that POS system for you – like adding new items, updating the software and such.  For this, they charge a monthly fee.  Of course, SSA doesn’t want to have to send someone out to your zoo to do this work, so they access it remotely.

The problem is that no one at the zoo is a security expert – except maybe when it comes to keeping the tigers in their enclosures – so they didn’t ask “how, exactly, do you secure this remote connection?”  Likely, they use one of the many commercial or open source remote control software packages and protect it with a userid and password.  Many vendors use the same userid and password for all of their customers – that makes life easy for them and those connections are open 24/7.

While SSA is not handing out many details other than the period when their customers’ customers were vulnerable (March 23 to June 25), what likely happened is that one of their people got hacked, maybe by a phishing attack.  That person stored the password to SSA’s customer systems insecurely.  Alternatively, once that person got phished, the attacker installed a keystroke logger and captured the userid and password that way.

What does appear to be true is that SSA did not do what would be a reasonable practice – and which customers should insist on – and that is to use two factor authentication.  That way, if the password got compromised, the attacker could not log in to their customers’ systems.

While two factor authentication is not bullet proof, it certainly is significantly more bullet resistant than a userid and password.

From a hacker’s standpoint, going after vendors like SSA is way more lucrative than going after any one zoo and probably about as difficult.

Just one more reason why you need to include cyber due diligence as part of your vendor selection process.

Krebs lists the zoos that were likely affected in his article, but they are all over the country, from San Francisco to Baltimore.


Information for this post came from Krebs On Security.

Significant number of major businesses hit by Backoff malware

After my last post, a new article came out about the Backoff malware.  The article, quoting the US Department of Homeland Security, said that over a thousand small, medium and enterprise U.S. businesses have been compromised by the Backoff malware package.

Backoff is fairly new – first seen last year – and scrapes the memory of POS systems.  Seven POS vendors have confirmed that they have multiple clients affected.  The Secret Service is involved.  It is believed that this malware is responsible for the breaches at Target, SuperValu and UPS.

The attackers break into the POS systems using a variety of techniques and then install the malware on the system.  Once the malware is installed, every transaction on the system from that point forward will be compromised.

Mitch Tanenbaum