Tag Archive for POS

Data Breach Is No Monkey Business

Reports are emerging that zoos across the nation have fallen victim to a POS attack and data breach. MLive warns that anyone who made a purchase with a credit card at gift shops at the Detroit Zoo between March 23 and June 25, 2015, might be in danger of having their credit card information stolen. The Detroit Zoo posted a notice which claims that the only systems hacked were those run by Denver-based Service Systems Associates (SSA), the third party responsible for running the systems at the Detroit Zoo’s retail stands.

SSA posted a notice on their site confirming a breach but giving no other details. Officials are investigating data breaches of the point-of-sale systems at nine or more U.S. zoos, including the Detroit Zoo. MLive reports that hackers gained access to cardholders’ names, expiration dates, and CVV security codes in addition to the credit and debit card numbers.

Sources claim the malware has since been identified and removed from the systems, though the case remains under investigation. In response, a separate credit card processing system was installed after the Zoo learned of the breach. Gerry VanAcker, Detroit Zoological Society chief operating officer, said in a release:

“We are obviously concerned that the vendor’s system was compromised. Transactions made since June 26 are not affected by the previous breach, and it is safe to use a credit or debit card at SSA’s retail locations.”

Krebs on Security reports that the attack is widespread. Mr. Krebs cites financial industry sources that say the breach likely involves SSA concession and gift shops at zoo locations in Alabama, Arizona, California, Florida, Hawaii, Idaho, Indiana, Minnesota, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, and Tennessee.

Systems used at the Detroit Zoo for tickets, food sales, and membership sales were not affected by the breach and remain secure. Anyone who made a purchase via credit or debit card at a Zoo gift shop should check their bank statements immediately.

Those who suspect that their identity has been stolen are asked to contact one of the consumer reporting agencies and place a fraud alert on their credit report.

rb-

Why don’t these POS companies give a damn? I have covered POS data breaches a number of times from the Bach Seat. POS breaches have been the largest source of data disclosure for at least 3 years. Of course, we know the answer: follow the money.

Firms like SSA have no accountability. There are no costs or fines or even a demerit on their permanent record when they get breached. It is less costly for companies like SSA to allow a breach to happen than it is to update their systems and stop the attackers.

Maybe that will change in the future. Beginning in October 2015, firms like SSA that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. Maybe.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

ZOUP! POS Breached

Another day, another data breach. Zoup!, the restaurant known for its soup, salad, and sandwiches, is the latest retailer to have its POS system hacked. The hack exposed credit card information, according to MLive. In a statement posted on the Zoup! website, Zoup! CEO Eric Ersher told the company’s customers (victims), too bad, so sad: “… in the days ahead, we will work hard to preserve your trust.”

Apparently regaining my trust does not include telling me my information was stolen, or the usual credit monitoring or credit restoration services. According to MLive, Southfield, MI-based Zoup! will not be contacting customers who were affected by the cyber-attack.

The stonewall goes beyond Zoup!’s customers. When contacted by security researcher Brian Krebs for comment, CEO Ersher referred calls to NEXTEP, who runs all of Zoup!’s point-of-sale devices. Troy, MI-based NEXTEP President Tommy Woycik emailed Mr. Krebs a statement, which says in part, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised.”

The MLive article reports that Zoup! learned March 4 of a payment card security issue that affected most of its U.S. locations. Between Feb. 2 and March 5, the malware installed on the point-of-sale system was tracking credit card numbers, and possibly PII data such as the cardholder’s name, card expiration date, and verification code.

POS vendors have a notorious track record for data security. One breach can impact 100s of locations. The 2014 breach at the POS vendor Signature Systems Inc. affected Jimmy John’s sandwich shops and at least 100 other restaurants. The 2015 breach at Advanced Restaurant Management Applications (ARMA) affected many of its client restaurants. And now the NEXTEP breach has impacted up to 75 Zoup! locations and possibly 100,000s of customers.

CEO Ersher said in a statement, “… we moved as swiftly as possible to address the problem once we learned about it … ” Oh really? If they had read Bach Seat last year when I wrote about POS hacks, or paid attention to US-CERT or warnings, they would have been prepared.

The company set up a website for customers with concerns, or they can call Zoup! at 800-343-9308, Monday – Friday, 8 a.m. – 5 p.m. ET.

rb-

I think that Zoup! should cool the attitude and review the info I posted in 2014 on how to avoid POS System breaches.

1. Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords.)

2. Implement a firewall or access control list on remote access/administration services. (If hackers can’t reach your systems, they can’t easily steal from them.)

3. Avoid using POS systems to browse the web (or anything else on the Internet).

4. Make sure your POS is a PCI DSS compliant application (ask your vendor).

5. Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you.)


Remote Desktop Opens Door to POS Malware

The U.S. Department of Homeland Security (DHS) has issued a warning to retailers. DHS reports that cybercriminals are using remote desktop software to open up retailers’ networks to point-of-sale malware attacks. Point of Sale (POS) systems have been at the heart of many of the recent data breaches. Retailers impacted include Target, Jimmy John’s, P.F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and Goodwill Industries International, the New York Times reported.

Researchers at the DHS, the Secret Service, the National Cybersecurity and Communications Integration Center, and security firm Trustwave SpiderLabs have been following the attacks. During the attacks, cybercriminals scan corporate systems for remote desktop software. The attackers are looking for Microsoft (MSFT) Remote Desktop, Apple (AAPL) Remote Desktop, Google (GOOG) Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn’s join.me.

Install malware

After finding an exposed system, attackers launch brute force attacks on the login feature. FierceITSecurity reports that once the attackers gain network access, they deploy Backoff POS malware to steal customer payment data and hide the theft using encryption. An alert was issued by US-CERT on 07-31-2014 that explained how the malware gets installed.

“At the time of discovery and analysis, the [Backoff] malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.”

US-CERT has informed anti-virus vendors of the threat from Backoff malware and they will be updating their software to detect and block the malware. The malware can scrape memory for track data, log keystrokes, engage in command and control communication, and inject a malicious stub into explorer.exe that ensures “persistence in the event the malicious executable crashes or is forcefully stopped.”

The article concludes, “The impact of a compromised POS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts.”
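An added example, not from the original post or the US-CERT alert: one way a defender can spot the brute-force logins against exposed Remote Desktop described above is to count failed remote logons per source address in Windows Security events and flag any success that follows a burst. The event tuples, threshold, window and IP addresses below are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log event IDs
REMOTE_TYPES = {3, 10}         # 10 = RemoteInteractive (RDP), 3 = network logon (RDP with NLA)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on sources with >= threshold failed remote logons inside `window`,
    and on any successful logon from a source that is currently over the threshold."""
    recent = defaultdict(deque)          # source IP -> timestamps of recent failures
    flagged, alerts = set(), []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type not in REMOTE_TYPES:
            continue                     # ignore console and service logons
        fails = recent[src]
        while fails and ts - fails[0] > window:
            fails.popleft()              # drop failures that aged out of the window
        if event_id == FAILED:
            fails.append(ts)
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, account, ts))
        elif event_id == SUCCESS and len(fails) >= threshold:
            # A logon that succeeds right after a burst of failures needs triage first.
            alerts.append(("success_after_bruteforce", src, account, ts))
    return alerts

# Constructed sample events: (timestamp, event ID, logon type, source IP, account)
T0 = datetime(2014, 8, 1, 2, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=10 * i), FAILED, 10, "203.0.113.50", "admin") for i in range(6)]
    + [(T0 + timedelta(seconds=70), SUCCESS, 10, "203.0.113.50", "admin"),
       (T0 + timedelta(minutes=30), FAILED, 10, "198.51.100.7", "manager"),   # one typo
       (T0 + timedelta(minutes=31), SUCCESS, 10, "198.51.100.7", "manager"),
       (T0 + timedelta(minutes=40), FAILED, 2, "127.0.0.1", "cashier")]       # local console
)

if __name__ == "__main__":
    for kind, src, account, ts in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {kind} src={src} account={account}")
```
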

rb-

If mega-firms like Target can be breached, what chance do small mom-and-pop POS firms in schools, food trucks, and kiosks at the airport stand? I say not much. I have worked with several POS vendors and it seems they barely understand their own product, let alone SSL certs or VPNs.

Here are some tips from Verizon’s 2012 research into security breaches affecting companies that use POS systems to process customer payments. Make sure your POS vendor does the following:

1. Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords.)

2. Implement a firewall or access control list on remote access/administration services. (If hackers can’t reach your systems, they can’t easily steal from them.)

3. Avoid using POS systems to browse the web (or anything else on the Internet).

4. Make sure your POS is a PCI DSS compliant application (ask your vendor).

5. Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you.)
