Retail systems vendor Verifone is investigating a breach of its internal networks that may have affected customers running its point-of-sale (PoS) terminals.
Verifone is the second largest credit and debit card terminal manufacturer in the world, and it sells PoS terminals and services to a variety of businesses, including retailers, taxi companies and petrol stations.
The company initially commented that the breach was limited to its corporate network, but following a contrary claim by security blogger Brian Krebs, Verifone released a follow-up statement that confirmed that the breach affected “approximately two dozen” petrol stations over “a short period of time”.
The full extent of the breach was first reported by Krebs, who cited a source that claimed the intrusion impacted at least one corner of Verifone’s business – a customer support unit based in Clearwater, Florida, that provides comprehensive payment solutions to petrol stations throughout the US. It includes pay-at-the-pump card processing, physical cash registers inside the petrol station, customer loyalty programmes and remote technical support.
Krebs’s source said his employer “shared with [Visa and MasterCard] evidence that a Russian hacking group known for targeting payment providers and hospitality firms had compromised at least a portion of Verifone’s internal network”.
Visa and MasterCard were reportedly notified that the intruders had been inside Verifone’s network since mid-2016.
Penetrating payment terminals
Avivah Litan, a financial fraud and endpoint solutions analyst for Gartner Inc., told Krebs that the attackers in the Verifone breach were probably after anything that would allow them to access customer payment terminals – either PoS designs, the source code or signing keys.
“Also,” Litan said, “the company says it believes it stopped the breach in time, and that usually means they don’t know if they did.”
Identify vulnerabilities with PCI compliance
A vulnerability in a vendor's payment terminals can let a breach spread quickly, because every customer running that vendor's PoS systems may be exposed at once. It is therefore essential for organisations to test their systems regularly and to confirm that their defences are sufficient.
Regular testing of systems is a requirement of the PCI DSS (Payment Card Industry Data Security Standard) and an essential component of ISO 27001, and it is a fact of life for any organisation that transmits, processes or stores payment card data.
IT Governance offers fixed-price or bespoke CREST-accredited PCI penetration tests to help organisations comply with the requirements of the PCI DSS and to better prepare for attacks against their information assets.
Find out more about PCI Compliance Penetration Testing >>