Attacks/Breaches
8/21/2014
11:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

51 UPS Stores' Point-of-Sale Systems Breached

Customers will not receive individual breach notifications.

UPDATED Aug. 22: United Parcel Service (UPS) confirmed Wednesday that point-of-sale systems at 51 of its 4,470 franchise stores were breached, resulting in the theft of credit card data involved in approximately 105,000 transactions. "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations," according to UPS, in a statement.

Although UPS knows the number of transactions, it does not have all the information about the cardholders, and therefore will not be issuing individual breach notifications. Customers can check UPS.com for a list of affected stores.

July 31 the company investigated its networks after the Secret Service and Department of Homeland Security issued a report about threats in remote access software. This investigation led to the discovery that the systems were infected with Backoff, a malware family that goes after PoS systems and has made life difficult for many retailers. They believe the malware infection may have begun on January 20 -- but not until March 26 in most stores -- and was fully eradicated by August 11.

U.S. CERT released a new advisory about Backoff that follows up on a detailed advisory they released July 31.

“This type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, says Ken Westin, security analyst for Tripwire. "This family of point-of-sale malware goes as far back as October 2013; it relies on scraping unencrypted credit card data from the memory of infected devices, much like previously seen malware. The malware itself is sophisticated, but the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they installing the malware.”

The UPS breach is simply the newest in a string of big retail breaches like those at Target and P.F. Chang's.

"How many more point-of-sale breaches need to occur industry-wide before consumers rise up and start demanding proactive protection surrounding their personal information prior to the purchasing of goods and services from a company?" says Kyle Kennedy, CTO of STEALTHbits Technologies. "Is it time for a third-party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer and the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible?"

"As UPS basically admits that the attackers were in their systems, undetected for 4 to 8 months," says Aviv Raff, CTO and chief researcher of Seculert, "it shows the necessity of enterprises to start using security tools that are able to detect attacks not just in real time... but more importantly, over time" by analyzing historical and ongoing traffic logs.

The information that may have been exposed includes names, postal addresses, email addresses, and payment card information. Thus far UPS Store has no evidence of fraud arising from the incident, but it is offering credit monitoring and identity protection services to customers who might have been affected.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/25/2014 | 11:21:38 PM
Re: POS security?
It is getting there, but it will take time for retailers to catch up.  Until the Target breach many retailers viewed their POS systems as unaffected by malware.  Now they have to play catchup, which will take several years.
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/21/2014 | 8:34:01 PM
Re: POS security?
Excellent point!  Just as in any network, each device and application needs some form of security, even if it is encrypting the data being transmitted.  anyone with even the least bit of security training was taught this, but are retailers aware?  I think not.  It is up to us who work in the security field to train them.
vnewman2
100%
0%
vnewman2,
User Rank: Strategist
8/21/2014 | 7:16:58 PM
Re: POS can be made hack proof
Wow.  Just wow. I don't think people are shocked to hear about data breaches - it's the price we pay for doing business the way we do. But, undetected for 8 months. Egad.

But kudos for them for being - let's say - "somewhat" proactive when they received the government bulletin and having an audit done.   Too bad the victims won't know they are victims until their own information get used against them!
MarkSitkowski
100%
0%
MarkSitkowski,
User Rank: Moderator
8/21/2014 | 6:53:55 PM
POS can be made hack proof
The trick to this, which few US retailers appear to have grasped, is to not have anything worth stealing on their systems. As long as there are card numbers and PIN's, hackers will find it rewarding to steal them. Although this article specifically refers to this week's other Great Breach, Supervalu, it is relevant to all POS systems. Take a look at Finextra article 'The Flaw in POS terminal security. Solved'
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
8/21/2014 | 1:27:08 PM
Re: Resonsibility and Repercussions
It's time to change the approach to cyber security, retailers most of all are seriously exposed to the risk of hack.

Anyway it will be interesting if the threat actor behind the attack is the same of the popular data breaches suffered by Target and other retailers.

Another element of interest is the real dimension of this data breach, how many customers were involved. 
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
8/21/2014 | 1:00:47 PM
POS security?
I have to be the first to ask, do any of these retailers ever stop to think that POS systems require their own security outside perimeter devices (Firewalls, IDS/IPS) which are protecting the overall network?  These sytems, while they might be limited in their overall functionality, are one of the most critical endpoints and need to be secured.  How many more of these breaches are required before POS systems become part of the overall security policy?
PaulH835
100%
0%
PaulH835,
User Rank: Apprentice
8/21/2014 | 12:58:34 PM
Resonsibility and Repercussions
When a company has an IT security breech the company replutation can be humilated, its stock impacted, and of course it can suffer business loss. But there does not seem to be any legal liability. If a public company errors in its financial reporting we now hold its significant officiers legally responsibile. That has created immense focus on many areas of security left neglected in the past. It seems we may need similar incentives to motivate focus on protecting customer personal information at any point it comes into contact with a company's systems. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.