Attacks/Breaches
8/21/2014
11:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

51 UPS Stores' Point-of-Sale Systems Breached

Customers will not receive individual breach notifications.

UPDATED Aug. 22: United Parcel Service (UPS) confirmed Wednesday that point-of-sale systems at 51 of its 4,470 franchise stores were breached, resulting in the theft of credit card data involved in approximately 105,000 transactions. "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations," according to UPS, in a statement.

Although UPS knows the number of transactions, it does not have all the information about the cardholders, and therefore will not be issuing individual breach notifications. Customers can check UPS.com for a list of affected stores.

July 31 the company investigated its networks after the Secret Service and Department of Homeland Security issued a report about threats in remote access software. This investigation led to the discovery that the systems were infected with Backoff, a malware family that goes after PoS systems and has made life difficult for many retailers. They believe the malware infection may have begun on January 20 -- but not until March 26 in most stores -- and was fully eradicated by August 11.

U.S. CERT released a new advisory about Backoff that follows up on a detailed advisory they released July 31.

“This type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, says Ken Westin, security analyst for Tripwire. "This family of point-of-sale malware goes as far back as October 2013; it relies on scraping unencrypted credit card data from the memory of infected devices, much like previously seen malware. The malware itself is sophisticated, but the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they installing the malware.”

The UPS breach is simply the newest in a string of big retail breaches like those at Target and P.F. Chang's.

"How many more point-of-sale breaches need to occur industry-wide before consumers rise up and start demanding proactive protection surrounding their personal information prior to the purchasing of goods and services from a company?" says Kyle Kennedy, CTO of STEALTHbits Technologies. "Is it time for a third-party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer and the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible?"

"As UPS basically admits that the attackers were in their systems, undetected for 4 to 8 months," says Aviv Raff, CTO and chief researcher of Seculert, "it shows the necessity of enterprises to start using security tools that are able to detect attacks not just in real time... but more importantly, over time" by analyzing historical and ongoing traffic logs.

The information that may have been exposed includes names, postal addresses, email addresses, and payment card information. Thus far UPS Store has no evidence of fraud arising from the incident, but it is offering credit monitoring and identity protection services to customers who might have been affected.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/25/2014 | 11:21:38 PM
Re: POS security?
It is getting there, but it will take time for retailers to catch up.  Until the Target breach many retailers viewed their POS systems as unaffected by malware.  Now they have to play catchup, which will take several years.
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/21/2014 | 8:34:01 PM
Re: POS security?
Excellent point!  Just as in any network, each device and application needs some form of security, even if it is encrypting the data being transmitted.  anyone with even the least bit of security training was taught this, but are retailers aware?  I think not.  It is up to us who work in the security field to train them.
vnewman2
100%
0%
vnewman2,
User Rank: Strategist
8/21/2014 | 7:16:58 PM
Re: POS can be made hack proof
Wow.  Just wow. I don't think people are shocked to hear about data breaches - it's the price we pay for doing business the way we do. But, undetected for 8 months. Egad.

But kudos for them for being - let's say - "somewhat" proactive when they received the government bulletin and having an audit done.   Too bad the victims won't know they are victims until their own information get used against them!
MarkSitkowski
100%
0%
MarkSitkowski,
User Rank: Moderator
8/21/2014 | 6:53:55 PM
POS can be made hack proof
The trick to this, which few US retailers appear to have grasped, is to not have anything worth stealing on their systems. As long as there are card numbers and PIN's, hackers will find it rewarding to steal them. Although this article specifically refers to this week's other Great Breach, Supervalu, it is relevant to all POS systems. Take a look at Finextra article 'The Flaw in POS terminal security. Solved'
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
8/21/2014 | 1:27:08 PM
Re: Resonsibility and Repercussions
It's time to change the approach to cyber security, retailers most of all are seriously exposed to the risk of hack.

Anyway it will be interesting if the threat actor behind the attack is the same of the popular data breaches suffered by Target and other retailers.

Another element of interest is the real dimension of this data breach, how many customers were involved. 
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
8/21/2014 | 1:00:47 PM
POS security?
I have to be the first to ask, do any of these retailers ever stop to think that POS systems require their own security outside perimeter devices (Firewalls, IDS/IPS) which are protecting the overall network?  These sytems, while they might be limited in their overall functionality, are one of the most critical endpoints and need to be secured.  How many more of these breaches are required before POS systems become part of the overall security policy?
PaulH835
100%
0%
PaulH835,
User Rank: Apprentice
8/21/2014 | 12:58:34 PM
Resonsibility and Repercussions
When a company has an IT security breech the company replutation can be humilated, its stock impacted, and of course it can suffer business loss. But there does not seem to be any legal liability. If a public company errors in its financial reporting we now hold its significant officiers legally responsibile. That has created immense focus on many areas of security left neglected in the past. It seems we may need similar incentives to motivate focus on protecting customer personal information at any point it comes into contact with a company's systems. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?