Attacks/Breaches
8/21/2014
11:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

51 UPS Stores' Point-of-Sale Systems Breached

Customers will not receive individual breach notifications.

UPDATED Aug. 22: United Parcel Service (UPS) confirmed Wednesday that point-of-sale systems at 51 of its 4,470 franchise stores were breached, resulting in the theft of credit card data involved in approximately 105,000 transactions. "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations," according to UPS, in a statement.

Although UPS knows the number of transactions, it does not have all the information about the cardholders, and therefore will not be issuing individual breach notifications. Customers can check UPS.com for a list of affected stores.

July 31 the company investigated its networks after the Secret Service and Department of Homeland Security issued a report about threats in remote access software. This investigation led to the discovery that the systems were infected with Backoff, a malware family that goes after PoS systems and has made life difficult for many retailers. They believe the malware infection may have begun on January 20 -- but not until March 26 in most stores -- and was fully eradicated by August 11.

U.S. CERT released a new advisory about Backoff that follows up on a detailed advisory they released July 31.

“This type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, says Ken Westin, security analyst for Tripwire. "This family of point-of-sale malware goes as far back as October 2013; it relies on scraping unencrypted credit card data from the memory of infected devices, much like previously seen malware. The malware itself is sophisticated, but the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they installing the malware.”

The UPS breach is simply the newest in a string of big retail breaches like those at Target and P.F. Chang's.

"How many more point-of-sale breaches need to occur industry-wide before consumers rise up and start demanding proactive protection surrounding their personal information prior to the purchasing of goods and services from a company?" says Kyle Kennedy, CTO of STEALTHbits Technologies. "Is it time for a third-party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer and the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible?"

"As UPS basically admits that the attackers were in their systems, undetected for 4 to 8 months," says Aviv Raff, CTO and chief researcher of Seculert, "it shows the necessity of enterprises to start using security tools that are able to detect attacks not just in real time... but more importantly, over time" by analyzing historical and ongoing traffic logs.

The information that may have been exposed includes names, postal addresses, email addresses, and payment card information. Thus far UPS Store has no evidence of fraud arising from the incident, but it is offering credit monitoring and identity protection services to customers who might have been affected.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/25/2014 | 11:21:38 PM
Re: POS security?
It is getting there, but it will take time for retailers to catch up.  Until the Target breach many retailers viewed their POS systems as unaffected by malware.  Now they have to play catchup, which will take several years.
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/21/2014 | 8:34:01 PM
Re: POS security?
Excellent point!  Just as in any network, each device and application needs some form of security, even if it is encrypting the data being transmitted.  anyone with even the least bit of security training was taught this, but are retailers aware?  I think not.  It is up to us who work in the security field to train them.
vnewman2
100%
0%
vnewman2,
User Rank: Apprentice
8/21/2014 | 7:16:58 PM
Re: POS can be made hack proof
Wow.  Just wow. I don't think people are shocked to hear about data breaches - it's the price we pay for doing business the way we do. But, undetected for 8 months. Egad.

But kudos for them for being - let's say - "somewhat" proactive when they received the government bulletin and having an audit done.   Too bad the victims won't know they are victims until their own information get used against them!
MarkSitkowski
100%
0%
MarkSitkowski,
User Rank: Moderator
8/21/2014 | 6:53:55 PM
POS can be made hack proof
The trick to this, which few US retailers appear to have grasped, is to not have anything worth stealing on their systems. As long as there are card numbers and PIN's, hackers will find it rewarding to steal them. Although this article specifically refers to this week's other Great Breach, Supervalu, it is relevant to all POS systems. Take a look at Finextra article 'The Flaw in POS terminal security. Solved'
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
8/21/2014 | 1:27:08 PM
Re: Resonsibility and Repercussions
It's time to change the approach to cyber security, retailers most of all are seriously exposed to the risk of hack.

Anyway it will be interesting if the threat actor behind the attack is the same of the popular data breaches suffered by Target and other retailers.

Another element of interest is the real dimension of this data breach, how many customers were involved. 
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
8/21/2014 | 1:00:47 PM
POS security?
I have to be the first to ask, do any of these retailers ever stop to think that POS systems require their own security outside perimeter devices (Firewalls, IDS/IPS) which are protecting the overall network?  These sytems, while they might be limited in their overall functionality, are one of the most critical endpoints and need to be secured.  How many more of these breaches are required before POS systems become part of the overall security policy?
PaulH835
100%
0%
PaulH835,
User Rank: Apprentice
8/21/2014 | 12:58:34 PM
Resonsibility and Repercussions
When a company has an IT security breech the company replutation can be humilated, its stock impacted, and of course it can suffer business loss. But there does not seem to be any legal liability. If a public company errors in its financial reporting we now hold its significant officiers legally responsibile. That has created immense focus on many areas of security left neglected in the past. It seems we may need similar incentives to motivate focus on protecting customer personal information at any point it comes into contact with a company's systems. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.