12/12/2014 05:45 PM

Attackers Turn Focus To PoS Vendors

The recently reported attack on Charge Anywhere puts the payment solutions provider on a list of PoS vendors attacked this year.

This week, the payment gateway solution provider Charge Anywhere revealed that it had been victimized by a data breach that may have compromised data going as far back as 2009.

Charge Anywhere provides payment gateway services, cloud point-of-sale (PoS) solutions, mobile PoS, and other technologies aimed at banks, enterprises, and payment processors. The attack stands as another example of hackers targeting payment card data by going after PoS vendors, as opposed to just merchants.

In September, the PoS system vendor Signature Systems acknowledged it was the source of a breach in which an attacker obtained the username and password the company used to access its customers' PoS systems remotely; the attacker then used those credentials to install data-stealing malware. In June, Information Systems & Supplies announced that it had been breached and that customer data had been exposed.

"I would expect attacks like this to become more frequent and more widespread for the reason that seems to be underreported on this breach -- the substantial increase in mobile payments due to ease of use, and the ability to accept payments quickly, especially to smaller businesses," says CounterTack vice president of security strategy Tom Bain. "Users expect and have a blind trust in applications that support their business -- and just expect that security measures are taken to protect them. In just a six-month span this year, mobile malware attacks have increased [by six times] globally."

According to Charge Anywhere, an investigation began when the company was asked to look into fraudulent charges that appeared on cards that had been used legitimately at certain merchants. The investigation revealed that an attacker gained access to the network and installed malware that allowed it to capture segments of outbound network traffic. Though most of the outbound traffic was encrypted, "the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests," the company says on its website.

The malware was discovered Sept. 22.

"During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified," according to the company. "Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
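The failure mode described above, where most egress is encrypted but a few messages leave in the clear, is one a defender can test for directly: capture outbound traffic from the payment segment and look for primary account numbers in any segment that is not opaque. The script below is an added example, not code from Charge Anywhere or from the incident investigation; the sample segments, the pipe-delimited authorization message format and the `X-Order-Id` header are constructed for illustration. It classifies each segment as opaque or plaintext by the share of printable bytes, then scans plaintext segments for 13-19 digit runs that pass the Luhn check, reporting them masked.

```python
import re
from typing import Dict, List

# Constructed sample segments of outbound traffic (not real captures):
# segment 0 looks like a TLS application-data record (opaque bytes),
# segment 1 is a plaintext authorization request carrying a well-known
# test PAN, segment 2 is plaintext HTTP with a 16-digit order number
# that is not a card number.
SAMPLE_SEGMENTS = [
    b"\x17\x03\x03\x00\x2a" + bytes(range(0x80, 0x80 + 42)),
    b"MTI=0100|PAN=4111 1111 1111 1111|AMT=000000012500|MID=123456789012345\r\n",
    b"POST /status HTTP/1.1\r\nX-Order-Id: 1234567890123456\r\n\r\n",
]

# 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_plaintext(segment: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: encrypted or compressed traffic is mostly non-printable."""
    if not segment:
        return False
    printable = sum(1 for b in segment if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(segment) >= threshold


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs: digit runs of 13-19 digits that pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_segments(segments: List[bytes]) -> List[Dict]:
    """Classify each captured segment and list any plaintext PANs in it."""
    results = []
    for idx, seg in enumerate(segments):
        if not looks_plaintext(seg):
            results.append({"segment": idx, "kind": "opaque", "pans": []})
            continue
        pans = find_pans(seg.decode("ascii", errors="replace"))
        results.append({"segment": idx, "kind": "plaintext", "pans": pans})
    return results


if __name__ == "__main__":
    for r in scan_segments(SAMPLE_SEGMENTS):
        print(r)
```

Two caveats a practitioner should keep in mind: the Luhn check only removes roughly nine in ten random digit runs, so in a real capture pair it with the issuer BIN ranges your processor actually uses; and the printable-byte heuristic says nothing about the strength of the encryption on the opaque segments, only that nothing in them is readable as is. Run it over egress from the segment that handles authorization traffic, not over a single host, since the point of the exercise is to find the "certain outbound messages" that bypass the encrypted path.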

Chris Messer, vice president of technology at the private cloud and managed IT services provider Coretelligent, argues that the outbound encryption element of this story, together with the technical details that are not being shared, raises flags. The Charge Anywhere breach reinforces the need for any organization that entrusts its data to outside parties to perform due diligence and confirm that those third parties adhere to industry-standard best practices and reference architecture designs.

"The statement by Charge Anywhere in and of itself is rather contradictory, likely indicating that they were not leveraging full end-to-end encryption for all data during transmission, and there were clearly technical shortcomings to their architecture that the attackers were able to exploit in order to sniff/collect their raw data traffic containing this transactional data," he says. "It is also possible that their production network was not properly segmented, allowing an insecure workstation to directly access their production network where transactional data was being processed/transmitted."

Lancope CTO TK Keanini says he expects aggregation points in other sectors to be at higher risk, as well.

"I do expect to see more of this because of two factors. Everyone is growing more and more connected -- customers, partners, firms -- and in this mesh, the attacker can pick any entry point, no matter where they want to ultimately target. The second factor is, with this hyperconnectivity, attackers can go after targets that aggregate information instead of having to compromise individual systems," he says. "Why go after 1,000 targets when those 1,000 targets all aggregate at a single point of compromise? This pattern is not new. It is just the smart way to go about doing the work."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Joe Stanganelli (User Rank: Ninja), 12/14/2014 11:51:04 PM
Encryption
On the one hand, maybe they deserve a teensy bit of a pass (in the court of public opinion -- though not in actual courts of law) because the breaches appear to go back five years, but in this day and age, there's really no excuse for failing to use end-to-end encryption.