Attacks/Breaches

12/12/2014
05:45 PM
50%
50%

Attackers Turn Focus To PoS Vendors

The recently reported attack on Charge Anywhere puts the payment solutions provider on a list of PoS vendors attacked this year.

This week, the payment gateway solution provider Charge Anywhere revealed that it had been victimized by a data breach that may have compromised data going as far back as 2009.

Charge Anywhere provides payment gateway services, cloud point-of-sale (PoS) solutions, mobile PoS, and other technologies aimed at banks, enterprises, and payment processors. The attack stands as another example of hackers targeting payment card data by going after PoS vendors, as opposed to just merchants.

In September, the PoS system vendor Signature Systems acknowledged it was the source of a breach in which an attacker gained access to a username and password the company used to access PoS systems remotely; the attacker used that name and password to install data-stealing malware. In June, Information Systems & Supplies announced that it had been breached, and that customer data had been exposed.

"I would expect attacks like this to become more frequent and more widespread for the reason that seems to be underreported on this breach -- the substantial increase in mobile payments due to ease of use, and the ability to accept payments quickly, especially to smaller businesses," says CounterTack vice president of security strategy Tom Bain. "Users expect and have a blind trust in applications that support their business -- and just expect that security measures are taken to protect them. In just a six-month span this year, mobile malware attacks have increased [by six times] globally."

According to Charge Anywhere, an investigation began when the company was asked to look into fraudulent charges that appeared on cards that had been used legitimately at certain merchants. The investigation revealed that an attacker gained access to the network and installed malware that was then used to create the ability to capture segments of outbound network traffic. Though most of the outbound traffic was encrypted, "the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests," the company says on its website.

The malware was discovered Sept. 22.

"During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified," according to the company. "Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."

Chris Messer, vice president of technology at the private cloud and managed IT services provider Coretelligent, argues that the outbound encryption element of this story and the technical details that are not being shared raise flags. The Charge Anywhere breach reinforces the need for all organizations that entrust their data to outside parties to perform due diligence to ensure those third parties are adhering to industry standard best practices and reference architecture designs.

"The statement by Charge Anywhere in and of itself is rather contradictory, likely indicating that they were not leveraging full end-to-end encryption for all data during transmission, and there were clearly technical shortcomings to their architecture that the attackers were able to exploit in order to sniff/collect their raw data traffic containing this transactional data," he says. "It is also possible that their production network was not properly segmented, allowing an insecure workstation to directly access their production network where transactional data was being processed/transmitted."

Lancope CTO TK Keanini says he expects aggregation points in other sectors to be at higher risk, as well.

"I do expect to see more of this because of two factors. Everyone is growing more and more connected -- customers, partners, firms -- and in this mesh, the attacker can pick any entry point, no matter where they want to ultimately target. The second factor is, with this hyperconnectivity, attackers can go after targets that aggregate information instead of having to compromise individual systems," he says. "Why go after 1,000 targets when those 1,000 targets all aggregate at a single point of compromise? This pattern is not new. It is just the smart way to go about doing the work."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/14/2014 | 11:51:04 PM
Encryption
On the one hand, maybe they deserve a teensy bit of a pass (in the court of public opinion -- though not in actual courts of law) because the breaches appear to go back five years, but in this day and age, there's really no excuse for failing to use end-to-end encryption.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.