12/12/2014 05:45 PM

Attackers Turn Focus To PoS Vendors

The recently reported attack on Charge Anywhere puts the payment solutions provider on a list of PoS vendors attacked this year.

This week, the payment gateway provider Charge Anywhere disclosed a data breach in which an attacker may have had access to payment card data going as far back as 2009.

Charge Anywhere provides payment gateway services, cloud point-of-sale (PoS) solutions, mobile PoS, and other technologies aimed at banks, enterprises, and payment processors. The attack is another example of attackers going after PoS vendors, rather than only merchants, to reach payment card data.

In September, the PoS system vendor Signature Systems acknowledged it was the source of a breach in which an attacker gained access to a username and password the company used to access PoS systems remotely; the attacker used that name and password to install data-stealing malware. In June, Information Systems & Supplies announced that it had been breached, and that customer data had been exposed.

"I would expect attacks like this to become more frequent and more widespread for the reason that seems to be underreported on this breach -- the substantial increase in mobile payments due to ease of use, and the ability to accept payments quickly, especially to smaller businesses," says CounterTack vice president of security strategy Tom Bain. "Users expect and have a blind trust in applications that support their business -- and just expect that security measures are taken to protect them. In just a six-month span this year, mobile malware attacks have increased [by six times] globally."

According to Charge Anywhere, the investigation began when the company was asked to look into fraudulent charges on cards that had been used legitimately at certain merchants. It found that an attacker had gained access to the network and installed malware that captured segments of outbound network traffic. Most of the outbound traffic was encrypted, but "the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests," the company says on its website.

The malware was discovered Sept. 22.

"During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified," according to the company. "Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
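The capture-and-extract step Charge Anywhere describes, reduced to a runnable scan. This is an added example, not code from the article or from Charge Anywhere: the article says nothing about the message formats involved, so the captured segments below are constructed (two opaque TLS-like records, one HTTP-style authorization request sent in the clear, a settlement message carrying a 16-digit reference number that is not a card number, and a second clear-text authorization with a space-separated PAN), and the card numbers are the public Visa and American Express test numbers. The point it makes is the one in the company's statement: once a sniffer sits on the egress path, any authorization request that is not encrypted end to end is harvestable with a regex and a Luhn check, and the same scan run by the defender over its own egress traffic would have flagged those messages.

```python
"""
Added example (not from the article or from Charge Anywhere): scan captured
outbound segments for plaintext primary account numbers (PANs). The logic a
sniffer applies to harvest card numbers from unencrypted authorization
requests is the same logic an egress/DLP check can run to catch them before
they leave the network. All payloads below are constructed; the card numbers
are the public Visa and American Express test numbers.
"""
import hashlib
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer digit run. Luhn filters out the false positives.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and last four digits, as a log entry may under PCI DSS."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(segment: bytes) -> list[str]:
    """Return the Luhn-valid PANs found in one captured segment."""
    text = segment.decode("latin-1")  # lossless 1:1 mapping of raw bytes
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_capture(segments: list[bytes]) -> list[tuple[int, list[str]]]:
    """Index of each segment that carries a PAN in the clear, PANs masked."""
    findings = []
    for i, seg in enumerate(segments):
        pans = find_pans(seg)
        if pans:
            findings.append((i, [mask(p) for p in pans]))
    return findings


# Constructed capture. Fixed SHA-256 digests stand in for TLS ciphertext; the
# message formats are hypothetical, the article does not describe them.
CAPTURE = [
    hashlib.sha256(b"record 1").digest() * 4,
    b"POST /gateway/auth HTTP/1.1\r\nHost: gw.example\r\n\r\n"
    b"pan=4111111111111111&exp=1216&amt=001999&cvv=123&ref=1234567890123456",
    hashlib.sha256(b"record 2").digest() * 4,
    b"settle|ref=1234567890123456|amt=001999",
    b"auth|pan=3782 822463 10005|exp=0917|amt=004250",
]

if __name__ == "__main__":
    for idx, pans in audit_capture(CAPTURE):
        print(f"segment {idx}: plaintext PAN(s) {pans}")
```

Run as a script it reports segments 1 and 4; the 16-digit reference number in segments 1 and 3 fails the Luhn check and is ignored, and the opaque records yield nothing, which is exactly the difference between the "most of the outbound traffic was encrypted" messages and the ones the attacker could read.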

Chris Messer, vice president of technology at the private cloud and managed IT services provider Coretelligent, argues that the outbound encryption element of the story, and the technical details that are not being shared, raise red flags. The Charge Anywhere breach reinforces the need for any organization that entrusts its data to outside parties to perform due diligence and confirm that those third parties adhere to industry standard best practices and reference architecture designs.

"The statement by Charge Anywhere in and of itself is rather contradictory, likely indicating that they were not leveraging full end-to-end encryption for all data during transmission, and there were clearly technical shortcomings to their architecture that the attackers were able to exploit in order to sniff/collect their raw data traffic containing this transactional data," he says. "It is also possible that their production network was not properly segmented, allowing an insecure workstation to directly access their production network where transactional data was being processed/transmitted."

Lancope CTO TK Keanini says he expects aggregation points in other sectors to be at higher risk, as well.

"I do expect to see more of this because of two factors. Everyone is growing more and more connected -- customers, partners, firms -- and in this mesh, the attacker can pick any entry point, no matter where they want to ultimately target. The second factor is, with this hyperconnectivity, attackers can go after targets that aggregate information instead of having to compromise individual systems," he says. "Why go after 1,000 targets when those 1,000 targets all aggregate at a single point of compromise? This pattern is not new. It is just the smart way to go about doing the work."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments

Joe Stanganelli, 12/14/2014 | 11:51:04 PM
Encryption
On the one hand, maybe they deserve a teensy bit of a pass (in the court of public opinion -- though not in actual courts of law) because the breaches appear to go back five years, but in this day and age, there's really no excuse for failing to use end-to-end encryption.