Endpoint

1/2/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Forever 21 Found Malware and Encryption Disabled on its PoS Devices

The retailer found signs of unauthorized access and malware installed on point-of-sale devices during an investigation into last year's data breach.

Forever 21's investigation into a data breach first reported in November 2017 has revealed malware planted on the retailer's point-of-sale systems (PoS) as well as encryption disabled on some of the devices.

The retailer, which had been using encryption on its payment system since 2015, received a report in mid-October indicating unauthorized access to payment card data at certain stores.

Following an investigation with payment technology and security firms, Forever 21 said in an update posted late last week that encryption technology on some point-of-sale (PoS) devices was not always on, and that it had found signs of unauthorized network access and malware installed on PoS devices to search for payment card data.

The malware searched for track data from payment cards as they were processed through the PoS system. In most cases this data was limited to card number, expiration date, and internal verification code. Occasionally, the cardholder name was also found.

Encryption had been disabled and malware installed on some devices at varying times in US stores from April 3, 2017 through November 18, 2017. Some locations only experienced a breach for a few days or weeks; others were hit for most or all of the timeframe. In most cases, only one or a few of PoS devices were affected at each outlet.

Forever 21 stores also each have a device to keep track of completed payment card transaction authorizations. Payment card data was stored in these devices while encryption was off. Investigators found malware installed on log devices in certain stores. At these locations, if encryption was disabled on a PoS device prior to April 3, 2017 and data was still recorded on the log file, the malware could have discovered the unencrypted data.

The company reports it's working with payment processors, its PoS device provider, and third-party experts to address encryption on PoS devices at all of its retail outlets. It's also investigating whether this incident affected stores outside the US, which use different payment systems. Payment cards used on Forever21.com were not affected.

Retail is a hot target for cybercriminals who know they can make decent money swiping credit card numbers and selling them on the Dark Web. Bigger targets with millions of customers are the hardest hit, says Mark Cline, vice president at Netsurion. Indeed, Whole Foods and Nissan Canada are two more examples of massive retailers with large customer bases and recently reported security breaches.

"If retail businesses haven't hardened their IT and POS security, they should start now to protect themselves from PoS malware, ransomware, and other threats," he says. They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection."

Forever 21 urges customers to review card statements for unauthorized activity and report unauthorized activity to their card issuer.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 12:28:02 PM
Re: PoS exploited
Not similiar.  Target POS systems were secure and the servers were secure BUT for a few seconds, data in transit from POS to SERVER ws not encrypted at all.  The theft involved just sitting in their cars and collecting the unsecure data transit.  
shyguygav
50%
50%
shyguygav,
User Rank: Apprentice
1/3/2018 | 10:22:02 AM
PoS exploited
Eerily similar to the target breach of 2013
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-10739
PUBLISHED: 2019-01-21
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possib...
CVE-2019-6499
PUBLISHED: 2019-01-21
Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.
CVE-2019-6500
PUBLISHED: 2019-01-21
In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.
CVE-2019-6498
PUBLISHED: 2019-01-21
GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c because strncpy is misused.
CVE-2019-6497
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.