Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/21/2014
11:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

51 UPS Stores' Point-of-Sale Systems Breached

Customers will not receive individual breach notifications.

UPDATED Aug. 22: United Parcel Service (UPS) confirmed Wednesday that point-of-sale systems at 51 of its 4,470 franchise stores were breached, resulting in the theft of credit card data involved in approximately 105,000 transactions. "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations," according to UPS, in a statement.

Although UPS knows the number of transactions, it does not have all the information about the cardholders, and therefore will not be issuing individual breach notifications. Customers can check UPS.com for a list of affected stores.

July 31 the company investigated its networks after the Secret Service and Department of Homeland Security issued a report about threats in remote access software. This investigation led to the discovery that the systems were infected with Backoff, a malware family that goes after PoS systems and has made life difficult for many retailers. They believe the malware infection may have begun on January 20 -- but not until March 26 in most stores -- and was fully eradicated by August 11.

U.S. CERT released a new advisory about Backoff that follows up on a detailed advisory they released July 31.

“This type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, says Ken Westin, security analyst for Tripwire. "This family of point-of-sale malware goes as far back as October 2013; it relies on scraping unencrypted credit card data from the memory of infected devices, much like previously seen malware. The malware itself is sophisticated, but the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they installing the malware.”

The UPS breach is simply the newest in a string of big retail breaches like those at Target and P.F. Chang's.

"How many more point-of-sale breaches need to occur industry-wide before consumers rise up and start demanding proactive protection surrounding their personal information prior to the purchasing of goods and services from a company?" says Kyle Kennedy, CTO of STEALTHbits Technologies. "Is it time for a third-party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer and the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible?"

"As UPS basically admits that the attackers were in their systems, undetected for 4 to 8 months," says Aviv Raff, CTO and chief researcher of Seculert, "it shows the necessity of enterprises to start using security tools that are able to detect attacks not just in real time... but more importantly, over time" by analyzing historical and ongoing traffic logs.

The information that may have been exposed includes names, postal addresses, email addresses, and payment card information. Thus far UPS Store has no evidence of fraud arising from the incident, but it is offering credit monitoring and identity protection services to customers who might have been affected.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/25/2014 | 11:21:38 PM
Re: POS security?
It is getting there, but it will take time for retailers to catch up.  Until the Target breach many retailers viewed their POS systems as unaffected by malware.  Now they have to play catchup, which will take several years.
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/21/2014 | 8:34:01 PM
Re: POS security?
Excellent point!  Just as in any network, each device and application needs some form of security, even if it is encrypting the data being transmitted.  anyone with even the least bit of security training was taught this, but are retailers aware?  I think not.  It is up to us who work in the security field to train them.
vnewman2
100%
0%
vnewman2,
User Rank: Strategist
8/21/2014 | 7:16:58 PM
Re: POS can be made hack proof
Wow.  Just wow. I don't think people are shocked to hear about data breaches - it's the price we pay for doing business the way we do. But, undetected for 8 months. Egad.

But kudos for them for being - let's say - "somewhat" proactive when they received the government bulletin and having an audit done.   Too bad the victims won't know they are victims until their own information get used against them!
MarkSitkowski
100%
0%
MarkSitkowski,
User Rank: Moderator
8/21/2014 | 6:53:55 PM
POS can be made hack proof
The trick to this, which few US retailers appear to have grasped, is to not have anything worth stealing on their systems. As long as there are card numbers and PIN's, hackers will find it rewarding to steal them. Although this article specifically refers to this week's other Great Breach, Supervalu, it is relevant to all POS systems. Take a look at Finextra article 'The Flaw in POS terminal security. Solved'
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
8/21/2014 | 1:27:08 PM
Re: Resonsibility and Repercussions
It's time to change the approach to cyber security, retailers most of all are seriously exposed to the risk of hack.

Anyway it will be interesting if the threat actor behind the attack is the same of the popular data breaches suffered by Target and other retailers.

Another element of interest is the real dimension of this data breach, how many customers were involved. 
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
8/21/2014 | 1:00:47 PM
POS security?
I have to be the first to ask, do any of these retailers ever stop to think that POS systems require their own security outside perimeter devices (Firewalls, IDS/IPS) which are protecting the overall network?  These sytems, while they might be limited in their overall functionality, are one of the most critical endpoints and need to be secured.  How many more of these breaches are required before POS systems become part of the overall security policy?
PaulH835
100%
0%
PaulH835,
User Rank: Apprentice
8/21/2014 | 12:58:34 PM
Resonsibility and Repercussions
When a company has an IT security breech the company replutation can be humilated, its stock impacted, and of course it can suffer business loss. But there does not seem to be any legal liability. If a public company errors in its financial reporting we now hold its significant officiers legally responsibile. That has created immense focus on many areas of security left neglected in the past. It seems we may need similar incentives to motivate focus on protecting customer personal information at any point it comes into contact with a company's systems. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...