11/25/2015
12:15 PM
Hilton Data Breach Focuses Attention On Growing POS Malware Threat

Analysts expect an increase in POS attacks against retailers and others during this holiday shopping season.

News this week about a data breach at Hilton Worldwide has focused attention on what many security researchers say is an uptick in the use of point-of-sale (POS) system malware to steal payment card data from retailers and other organizations.

Hilton on Tuesday confirmed that unknown attackers had broken into some of its POS systems and stolen names, card numbers, expiration dates and security codes belonging to an unspecified number of credit and debit cardholders. Personal identification numbers (PINs) and addresses were not compromised, the company said.


Hilton’s statement suggests that hackers had access to its POS systems for a total of at least 17 weeks spanning two different time periods, the first between Nov. 18 and Dec. 5, 2014 and the second between April 21 and July 27, 2015.

Hilton did not say whether this meant it suffered two separate incursions or whether the same hackers who had accessed its POS systems in 2014 accessed them again this year. As has become standard in such situations, the company has offered one year of free credit monitoring services to customers impacted by the breach.

Hilton is the second hotel chain to announce a breach in the past several days. Just last week, Starwood Hotels -- the owner of brands like Sheraton, Westin, and W Hotels -- disclosed that hackers had breached POS systems at over two dozen of its properties.

Like Hilton, Starwood did not disclose the number of people affected by the breach but confirmed that sensitive cardholder data had been compromised. In Starwood’s case, the relevant POS systems appear to have been attacked separately over a time span starting November 2014 and continuing through the end of June 2015.

The POS malware responsible for the attacks on Hilton and Starwood has not been named. No indication has yet been given that the stealthy ModPOS, detailed by iSIGHT Partners this week, was to blame.

The breaches are just the beginning of what security analysts predict will be a spate of attacks on vulnerable POS systems this holiday season. “Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain” for retailers and businesses in the hospitality industry, said Mark Bower, global director of product management for HPE Security, following the recent attack on Starwood.

“A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” said Bower.

The holiday shopping rush creates the perfect opportunity for attackers to target POS systems, compliance services provider Trustwave said in a recent report. According to the company, some 40 percent of breaches in 2014 were POS-related, with almost all of them resulting from remote access vulnerabilities and weak passwords. Attackers targeted POS systems using at least 70 individual POS malware tools. Input validation errors stemming from SQL injection flaws and unpatched vulnerabilities caused 75 percent of the breaches that Trustwave reviewed.

Such issues could pose even bigger concerns this year, say some security vendors. For one thing, retailers are still only working to meet PCI 3.0 compliance requirements, says Chris Strand, senior director of compliance at Bit9+Carbon Black.

This is also the first holiday shopping season after the EMV liability shift went into effect, which means that in the event of payment card fraud, whichever party -- merchant or card issuer -- has failed to implement EMV Chip-and-PIN technology is the one stuck with liability for the fraud. Thus, EMV will now be in greater use, and many consumers will have an entirely new purchasing experience this season.

The approaching end of life for Windows XP Embedded in January adds to the problem, says Strand, since many POS systems still run that operating system.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
Dr.T (User Rank: Ninja), 11/29/2015 | 11:54:48 AM
Re: POS
I think we should skip EMV and jump to Apple Pay or Google Pay directly. It is more secure and convenient.
Dr.T (User Rank: Ninja), 11/29/2015 | 11:52:05 AM
Dumb POS
Maybe we need to make POS as dumb as possible, so there is less opportunity for it to be vulnerable to attacks.

Joe Stanganelli (User Rank: Ninja), 11/28/2015 | 11:58:33 PM
Re: POS
@Ryan: Well, that's the whole problem. That education *shouldn't* fall to the merchants; it should fall to the credit card companies compelling the switch.

But good luck with that.
Joe Stanganelli (User Rank: Ninja), 11/28/2015 | 11:57:15 PM
Re: POS Exploitation
@Ryan: My feeling is that that's by design -- that many large enterprises have determined the risk worth it compared to the cost. (Reminds me of how the TJX CIO, prior to their major breach some years back, sent out a memo explicitly saying that it made more budgetary sense to hold off on PCI-DSS compliance -- and outright daring anyone to stand up to him.)
RyanSepe (User Rank: Ninja), 11/28/2015 | 9:59:00 PM
Re: POS
We've all seen the futzing first hand... If merchants don't find a more efficient education process, then EMV could lose popularity.
RyanSepe (User Rank: Ninja), 11/28/2015 | 9:18:55 PM
POS Exploitation
It seems that many companies don't take the data threat seriously until they are burnt, especially when it comes to POS...

With the trend of data breaches involving POS, it is irresponsible to handle business as status quo.
Joe Stanganelli (User Rank: Ninja), 11/27/2015 | 11:46:34 PM
POS
The funny thing is that now that EMV cards have been introduced and more stores are taking them, there is a lot of futzing about at points of sale as cashiers attempt to educate consumers on how to insert their new chip card into the new system.

This could make it easier for a bad guy to insert a skimmer into a POS device (and yes, even EMV is vulnerable to skimming and MitM attacks).