Point-of-sale system manufacturer NEXTEP is investigating a possible data breach, after law enforcement notified them about a pattern of fraudulent use of credit cards used recently at several franchise locations of one of NEXTEP's biggest customers -- Zoup!, a soup shop chain in the Northern U.S. and Canada.
Details are still sketchy. NEXTEP confirmed to Brian Krebs of KrebsOnSecurity that it had found a security issue in its PoS devices, but the nature of that issue has not yet been revealed. No PoS malware have been mentioned. However, NEXTEP has also said that the problem does not affect all of its customers, so it could relate to the implementation of NEXTEP systems at different companies.
Over the summer, the attack de rigeur was breaching PoS systems by exploiting companies' remote administration tools and uploading malware like Backoff that exflitrated magnetic stripe data residing on PoS devices. It's possible that this latest incident is similar, but no evidence to that effect has been released yet. Some things can be inferred, though.
"The NEXTEP Systems breach affected more than one location, which indicates this breach occurred over the network versus at the hands of employees," says Paul Martini, CEO of iboss Cybersecurity. Martini says that this problem can get worse.
"As more advanced protocols that go beyond web-based http protocols continue to be used more and more, the security systems in place will have to learn to secure them," says Martini. "For now, most security platforms focus only on HTTP web protocols. They are either blind to the fact that the protocols being used to exfiltrate data and infect systems are non-http, or are simply ignoring it because they cannot handle non-web http data. The cybersecurity platforms of the future will deal with sensing and containing communication over non-standard protocols. Until this happens, hacks like this will continue to occur on a daily basis.”
George Rice, senior director of payments for HP Security Voltage says that restaurants, in particular, are more at risk than other kinds of brick-and-mortar companies that use point-of-sale systems.
"Legacy point-of-sale systems for the restaurant industry may use non-encrypting integrated magstripe readers for card acceptance," says Rice. "In addition, newer technologies, like pay-at-the-table and mobile payment terminals must safely capture and transmit payment card data, often via WiFi or cellular networks for authorization."
[Why are magstripe readers and mobile payment systems potential problems? See "7 Things You Should Know About Secure Payment Technology."]
"Frequently, restaurant franchisees are often given the flexibility of managing their own POS systems," says Rice, "which makes brand-wide payment security a big challenge."
This poses a major problem for brands, because regulating bodies and the Federal Trade Commission may assign liability for breaches to the brand, not the franchisee, anyway, as they ruled in a case against the Wyndham Worldwide hotel corporation. Dark Reading discussed this in a story about the breach that hit 395 of Dairy Queen's franchise locations in August.
"Breaches like this will continue until two key processes change," says Rice. "First, restaurants need to implement [point-to-point encryption] so that payment information is encrypted at the time of capture and can be safely stored until the transaction is sent to a secure decryption environment. Equally important, transaction approval responses should be in the form of a token instead of original card values so that the business operator may safely store the payment information for future use.”