Dark Reading is part of the Informa Tech Division of Informa PLC



3/10/2015
01:00 PM

Point-of-Sale Device Manufacturer Investigating Card Breach At Soup Franchise

Are remote administration exploits or new malware strains to blame for the compromise of NEXTEP devices at Zoup! soup shops?

Point-of-sale system manufacturer NEXTEP is investigating a possible data breach, after law enforcement notified it about a pattern of fraudulent use of credit cards used recently at several franchise locations of one of NEXTEP's biggest customers -- Zoup!, a soup shop chain in the Northern U.S. and Canada.

Details are still sketchy. NEXTEP confirmed to Brian Krebs of KrebsOnSecurity that it had found a security issue in its PoS devices, but the nature of that issue has not yet been revealed. No PoS malware has been mentioned. However, NEXTEP has also said that the problem does not affect all of its customers, so it could relate to the implementation of NEXTEP systems at different companies.

Over the summer, the attack de rigueur was breaching PoS systems by exploiting companies' remote administration tools and uploading malware like Backoff that exfiltrated magnetic stripe data residing on PoS devices. It's possible that this latest incident is similar, but no evidence to that effect has been released yet. Some things can be inferred, though.

"The NEXTEP Systems breach affected more than one location, which indicates this breach occurred over the network versus at the hands of employees," says Paul Martini, CEO of iboss Cybersecurity. Martini says that this problem can get worse.

"As more advanced protocols that go beyond web-based http protocols continue to be used more and more, the security systems in place will have to learn to secure them," says Martini. "For now, most security platforms focus only on HTTP web protocols. They are either blind to the fact that the protocols being used to exfiltrate data and infect systems are non-http, or are simply ignoring it because they cannot handle non-web http data. The cybersecurity platforms of the future will deal with sensing and containing communication over non-standard protocols. Until this happens, hacks like this will continue to occur on a daily basis."

George Rice, senior director of payments for HP Security Voltage, says that restaurants, in particular, are more at risk than other kinds of brick-and-mortar companies that use point-of-sale systems.

"Legacy point-of-sale systems for the restaurant industry may use non-encrypting integrated magstripe readers for card acceptance," says Rice. "In addition, newer technologies, like pay-at-the-table and mobile payment terminals must safely capture and transmit payment card data, often via WiFi or cellular networks for authorization."

[Why are magstripe readers and mobile payment systems potential problems? See "7 Things You Should Know About Secure Payment Technology."]

"Frequently, restaurant franchisees are often given the flexibility of managing their own POS systems," says Rice, "which makes brand-wide payment security a big challenge."

This poses a major problem for brands, because regulating bodies and the Federal Trade Commission may assign liability for breaches to the brand rather than the franchisee, as they ruled in a case against the Wyndham Worldwide hotel corporation. Dark Reading discussed this in a story about the breach that hit 395 of Dairy Queen's franchise locations in August.

"Breaches like this will continue until two key processes change," says Rice. "First, restaurants need to implement [point-to-point encryption] so that payment information is encrypted at the time of capture and can be safely stored until the transaction is sent to a secure decryption environment. Equally important, transaction approval responses should be in the form of a token instead of original card values so that the business operator may safely store the payment information for future use."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
 

Comments
BogdanShumei,
User Rank: Apprentice
3/13/2015 | 12:30:22 PM
System Break
Well, such system breaks are frequent nowadays, but with constant development, companies like b2bsoft.com are creating a more secure environment.