Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/10/2015
01:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Point-of-Sale Device Manufacturer Investigating Card Breach At Soup Franchise

Are remote administration exploits or new malware strains to blame for the compromise of NEXTEP devices at Zoup! soup shops?

Point-of-sale system manufacturer NEXTEP is investigating a possible data breach, after law enforcement notified them about a pattern of fraudulent use of credit cards used recently at several franchise locations of one of NEXTEP's biggest customers -- Zoup!, a soup shop chain in the Northern U.S. and Canada. 

Details are still sketchy. NEXTEP confirmed to Brian Krebs of KrebsOnSecurity that it had found a security issue in its PoS devices, but the nature of that issue has not yet been revealed. No PoS malware have been mentioned. However, NEXTEP has also said that the problem does not affect all of its customers, so it could relate to the implementation of NEXTEP systems at different companies. 

Over the summer, the attack de rigeur was breaching PoS systems by exploiting companies' remote administration tools and uploading malware like Backoff that exflitrated magnetic stripe data residing on PoS devices. It's possible that this latest incident is similar, but no evidence to that effect has been released yet. Some things can be inferred, though. 

"The NEXTEP Systems breach affected more than one location, which indicates this breach occurred over the network versus at the hands of employees," says Paul Martini, CEO of iboss Cybersecurity. Martini says that this problem can get worse.

"As more advanced protocols that go beyond web-based http protocols continue to be used more and more, the security systems in place will have to learn to secure them," says Martini. "For now, most security platforms focus only on HTTP web protocols. They are either blind to the fact that the protocols being used to exfiltrate data and infect systems are non-http, or are simply ignoring it because they cannot handle non-web http data. The cybersecurity platforms of the future will deal with sensing and containing communication over non-standard protocols. Until this happens, hacks like this will continue to occur on a daily basis.”

George Rice, senior director of payments for HP Security Voltage says that restaurants, in particular, are more at risk than other kinds of brick-and-mortar companies that use point-of-sale systems. 

"Legacy point-of-sale systems for the restaurant industry may use non-encrypting integrated magstripe readers for card acceptance," says Rice. "In addition, newer technologies, like pay-at-the-table and mobile payment terminals must safely capture and transmit payment card data, often via WiFi or cellular networks for authorization."

[Why are magstripe readers and mobile payment systems potential problems? See "7 Things You Should Know About Secure Payment Technology."]

"Frequently, restaurant franchisees are often given the flexibility of managing their own POS systems," says Rice, "which makes brand-wide payment security a big challenge."

This poses a major problem for brands, because regulating bodies and the Federal Trade Commission may assign liability for breaches to the brand, not the franchisee, anyway, as they ruled in a case against the Wyndham Worldwide hotel corporation. Dark Reading discussed this in a story about the breach that hit 395 of Dairy Queen's franchise locations in August. 

"Breaches like this will continue until two key processes change," says Rice. "First, restaurants need to implement [point-to-point encryption] so that payment information is encrypted at the time of capture and can be safely stored until the transaction is sent to a secure decryption environment.  Equally important, transaction approval responses should be in the form of a token instead of original card values so that the business operator may safely store the payment information for future use.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BogdanShumei
100%
0%
BogdanShumei,
User Rank: Apprentice
3/13/2015 | 12:30:22 PM
System Break
Well, such system brakes are frequent nowadays but with constand development companies like b2bsoft.com are creating more secure environment
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-11094
PUBLISHED: 2020-06-04
The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as ...