Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/10/2015
01:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Point-of-Sale Device Manufacturer Investigating Card Breach At Soup Franchise

Are remote administration exploits or new malware strains to blame for the compromise of NEXTEP devices at Zoup! soup shops?

Point-of-sale system manufacturer NEXTEP is investigating a possible data breach, after law enforcement notified them about a pattern of fraudulent use of credit cards used recently at several franchise locations of one of NEXTEP's biggest customers -- Zoup!, a soup shop chain in the Northern U.S. and Canada. 

Details are still sketchy. NEXTEP confirmed to Brian Krebs of KrebsOnSecurity that it had found a security issue in its PoS devices, but the nature of that issue has not yet been revealed. No PoS malware have been mentioned. However, NEXTEP has also said that the problem does not affect all of its customers, so it could relate to the implementation of NEXTEP systems at different companies. 

Over the summer, the attack de rigeur was breaching PoS systems by exploiting companies' remote administration tools and uploading malware like Backoff that exflitrated magnetic stripe data residing on PoS devices. It's possible that this latest incident is similar, but no evidence to that effect has been released yet. Some things can be inferred, though. 

"The NEXTEP Systems breach affected more than one location, which indicates this breach occurred over the network versus at the hands of employees," says Paul Martini, CEO of iboss Cybersecurity. Martini says that this problem can get worse.

"As more advanced protocols that go beyond web-based http protocols continue to be used more and more, the security systems in place will have to learn to secure them," says Martini. "For now, most security platforms focus only on HTTP web protocols. They are either blind to the fact that the protocols being used to exfiltrate data and infect systems are non-http, or are simply ignoring it because they cannot handle non-web http data. The cybersecurity platforms of the future will deal with sensing and containing communication over non-standard protocols. Until this happens, hacks like this will continue to occur on a daily basis.”

George Rice, senior director of payments for HP Security Voltage says that restaurants, in particular, are more at risk than other kinds of brick-and-mortar companies that use point-of-sale systems. 

"Legacy point-of-sale systems for the restaurant industry may use non-encrypting integrated magstripe readers for card acceptance," says Rice. "In addition, newer technologies, like pay-at-the-table and mobile payment terminals must safely capture and transmit payment card data, often via WiFi or cellular networks for authorization."

[Why are magstripe readers and mobile payment systems potential problems? See "7 Things You Should Know About Secure Payment Technology."]

"Frequently, restaurant franchisees are often given the flexibility of managing their own POS systems," says Rice, "which makes brand-wide payment security a big challenge."

This poses a major problem for brands, because regulating bodies and the Federal Trade Commission may assign liability for breaches to the brand, not the franchisee, anyway, as they ruled in a case against the Wyndham Worldwide hotel corporation. Dark Reading discussed this in a story about the breach that hit 395 of Dairy Queen's franchise locations in August. 

"Breaches like this will continue until two key processes change," says Rice. "First, restaurants need to implement [point-to-point encryption] so that payment information is encrypted at the time of capture and can be safely stored until the transaction is sent to a secure decryption environment.  Equally important, transaction approval responses should be in the form of a token instead of original card values so that the business operator may safely store the payment information for future use.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BogdanShumei
100%
0%
BogdanShumei,
User Rank: Apprentice
3/13/2015 | 12:30:22 PM
System Break
Well, such system brakes are frequent nowadays but with constand development companies like b2bsoft.com are creating more secure environment
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-19924
PUBLISHED: 2021-05-18
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
CVE-2020-20220
PUBLISHED: 2021-05-18
Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
CVE-2020-20227
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
CVE-2020-20245
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
CVE-2020-20246
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.