Endpoint

1/2/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Forever 21 Found Malware and Encryption Disabled on its PoS Devices

The retailer found signs of unauthorized access and malware installed on point-of-sale devices during an investigation into last year's data breach.

Forever 21's investigation into a data breach first reported in November 2017 has revealed malware planted on the retailer's point-of-sale systems (PoS) as well as encryption disabled on some of the devices.

The retailer, which had been using encryption on its payment system since 2015, received a report in mid-October indicating unauthorized access to payment card data at certain stores.

Following an investigation with payment technology and security firms, Forever 21 said in an update posted late last week that encryption technology on some point-of-sale (PoS) devices was not always on, and that it had found signs of unauthorized network access and malware installed on PoS devices to search for payment card data.

The malware searched for track data from payment cards as they were processed through the PoS system. In most cases this data was limited to card number, expiration date, and internal verification code. Occasionally, the cardholder name was also found.

Encryption had been disabled and malware installed on some devices at varying times in US stores from April 3, 2017 through November 18, 2017. Some locations only experienced a breach for a few days or weeks; others were hit for most or all of the timeframe. In most cases, only one or a few of PoS devices were affected at each outlet.

Forever 21 stores also each have a device to keep track of completed payment card transaction authorizations. Payment card data was stored in these devices while encryption was off. Investigators found malware installed on log devices in certain stores. At these locations, if encryption was disabled on a PoS device prior to April 3, 2017 and data was still recorded on the log file, the malware could have discovered the unencrypted data.

The company reports it's working with payment processors, its PoS device provider, and third-party experts to address encryption on PoS devices at all of its retail outlets. It's also investigating whether this incident affected stores outside the US, which use different payment systems. Payment cards used on Forever21.com were not affected.

Retail is a hot target for cybercriminals who know they can make decent money swiping credit card numbers and selling them on the Dark Web. Bigger targets with millions of customers are the hardest hit, says Mark Cline, vice president at Netsurion. Indeed, Whole Foods and Nissan Canada are two more examples of massive retailers with large customer bases and recently reported security breaches.

"If retail businesses haven't hardened their IT and POS security, they should start now to protect themselves from PoS malware, ransomware, and other threats," he says. They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection."

Forever 21 urges customers to review card statements for unauthorized activity and report unauthorized activity to their card issuer.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 12:28:02 PM
Re: PoS exploited
Not similiar.  Target POS systems were secure and the servers were secure BUT for a few seconds, data in transit from POS to SERVER ws not encrypted at all.  The theft involved just sitting in their cars and collecting the unsecure data transit.  
shyguygav
50%
50%
shyguygav,
User Rank: Apprentice
1/3/2018 | 10:22:02 AM
PoS exploited
Eerily similar to the target breach of 2013
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Typin' in my password. Somebody's shoulder surfin'. Woooh!
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11329
PUBLISHED: 2018-05-22
The DrugDealer function of a smart contract implementation for Ether Cartel, an Ethereum game, allows attackers to take over the contract's ownership, aka ceoAnyone. After that, all the digital assets (including Ether balance and tokens) might be manipulated by the attackers, as exploited in the wil...
CVE-2018-11363
PUBLISHED: 2018-05-22
jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-based buffer over-read.
CVE-2018-11364
PUBLISHED: 2018-05-22
sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in libreadstat.a in ReadStat 0.1.1 has a memory leak related to an iconv_open call.
CVE-2018-11365
PUBLISHED: 2018-05-22
sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an infinite loop.
CVE-2018-11339
PUBLISHED: 2018-05-22
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.