News of any breach affecting the internal network at Verifone – the largest payment terminal player in the United States, and the second-largest in the world, operating in 150 countries – is concerning, since attackers could potentially have accessed not only payment card data but also software code and schematics related to the integrity and security of Verifone’s devices and infrastructure.
But Verifone says that digital forensic investigators have found no evidence of any such outcomes.
“According to third-party forensic teams, this cyber attempt was limited to approximately two dozen U.S. gas station convenience stores and occurred over a short time period,” Verifone spokesman Andy Payment tells Information Security Media Group. “No other merchants were targeted and the integrity of our payment networks and Verifone’s payment terminals remained secure and fully operational.”
Verifone offers a range of products for gas stations, including pay-at-the-pump systems with built-in video screens, physical payment terminals located inside stores, as well as remote service and technical support.
News of the breach investigation was first reported by security blogger Brian Krebs, who says that British digital forensics firm Foregenix has been investigating the breach. He also published a Jan. 21 internal memo from Verifone to “all staff and contractors,” which said that as a result of “an IT control matter” the firm would be requiring all employee passwords to be changed within 24 hours, and that end users would no longer be able to “load any additional software” onto their desktop or laptop, unless authorized by the IT service desk.
While that is no smoking gun, it suggests that an end user may have inadvertently installed software on their PC that led to the breach.
MasterCard, Visa Alerted
Verifone declined to comment on how the breach occurred or exactly how it was detected, other than to say that “Verifone’s information security team identified evidence of this very limited cyber intrusion into our corporate network in January 2017, and we proactively notified Visa, MasterCard and other card schemes.”
A MasterCard spokesman says the organization is aware of the breach, but directed all related questions to Verifone. “This is a Verifone event; MasterCard systems were not impacted,” he tells ISMG. He added that any MasterCard users “are not responsible for purchases made with a lost or stolen card” and recommended anyone who suspected that their card had been used fraudulently “contact the bank or credit union that issues their card for assistance and more information.”
Visa couldn’t be immediately reached for comment.
Verifone says that after it discovered the breach it “immediately implemented additional security controls across its corporate networks” – although it didn’t detail what those controls might have been – and brought in law enforcement agencies to investigate. It has also been reviewing what type of information attackers were trying to target, although it has released no related details to date.
“It is also worth noting that there have been no adverse events or misuse of any data resulting from this incident,” Verifone’s Payment says. “We believe that our immediate response and coordination with partners and agencies has made the potential for misuse of information extremely limited.”
Industry on Edge After MICROS Breach
While the full details of the Verifone breach have yet to come to light, industry watchers will be tracking it closely to see if it was an attempt to mess with the code that runs on its payment-terminal devices. Enterprising hackers might, for example, sneak malware into the firmware a manufacturer uses to run its terminals, thus allowing attackers to later remotely siphon details for any payment cards that passed through infected terminals.
Such attacks appear to have hit at least some payment-terminal makers. Last year, Oracle warned that it had found “malicious code in certain legacy MICROS systems.” Acquired by Oracle in 2014, MICROS builds POS software and hardware that it says gets used across 330,000 customer sites in 180 countries.
That warning led Alex Holden, CISO at security and digital forensics firm Hold Security, to investigate whether other POS vendors might also have been targeted and breached. And Holden told ISMG that he identified at least 10 other POS vendors that also appeared to have been compromised, although he would only name Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. He reported that “anywhere from 14 GB to 16 GB” of data in total had been exfiltrated from the 10 affected POS service providers.