This week, it was reported that a Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp. Although the size and scope of the breach are not yet determined, Krebs on Security reported that Oracle had detected malicious code on more than 700 infected MICROS systems. Oracle’s MICROS is among the top three point-of-sale vendors globally, and sells point-of-sale (POS) systems used at more than 330,000 cash registers worldwide.
A source briefed on the investigation says the breach likely started with a single infected system inside Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems. Sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in to the support Web site.
As with any data breach, the aftermath is often a lengthy process to navigate. Oracle is forcing a password reset for all support accounts on the MICROS portal, and hopefully MICROS customers can avoid any havoc the malware intrusion could wreak. But the fear of what could be is real: attackers could use the compromised credentials to remotely upload card-stealing malware onto exposed MICROS point-of-sale systems.
Malware – Silent and Stealthy
Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.
POS-based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of POS vendors. The malware is usually installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.
Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.
This recent hack wasn’t the first time MICROS was the target of malware. A year ago, researchers discovered MalumPoS, a memory-scraping malware program created to steal the payment card information encoded on the magnetic stripe of payment cards, which was designed to collect data from POS systems running on the Oracle MICROS platform.
EMV was once “Touted” as the Cure for Breaches
Last October, retailers and banks began replacing regular magnetic stripe card readers with EMV as the in-store counterfeit fraud liability shifted from card issuers like Visa and MasterCard to banks and merchants. The mandate came amid high-profile breaches of retailers like Home Depot and Target, and perhaps because of this timing, a mindset developed that EMV technology would stop the breaches from happening.
Retailers and industry experts alike looked to EMV to provide enhanced security and protection of debit/credit cards. But in spite of industry assurances that EMV guarantees more security, malware data breaches continue at a record pace.
Proof that EMV is not a silver bullet came recently at the Black Hat USA conference in Las Vegas, where security researchers at payment technology company NCR demonstrated a basic, yet obvious, security flaw.
Nir Valtman and Patrick Watson of NCR demonstrated attack methods that can intercept credit card data at both the software (POS system) and hardware (device) level, and can even capture PIN and CVV codes.
“There’s a common misperception EMV solves everything. It doesn’t,” said Patrick Watson, one of NCR’s researchers.
According to CNNMoney, which first reported the discovery, when a consumer swipes the magnetic stripe of a card that has a chip, the magnetic reader (device) is programmed to alert the payment machine (POS software). The machine then prompts the consumer to insert the card into the chip reader instead. But according to NCR, hackers can rewrite the code on the magnetic stripe so the card appears to be chipless, allowing thieves to keep counterfeiting just as they did before the nationwide switch to chip cards.
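The magnetic stripe carries no integrity protection, so the terminal cannot tell a rewritten stripe from a genuine one. The issuer can: it knows exactly what it encoded on each card, so an authorization host can parse the swiped track data and decline any swipe whose service code differs from the one on file. The following Go program is an added example of that issuer-side check; it is not code from the article, from NCR, or from any payment network. The card database, PANs (well-known test numbers), expiry dates and service code values are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Track2 holds the fields of an ISO/IEC 7813 track 2 record as a magnetic stripe reader delivers it.
type Track2 struct {
	PAN           string
	Expiry        string // YYMM
	ServiceCode   string // three digits, written by the issuer at card personalisation
	Discretionary string
}

// luhnValid reports whether the PAN passes the Luhn check-digit test.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ParseTrack2 parses the raw record ";PAN=YYMMSSSdd...?" into its fields, rejecting malformed input.
func ParseTrack2(raw string) (Track2, error) {
	if !strings.HasPrefix(raw, ";") || !strings.HasSuffix(raw, "?") {
		return Track2{}, errors.New("track 2: missing start or end sentinel")
	}
	body := raw[1 : len(raw)-1]
	sep := strings.IndexByte(body, '=')
	if sep < 0 {
		return Track2{}, errors.New("track 2: missing field separator")
	}
	pan, rest := body[:sep], body[sep+1:]
	if len(rest) < 7 {
		return Track2{}, errors.New("track 2: truncated expiry or service code")
	}
	for _, r := range pan + rest {
		if r < '0' || r > '9' {
			return Track2{}, errors.New("track 2: non-digit character")
		}
	}
	if len(pan) < 12 || len(pan) > 19 || !luhnValid(pan) {
		return Track2{}, errors.New("track 2: invalid PAN")
	}
	return Track2{PAN: pan, Expiry: rest[:4], ServiceCode: rest[4:7], Discretionary: rest[7:]}, nil
}

// issuedServiceCodes is a constructed stand-in for the issuer's card database: the service
// code the issuer actually wrote on each card. Both PANs are widely used test numbers.
var issuedServiceCodes = map[string]string{
	"4111111111111111": "201",
	"5500000000000004": "101",
}

// Decision is the authorization host's verdict on a swiped transaction.
type Decision struct {
	Approve bool
	Reason  string
}

// CheckSwipe is the issuer-side consistency check. A presented service code that differs
// from the issued one means the stripe has been re-encoded: decline and flag the terminal.
func CheckSwipe(raw string) (Decision, error) {
	t, err := ParseTrack2(raw)
	if err != nil {
		return Decision{}, err
	}
	issued, known := issuedServiceCodes[t.PAN]
	if !known {
		return Decision{Approve: false, Reason: "PAN not issued by us"}, nil
	}
	if t.ServiceCode != issued {
		return Decision{Approve: false, Reason: "service code mismatch: stripe re-encoded, flag terminal for review"}, nil
	}
	return Decision{Approve: true, Reason: "track data consistent with issued card"}, nil
}

func main() {
	// Constructed swipes: the first matches the issuer record, the second carries a rewritten
	// service code, the third is truncated.
	for _, raw := range []string{
		";4111111111111111=2512201000000?",
		";4111111111111111=2512101000000?",
		";4111111111111111=2512?",
	} {
		d, err := CheckSwipe(raw)
		fmt.Printf("%-34s approve=%-5v reason=%q err=%v\n", raw, d.Approve, d.Reason, err)
	}
}
```

The check is deliberately dumb: it does not interpret the service code at all, it only asks whether the stripe still says what the issuer wrote. That keeps the logic independent of which fallback trick is in fashion, and a mismatch is also a useful signal about the terminal that accepted the swipe.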
There are multiple ways in which POS terminals get infected with malware, but not many solutions that stop it. Encryption of card data in transit (within a POS system) and at rest (stored in the network) are both imperative, key steps in rendering card data useless to hackers looking to steal clear-text data. Encryption has gained ground in understanding and acceptance, but before it became a serious discussion among security experts, it took a backseat to EMV.
Black Hat/NCR Hacker Demo shows Point-to-Point Encryption is Necessary
The NCR researchers’ attack works because POI (point of interaction) devices such as card readers and PIN pads do not encrypt the data they send to the POS system software, nor do they authenticate to make sure they are talking to the correct counterpart.
NCR’s demo showed how simple it is for thieves to steal card data from a POS system as well as from an EMV card, but the researchers were also able to recommend a solution: to mitigate these attacks, P2PE needs to be implemented on POI devices.
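The two gaps named above, no encryption and no authentication between POI device and POS software, are exactly what point-to-point encryption closes. The Go program below is an added illustration of the principle; it is not Bluefin’s product, NCR’s demonstration code, or a PCI-validated implementation. The card reader seals the track data with AES-256-GCM under a device-unique key before anything reaches the POS host, the device identity and a transaction counter are bound into the authenticated data, and only the processor’s decryption environment holds the key. The fixed per-device key, the device ID, the key table and the sample track are all constructed for the example; a real P2PE deployment injects keys in a key-injection facility and usually derives a fresh key per transaction with DUKPT.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// deviceKeys is a constructed key table: one fixed 256-bit key per POI device. Real devices
// receive unique keys in a key-injection facility; the fixed key keeps the example stand-alone.
var deviceKeys = map[string][]byte{
	"POI-0001": bytes.Repeat([]byte{0x42}, 32),
}

// EncryptedSwipe is the only form in which card data leaves the POI device and crosses the
// POS software and the merchant network.
type EncryptedSwipe struct {
	DeviceID   string
	Counter    uint64 // per-device transaction counter, bound into the AAD
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext followed by the authentication tag
}

// aadFor binds device identity and counter to the ciphertext, so relabelling a message as
// another device's, or replaying it under a new counter, fails authentication.
func aadFor(deviceID string, counter uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, counter)
	return append([]byte(deviceID), b...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// POIDevice models the card reader or PIN pad: the one place clear-text track data exists.
type POIDevice struct {
	ID      string
	key     []byte
	counter uint64
}

// Encrypt seals the track data at the read head; the POS host only ever handles the result.
func (d *POIDevice) Encrypt(track []byte) (EncryptedSwipe, error) {
	gcm, err := newGCM(d.key)
	if err != nil {
		return EncryptedSwipe{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSwipe{}, err
	}
	d.counter++
	ct := gcm.Seal(nil, nonce, track, aadFor(d.ID, d.counter))
	return EncryptedSwipe{DeviceID: d.ID, Counter: d.counter, Nonce: nonce, Ciphertext: ct}, nil
}

// Decryptor models the processor's decryption environment: the keys never exist in the
// merchant's network, so a breach there yields only ciphertext.
type Decryptor struct {
	keys     map[string][]byte
	lastSeen map[string]uint64
}

func NewDecryptor(keys map[string][]byte) *Decryptor {
	return &Decryptor{keys: keys, lastSeen: map[string]uint64{}}
}

// Decrypt authenticates the device (a valid tag proves possession of that device's key),
// rejects replayed counters, and only then recovers the track data.
func (p *Decryptor) Decrypt(m EncryptedSwipe) ([]byte, error) {
	key, ok := p.keys[m.DeviceID]
	if !ok {
		return nil, errors.New("unknown device")
	}
	if m.Counter <= p.lastSeen[m.DeviceID] {
		return nil, errors.New("replayed or out-of-order counter")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(m.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed nonce")
	}
	track, err := gcm.Open(nil, m.Nonce, m.Ciphertext, aadFor(m.DeviceID, m.Counter))
	if err != nil {
		return nil, errors.New("authentication failed: tampered data or wrong device key")
	}
	p.lastSeen[m.DeviceID] = m.Counter
	return track, nil
}

// LeaksPAN models what a memory scraper on the POS host could find: the PAN as a digit string.
func LeaksPAN(m EncryptedSwipe, pan string) bool {
	return bytes.Contains(m.Ciphertext, []byte(pan))
}

func main() {
	dev := &POIDevice{ID: "POI-0001", key: deviceKeys["POI-0001"]}
	proc := NewDecryptor(deviceKeys)
	track := []byte(";4111111111111111=2512201000000?") // constructed sample track 2
	msg, _ := dev.Encrypt(track)
	fmt.Println("PAN visible on the POS host:", LeaksPAN(msg, "4111111111111111"))
	pt, err := proc.Decrypt(msg)
	fmt.Printf("processor recovered %q (err=%v)\n", pt, err)
	_, err = proc.Decrypt(msg)
	fmt.Println("same message a second time:", err)
}
```

The authentication tag does double duty here: it stops anyone on the POS host from altering the ciphertext, and because only the genuine device holds the key, a message that verifies is proof of which device produced it. That is the counterpart-authentication the NCR researchers found missing; the monotonic counter adds replay protection on top.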
Bluefin’s PCI-validated P2PE solutions encrypt cardholder data at the POI in a PCI-approved P2PE device, preventing clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach. In June 2016, Bluefin was issued its first patent on P2PE, Systems and Methods for Creating Fingerprints of Encryption Devices, with additional patents pending.