Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/12/2014
05:45 PM
50%
50%

Attackers Turn Focus To PoS Vendors

The recently reported attack on Charge Anywhere puts the payment solutions provider on a list of PoS vendors attacked this year.

This week, the payment gateway solution provider Charge Anywhere revealed that it had been victimized by a data breach that may have compromised data going as far back as 2009.

Charge Anywhere provides payment gateway services, cloud point-of-sale (PoS) solutions, mobile PoS, and other technologies aimed at banks, enterprises, and payment processors. The attack stands as another example of hackers targeting payment card data by going after PoS vendors, as opposed to just merchants.

In September, the PoS system vendor Signature Systems acknowledged it was the source of a breach in which an attacker gained access to a username and password the company used to access PoS systems remotely; the attacker used that name and password to install data-stealing malware. In June, Information Systems & Supplies announced that it had been breached, and that customer data had been exposed.

"I would expect attacks like this to become more frequent and more widespread for the reason that seems to be underreported on this breach -- the substantial increase in mobile payments due to ease of use, and the ability to accept payments quickly, especially to smaller businesses," says CounterTack vice president of security strategy Tom Bain. "Users expect and have a blind trust in applications that support their business -- and just expect that security measures are taken to protect them. In just a six-month span this year, mobile malware attacks have increased [by six times] globally."

According to Charge Anywhere, an investigation began when the company was asked to look into fraudulent charges that appeared on cards that had been used legitimately at certain merchants. The investigation revealed that an attacker gained access to the network and installed malware that was then used to create the ability to capture segments of outbound network traffic. Though most of the outbound traffic was encrypted, "the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests," the company says on its website.

The malware was discovered Sept. 22.

"During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified," according to the company. "Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."

Chris Messer, vice president of technology at the private cloud and managed IT services provider Coretelligent, argues that the outbound encryption element of this story and the technical details that are not being shared raise flags. The Charge Anywhere breach reinforces the need for all organizations that entrust their data to outside parties to perform due diligence to ensure those third parties are adhering to industry standard best practices and reference architecture designs.

"The statement by Charge Anywhere in and of itself is rather contradictory, likely indicating that they were not leveraging full end-to-end encryption for all data during transmission, and there were clearly technical shortcomings to their architecture that the attackers were able to exploit in order to sniff/collect their raw data traffic containing this transactional data," he says. "It is also possible that their production network was not properly segmented, allowing an insecure workstation to directly access their production network where transactional data was being processed/transmitted."

Lancope CTO TK Keanini says he expects aggregation points in other sectors to be at higher risk, as well.

"I do expect to see more of this because of two factors. Everyone is growing more and more connected -- customers, partners, firms -- and in this mesh, the attacker can pick any entry point, no matter where they want to ultimately target. The second factor is, with this hyperconnectivity, attackers can go after targets that aggregate information instead of having to compromise individual systems," he says. "Why go after 1,000 targets when those 1,000 targets all aggregate at a single point of compromise? This pattern is not new. It is just the smart way to go about doing the work."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/14/2014 | 11:51:04 PM
Encryption
On the one hand, maybe they deserve a teensy bit of a pass (in the court of public opinion -- though not in actual courts of law) because the breaches appear to go back five years, but in this day and age, there's really no excuse for failing to use end-to-end encryption.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.