[BreachExchange] Paid in Full: Why the MICROS Data Breach Could be More than Meets the Eye

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 10 19:42:29 EDT 2016


https://digitalguardian.com/blog/paid-full-why-micros-data-breach-could-be-more-meets-eye

Data breaches come in all shapes and sizes. Some, like the attacks on
Target and Home Depot, are big, public, and expensive. Others can be small
and quiet, but no less expensive in the long run.

This week brings news of a smaller breach at MICROS, a maker of
point-of-sale (PoS) systems now owned by Oracle, involving the compromise
of a customer portal. The attack appears to have affected only about 700
customers, but that is just the surface damage. MICROS is one of the top
makers of PoS systems in the world and has more than 300,000 customers
spread around the globe, most of them in the hotel and restaurant
industries. When engineers at Oracle discovered malicious code in what the
company called legacy systems, Oracle notified customers last month and
then forced password resets for the portal that reportedly was compromised.

Going after PoS systems themselves is nothing new. The last couple of years
have seen several major attacks that involved PoS compromises, including
the Target data breach. That incident involved the use of memory scraping
malware that was placed on PoS terminals in a number of stores around the
United States and resulted in one of the larger breaches in history, both
in terms of customers affected and economic damage to the company itself.
There are many known strains of malware that target PoS systems
specifically, and although the breach at MICROS apparently didn’t involve
any access to PoS systems themselves, it’s another link in the chain of
these operations.

Attackers covet PoS systems for a number of reasons. First, they're lightly
defended, if they're defended at all. Many PoS terminals run no endpoint
security software, and where they do, many PoS malware families are built
to evade it. Second, those terminals are where the money is. The volume of
card data that passes through a terminal at even a small restaurant or
hotel on a given day can be hugely valuable to an attacker. Even though
many systems encrypt data as it's sent from the terminal to the back end,
there is a window between the card read and that encryption in which the
track data sits in cleartext in the terminal's memory, and memory scraping
malware can grab it there.
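As an added illustration, not part of the original article and not code
from MICROS, Oracle or any named malware, the scan below shows what a
memory scraper hunts for and what an incident responder can hunt for in a
process memory dump: magnetic-stripe Track 2 records in cleartext. It runs
over a constructed byte string standing in for a dump, uses a Luhn check to
drop digit runs that merely look like a PAN, and masks what it reports so
the finding can be logged safely. The PANs in the sample are published test
numbers; the surrounding bytes and the field values are assumptions for
illustration only.

```python
import re

# Constructed stand-in for a PoS process memory dump (not a real capture).
# Unrelated bytes surround two cleartext Track 2 records with well-known
# test PANs and one record whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00terminal=LANE07\x00"
    b";4111111111111111=27121010000012345678?\x00"
    b"\x90\x90\x90;1234567812345678=25011010000000000000?\x00"
    b";5555555555554444=26081011234567890123?\x00"
    b"\xde\xad\xbe\xef"
)

# Track 2 layout: start sentinel ';', PAN (13-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# RAM scrapers search memory for exactly this structure; so can a responder.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\?"
)


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; filters random digit runs that happen to fit the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four only, so findings can be logged without leaking PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return Luhn-valid Track 2 records found in buf, with PANs masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        if not luhn_ok(m.group("pan")):
            continue  # looks like a PAN but is not one: skip
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(m.group("pan").decode("ascii")),
            "expiry": m.group("exp").decode("ascii"),
            "service_code": m.group("svc").decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

Run against the constructed sample, the scan reports the two records with
valid PANs and ignores the one that fails Luhn. Against the same data after
it has been encrypted for transport the scan finds nothing, because the
sentinels and digit structure no longer exist in the ciphertext; that is
why scrapers read the terminal's memory before encryption rather than the
link to the back end.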

The PoS payment networks have tentacles spread across the globe, and
they’re among the weaker pieces of the security puzzle right now. There are
any number of manufacturers who make the terminals and software and the
security practices in the payment industry are all over the map. Some
companies use strong encryption, others use older, weaker algorithms. Some
customers use endpoint security and many others don’t. Meanwhile, attackers
are having their way with all of it and consumers are none the wiser.

And it’s not just the PoS terminals themselves that are under siege. Last
week at the Black Hat security conference in Las Vegas, a pair of
researchers demonstrated a number of attacks that allowed them to bypass
the security of EMV cards and grab card data directly from PIN pad devices.
Many of those devices have no authentication at all, and an attacker can
use a variety of active or passive man-in-the-middle attacks to insert
their own files onto the devices, inject forms to capture PINs, and
ultimately defeat the added security afforded by EMV chip cards.

It’s not a pretty picture right now, and it won’t get any better until the
manufacturers and users of these payments systems accept the reality that
their gear is squarely in the crosshairs of the attacker community.