Verifone hacked


The list of companies that have been hit with data breaches is seemingly endless. In January, the payment heavyweight Verifone was hit by a breach. The San Jose, California-based company is the largest maker of POS terminals in the US.

Verifone claims that the breach occurred only on its internal network and that no payment data was stolen (that data was on a separate network). Employees were ordered to change their passwords within 24 hours, and Verifone also set a policy that employees would no longer be able to install software on their computers.

While Verifone’s response was swift once it learned of the breach, it is possible that the breach originally occurred sometime in mid-2016. It is believed that this is similar to a breach at Oracle that targeted their payment processing software. Malware was installed that siphoned off usernames and passwords for accounts using their system. It is believed a small number of service stations were victims in this most recent breach. Service stations are the easiest potential targets because they have been given the longest amount of time to make the changeover to the new EMV systems. Originally they were facing an October 2017 deadline for a shift in liability, but that has been pushed back for three more years.

The aim of the criminals was to access the network to gain usernames and passwords from the customers. This would allow the criminals to get hold of the terminal’s information and create a backdoor for themselves, which they could then use to steal customer information. Either way, and if true, six months is a long time for someone to be snooping around an industry giant’s network without being caught.

Verifone believes it caught the intrusion in time. There is some question about whether they caught it themselves or were alerted to it by a third party like Visa or MasterCard. Considering the response, the intrusion may have come from software installed on an employee’s computer, which could have made this breach much worse.

Use this as a lesson. Install only software that is necessary on work computers. Employees may like to customize their computers, or may be more familiar with a different web browser or something like that, but as Verifone found out, this can only lead to problems. It may be a good idea to allow a set of trusted programs or apps, so that users can have some customization and feel more comfortable, and to block everything else. These computers access your network and potentially everything else on it, from client lists to tax information, and any flaw can potentially let in someone who should not be there. Do not make it worse by leaving the door unlocked for thieves.