March 8, 2017
By Kevin Woodward
VeriFone Systems Inc. acknowledged that hackers targeted two dozen convenience stores in an attempt to get at sensitive payment data by infiltrating the point-of-sale terminal maker’s corporate network in January.
The confirmation follows a report Tuesday on KrebsOnSecurity.com that disclosed the attack. The site, which specializes in information-technology threats and attacks, reported evidence suggesting a Russian hacking group “known for targeting payment providers and hospitality firms had compromised at least a portion of Verifone’s internal network.”
In a statement emailed to Digital Transactions News, San Jose, Calif.-based VeriFone called the incident a “very limited cyber intrusion” that was confined to the 24 convenience stores over a short time. “No other merchants were targeted and the integrity of our payment networks and Verifone’s payment terminals remained secure and fully operational,” VeriFone said.
VeriFone said its information security staff discovered the intrusion and instituted additional security controls, which included requiring password changes and limiting software installations on company computers, KrebsOnSecurity.com reported.
Concurrent with the discovery of the breach, VeriFone notified the card brands. “It is also worth noting that there have been no adverse events or misuse of any data resulting from this incident,” the company said in its statement. “Verifone, partner agencies, and law enforcement remain vigilant and will continue to monitor for this.”
While the hackers weren’t able to wreak widespread havoc, according to VeriFone, their misdeeds are not to be dismissed, experts say.
“Breaches will remain a permanent part of our 21st century existence and hackers will maintain an advantage,” said John Gunn, chief marketing officer at Vasco Data Security N.V., an Oakbrook Terrace, Ill.-based security and authentication company, in a statement. “They constantly probe for weaknesses in access controls, authentication methods, and other areas so that they can launch focused attacks using all of their means against specific weaknesses while the good guys are forced to spread their resources across a seemingly limitless number of potential vulnerabilities."
Indeed, in the infamous breach of Target Corp., criminals were able to access the retailer’s POS system after they stole the system’s credentials Target provided a heating-ventilation-air conditioning contractor.
VeriFone is the latest in a long string of payments companies suffering a breach, and likely won’t be the last.
“While it’s hard to know exactly the extent of the breach, it appears that Verifone reacted quickly to change passwords and tighten laptop security controls,” noted Willy Leichter, vice president of marketing at CipherCloud, a San Jose, Calif.-based cloud security provider, in a statement on the incident. “Most security experts agree: it’s not if you get hacked, but when. What’s critical is that businesses have adaptive security technology and organizational controls in place to contain and limit the damage of any intrusion, and hopefully prevent data loss."
SPECIAL FEATURERead Digital Transactions Online