It’s a retailer’s worst nightmare: Your point-of-sale (POS) terminals get hacked, compromising customer information and potentially shutting down your business. Despite the consequences, this scenario has played out with disturbing frequency lately.
Avanti Markets, which provides kiosks for vending machines in companies’ break rooms, is the latest company to suffer this fate. The Avanti breach comes on the heels of several similar high-profile POS cyberattacks earlier this spring.
The cyberattacks point to a continued vulnerability for retailers, as the hacks can not only damage a company’s reputation but potentially lead to identity theft for customers. Avanti’s case is particularly notable because customers’ biometric information might be at risk, since its kiosks allow users to pay via cash, credit cards or fingerprint scans.
Retailers need to assess their risks, encrypt data and adopt more secure technologies to prevent (or at least mitigate) any potential POS breaches.
Avanti President John Reilly said in a statement that on July 4, the company “discovered a sophisticated malware attack which affected kiosks” in some of its locations. The company claims 1.6 million users.
“Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks,” Reilly said. “Because not all of our kiosks are configured or used the same way, personal information on some kiosks may have been adversely affected, while other kiosks may not have been affected.”
The malware that hit Avanti was “designed to gather certain payment card information including the cardholder’s first and last name, credit/debit card number and expiration date,” Reilly said. Additionally, users of the company’s “Market Card option” may have had their names and email addresses compromised, “as well as their biometric information if they used the kiosk’s biometric verification functionality.” That refers to the fingerprint scanner.
According to security firm Risk Analytics, the malware is likely the PoSeidon or FindPOS malware, which Infosecurity Magazine notes has been circulating since 2015. “The presence of the PoSeidon/FindPOS SSL certificate is enough of an indicator that we’re comfortable using it to identify and block,” command and control operations, the firm said.
The breach comes several weeks after apparel retailer The Buckle reported a POS malware attack. And that breach came on the heels of another attack that hit Chipotle Mexican Grill, which affected “most” of the company’s locations nationwide earlier this spring.
Security analyst Brian Krebs notes on his blog that credit card machines and POS devices “are favorite targets of malicious hackers, mainly because the data stolen from those systems is very easy to monetize.”
Despite that, he says, the POS industry “has a fairly atrocious record of building insecure products and trying to tack on security only after the products have already gone to market.” That makes it “remarkable” that any POS terminal is collecting biometric data, Krebs says, adding that “any device that requests, stores or transmits biometric data should at a minimum ensure that the data remains strongly encrypted both at rest and in transit.”
How can retailers keep their POS terminals and customer data safe? Krebs says that breaches like the Avanti one “illustrate why it’s critically important for organizations to segment their internal networks, and to keep payment systems completely isolated from the rest of the network.”
A Payment Week article also highlights key steps retailers can take. In addition to conducting risk assessments and updating anti-malware and other cybersecurity solutions regularly, the article notes that “data should be encrypted before it enters” a POS system “using an external payment device, through hardware encryption.” In that case, the POS system “does not process or store — even in memory —‘clear text’ credit card information; it only sees encrypted data that cannot be compromised.”
Meanwhile, the article adds, retailers should adopt EMV (“chip card”) technology to prevent hackers from using credit card information to create fraudulent cards. And tokenization technology can offer “an additional layer of security that enables retailers to conduct routine payment operations, such as processing sales or refunds, without the risk of storing credit card information on their networks.”
Security firm Trustwave adds in a blog post that solutions “such as web security gateways, data loss prevention, firewalls, intrusion prevention systems and endpoint protection can help identify attacks and close off ingress and egress points that can be misused.” Such solutions can allow retailers to “identify malware in real time, scan outgoing web traffic, block attacks, restrict access and ensure only explicitly permitted ports and services are communicating with your network.”