Paid in Full: Why the MICROS Data Breach Could be More than Meets the Eye
Data breaches come in all shapes and sizes. Some, like the attacks on Target and Home Depot, are big, public, and expensive. Others can be small and quiet, but no less expensive in the long run.
This week brought news of a smaller breach at MICROS, a maker of point-of-sale systems now owned by Oracle, involving the compromise of a customer portal. The attack appears to have affected only about 700 customers, but that’s just the surface damage. MICROS is one of the top makers of PoS systems in the world and has more than 300,000 customers worldwide, most in the hotel and restaurant industries. When engineers at Oracle discovered malicious code in what the company called legacy systems, it notified customers last month and then forced password resets for the portal that reportedly was compromised.
Going after PoS systems themselves is nothing new. The last couple of years have seen several major attacks that involved PoS compromises, including the Target data breach. That incident involved the use of memory scraping malware that was placed on PoS terminals in a number of stores around the United States and resulted in one of the larger breaches in history, both in terms of customers affected and economic damage to the company itself. There are many known strains of malware that target PoS systems specifically, and although the breach at MICROS apparently didn’t involve any access to PoS systems themselves, it’s another link in the chain of these operations.
Attackers covet PoS systems for a number of reasons. First, they’re lightly defended, if they’re defended at all. Many PoS terminals have no endpoint security software on them, and where they do, it can be bypassed by the functionality built into many kinds of PoS malware. Second, those terminals are where the money is. The volume of card data that passes through a terminal at even a small restaurant or hotel on a given day can be hugely valuable to an attacker. Even though many systems encrypt data as it’s sent from the terminal to the back end, that encryption only protects the data in transit: memory scraping malware can, in some cases, grab the card data from the terminal’s memory before it’s encrypted.
The PoS payment networks have tentacles spread across the globe, and they’re among the weaker pieces of the security puzzle right now. Any number of manufacturers make the terminals and software, and security practices in the payment industry are all over the map. Some companies use strong encryption; others use older, weaker algorithms. Some customers use endpoint security, and many others don’t. Meanwhile, attackers are having their way with all of it, and consumers are none the wiser.
And it’s not just the PoS terminals themselves that are under siege. Last week at the Black Hat security conference in Las Vegas, a pair of researchers demonstrated a number of attacks that allowed them to bypass the security of EMV cards and grab card data directly from pinpad devices. Many of those devices have no authentication on them at all, and an attacker can use a variety of active or passive man-in-the-middle attacks to insert their own files onto the devices, inject forms to grab PINs, and ultimately defeat the added security afforded by EMV chip cards.
It’s not a pretty picture right now, and it won’t get any better until the manufacturers and users of these payment systems accept the reality that their gear is squarely in the crosshairs of the attacker community.