POS Breach Spans 2 YearsExperts: Duration Points to Significant Security Gaps
But now a new payment card breach, this time striking a company that supplies vending machines and games to entertainment venues, has reignited concerns about POS system security.
Wisconsin-based Vacationland Vendors recently posted an alert on its website, warning consumers that a POS breach at one of the venues it serves likely exposed credit and debit card details. The breach at Wilderness Resorts in Wisconsin and Tennessee could have exposed card details related to transaction made between Dec. 12, 2008 and May 25, 2011. Vacationland did not say when the breach was discovered, the number of cards suspected exposed, or if the breach affected only vending transactions.
"Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts," the statement reads. "Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort. Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker."
One estimate suggests 40,000 cardholders could be affected.
A Long TimeJohn Buzzard, who tracks card transaction anomalies for FICO's Card Alert Service, says it's too early to know how many cards truly were exposed, how many have been hit with fraudulent transactions and whether the breach at Wilderness Resorts is linked to any other entertainment-park or merchant POS attacks. What is telling, however, is the duration of the compromise.
"The window of exposure is Dec. 12, 2008, through May 25, 2011," he says. "That's a long time for malware or some other method to continually compromise a merchant without being detected," suggesting some other type attack likely led to the breach.
George Tubin, a banking and payments fraud analyst, says the hack is likely connected to a POS skimming attack, which could be similar to the scheme that hit Michaels stores or that could have been aimed only at Vacationland vending machines. A physical attack would explain how the exposure spanned a two-and-a-half year period without being detected.
"Hacking into these systems is easy," Tubin says. "If someone has complete access, it's fairly easy to put a card-skimming device in that looks like it's integrated into the POS system. With a little more effort, they can also capture PINs if they're used. So, it's not necessary to hack into the network when they can get the information with brute force. Vendors have developed tamper proof readers, so that any attempt to alter them is caught."
The same method of POS device swapping was used more than year ago against Hancock Fabrics, which led to card fraud that affected more than 140 customers in three states.
Most industry experts, however, say POS swapping schemes are rare. It's risky for fraudsters to physically switch or swap POS devices, especially when the devices are located at manned checkout lanes, as was the case in the incidents that hit Michaels and Hancock.
In the Wilderness Resorts breach, McAfee Consultant Robert Siciliano suggests the breach more likely was linked to unmanned, self-service terminals that could have been physically attacked, but were probably remotely hacked.
"In this situation, it doesn't seem like it was a hardware breach, like Michaels, but more of a software breach," he says. "Many of these kiosk-based systems still rely on WindowsXP. We know XP is fraught with vulnerabilities that, if not patched, make it a big target. Most kiosks, including many ATMs, have remote access technologies allowing for service. These systems are live, connected to the Internet, and have a port accessible online for service. Bad guys scan these known channels and perform brute-force attacks. Anytime you meld remote access and WindowsXP, you are vulnerable."
In August 2010, during a Black Hat convention in Las Vegas, ethical hacker Barnaby Jack, formerly of Juniper Networks, demonstrated how easily a hacker could infect an ATM without physical contact. During the event, Jack attacked two common retail ATM models with malware, giving him control to collect card details and manipulate the machines to spit out cash on cue. Jack bypassed the remote authentication system using a homemade rootkit that attacked one of the ATM's Windows operating system, giving him undetected system-administrative privileges.
Siciliano says the industry is aware of the vulnerabilities unattended self-service payment terminals pose, and is working to address those security gaps with centralized monitoring. "Over the next year there will be more cloud-based kiosks and ATMs that will allow for central monitoring and security," he says. "These devices will lack many of the internal physical components that the current ones have," ultimately making them more secure.