Verifone security breach may have compromised retail payments systems

Company admits security breach, but claims that "cyber intrusion" was only "limited"

Verifone, the retail systems vendor that claims to be the largest supplier of chip-and-pin credit and debit card terminals in the UK and the US, is investigating a serious security breach of its internal networks that could have affected customers running its point-of-sale terminals.

The attack has echoes of the August 2016 breach of Oracle MICROS, the retail systems arm of the software giant, which Oracle only acquired in 2014. When that breach was uncovered, the company divulged little information and played down the extent of the breach, suggesting that it was limited to its corporate network.

News of the Verifone breach was broken by security blogger Brian Krebs, who published an internal company email from 23 January giving all staff and contractors 24 hours to change their passwords.

"We are currently investigating an IT control matter in the Verifone environment," reads an email memo from Verifone CIO Steve Horan. "As a precaution, we are taking immediate steps to improve our controls."

At the same time, the company also barred staff from installing software "of any kind" on their corporate PCs and laptops.

"In January 2017, Verifone's information security team saw evidence of a limited cyber intrusion into our corporate network," Verifone spokesman Andy Payment admitted to Krebs.

He continued: "Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited."

Just as in the Oracle MICROS hack, the company refused to reveal much substantive information about the security breach.

However, Krebs suggested that it came in response to a notification the company had received from credit card organisations Visa and Mastercard. Krebs' source at Verifone suggested that, contrary to the company's suggestions, the breach had the potential to affect Verifone payments systems operated by customers.

"The intrusion impacted at least one corner of Verifone's business: A customer support unit based in Clearwater, Florida that provides comprehensive payment solutions specifically to gas and petrol stations throughout the US — including, pay-at-the-pump credit card processing; physical cash registers inside the fuel station store; customer loyalty programs; and remote technical support," wrote Krebs.

He added: "The source said his employer shared with the card brands evidence that a Russian hacking group known for targeting payment providers and hospitality firms had compromised at least a portion of Verifone's internal network."

Worse still, Krebs' information suggests that the hackers had been inside Verifone's systems for some time.

"Visa and MasterCard were notified that the intruders appeared to have been inside of Verifone's network since mid-2016. The source noted there is ample evidence the attackers used some of the same toolsets and infrastructure as the cybercrime gang that last year is thought to have hacked into Oracle's MICROS division," added Krebs.

The similarity with the Oracle MICROS attacks points in the direction of the well-known Russian cyber-crime gang called Carbanak. While Oracle did not release much public information about the attack either, it indicated that some source code had been compromised as a result.

After Krebs went public with the Verifone story, the company admitted that "two dozen gas stations" had been targeted "over a short time frame", but that the extent of the compromise was not widespread.