The Green Sheet

Friday, March 10, 2017

Petro retailers 'low-hanging fruit' in Verifone intrusion

Global technology giant Verifone Systems Inc. confirmed reports of an illegal entry into its corporate intranet. The intrusion, detected in January 2017, may have affected about 24 gas station convenience stores, the company stated. Security analyst Brian Krebs disclosed the incident March 7, 2017, in a blog post on KrebsOnSecurity.com. The story was immediately picked up by other news outlets, including Fortune, Reuters and Business Insider.

Krebs believes a phishing email may have precipitated the attack. When the company's IT department detected the intrusion in January, it limited end-user capabilities on desktops and laptops and directed employees to change their company passwords. Verifone employees were also permanently banned from downloading and installing software, Krebs noted.

Pay-at-the-pump vulnerabilities

Krebs also observed U.S. pay-at-the-pump retailers will be among the last to migrate from magnetic stripe readers to more secure EMV (Europay, Mastercard and Visa) technology. In December 2016, Mastercard and Visa agreed to extend the liability shift deadline from Oct. 1, 2017, to Oct. 1, 2020, due to the great expense and complexity of the requisite system-wide upgrades.

The extension makes the segment "low-hanging fruit" for fraudsters, Krebs stated. "Now that [pay-at-the-pump retailers] have another three years to get it done, thieves will continue to attack fuel station dispensers and other unattended terminals with skimmers and by attacking point-of-sale terminal hardware makers, integrators and resellers," he wrote.

Verifone strengthens network

Thirty-five-year-old Verifone has approximately 30 million devices deployed across 150 countries. "Verifone is aware of several news reports issued today discussing a cyber incident that occurred approximately two months ago," Verifone spokesman Andy Payment said in a March 7 statement. "We are providing information to help address questions that may arise as a result of these stories."

Additionally, Payment iterated five key points:

  1. The incident has been contained: Verifone security experts are working with third-party forensic teams in an ongoing investigation. Initial discoveries suggest the cyber attempt was limited to approximately two dozen convenience stores over a short time period. "No other merchants were targeted and the integrity of our payment networks and Verifone's payment terminals remained secure and fully operational," Payment stated.

  2. The attack was limited in scope: Security analysts notified Visa, Mastercard and other card schemes in January 2017, when they first identified signs of a limited cyber intrusion in Verifone's corporate network.

  3. Verifone has strengthened security: Verifone immediately implemented additional security controls across its corporate networks, in concert with its partners, and began work to determine the type of information that may have been targeted.

  4. No immediate effects have been reported: "It is also worth noting that there have been no adverse events or misuse of any data resulting from this incident," Payment stated. "Verifone, partner agencies, and law enforcement remain vigilant and will continue to monitor for this."

  5. Verifone maintains a positive outlook: Payment additionally noted that Verifone's immediate and coordinated response with partners and agencies limits the potential misuse of information.

BeyondCorp, beyond firewalls

Recent attacks against government and private infrastructure, combined with increasingly virtual workplaces, reflect the need for enhanced protections and managed permission levels to mitigate risk and protect business owners and consumers. Growing adoption of cloud and mobile technologies inspired Google to launch BeyondCorp, a security initiative designed to go beyond the firewalls and perimeters of corporate networks by protecting employees, contractors and vendors wherever they happen to be working.

Heather Adkins, Director of Information Security, and Rory Ward, Site Reliability Engineering Manager at Google, shared insights and lessons learned at the 2017 RSA Conference. They designed BeyondCorp's framework around users, devices and levels of trust and access. This enabled them to track users and devices throughout their lifecycles at the company, while assigning appropriate levels of trust and access. For example, a desktop computer could be fully trusted, while a tablet is half-trusted and a phone is an untrusted or low-trust device, Adkins said.

Migrating tens of thousands of Googlers and vendors was almost as difficult as inventing the technology, Ward added. The company built a migration pipeline and looked at all the data, directing qualified data to the new network and leaving disqualified data on the old network. Then Google's team would identify the most egregious use cases, fix them and do it again, Adkins said.

After implementing the program, Adkins and Ward offered the following advice: have zero trust in your network, base all access decisions on what you know about users and devices, and migrate carefully and try to avoid "breaking" existing users.

"BeyondCorp isn't a product, project, or company – it's a set of guiding principles that spans the people, process, and technology within an organization," Google stated on the BeyondCorp website. "You don't have to be Google, or operate at Google scale, to benefit from the patterns behind BeyondCorp – you just have to be willing to move past legacy thinking."
