Friday, July 14, 2017
Avanti representatives said kiosks do not store personally identifiable information (PII) and do not have universal configurations, which makes them less susceptible to wide-scale attacks. Customers who paid by credit card at infected kiosks during the malware's 72-hour window may have exposed card credentials; those who paid by "Market Card" may have exposed names and email addresses, company representatives noted. However, they confirmed that biometric data was protected by end-to-end encryption used in all Avanti fingerprint readers.
Jonathan Sander, Chief Technology Officer at STEALTHbits Technologies, said POS systems are not a big area of focus for many security professionals. "The POS systems are often brought in from the outside, used by contract or part-time employees, and even connected to networks that aren't fully IT managed," he said. "They live in a gray zone that makes them both hard to manage and easy to target."
Companies must act swiftly to update aging POS infrastructure, added Ido Wulkan, Intelligence Team Lead, IntSights Cyber Intelligence Ltd. Wulkan said criminals used similar attack vectors against Avanti and other major chains, such as Intercontinental Hotels in 2016. "This type of malware infects [POS] machines, collects the credit card data and transfers it to a remote server," he stated. "POS devices are known to operate on old and under-maintained systems, which makes them more susceptible and vulnerable to malware."
Wulkan also observed the Avanti threat actor used the same SSL certificate as the group behind the PoSeidon and Chanitor POS malware attacks. "This group tends to re-use its C&C infrastructure in different campaigns, and its servers are hosted in Eastern Europe, which might indicate that it is of Eastern-European origin," he stated. "The group utilized Microsoft Office Macro Vulnerabilities and phishing emails as attack vectors for its previous campaigns, which means these methods might also have been used for this campaign to some extent." Failing to protect external-facing computers can leave them open to unauthorized entrants who can infiltrate an organization's network and utilize vulnerabilities to attack POS systems, Wulkan said. He recommended the following tactics to mitigate POS threats:
Gilad Peleg, Chief Executive Officer of SecBI, sees a tough road ahead for forensic investigators as they sift through millions of log files to identify the machines that communicated with outside IP addresses and correlate these incidents over the time span of the breach. "Regardless of which incident response firm they have called to their aid, this task could take weeks and they should really consider using [artificial intelligence (AI) and machine learning algorithms] to reduce this time, deliver conclusive results and no false-positive alerts," he stated. SecBI's Autonomous Investigation technique uses AI and multiple layers of machine learning to mimic an expert cyber security analyst at machine speed investigating and hunting through billions of logs to detect the full scope of malicious incidents, Peleg noted. "As an example, we use unsupervised machine learning and cluster analysis to piece together seemingly benign events into suspicious incidents (clusters) that go undetected by other systems."
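The triage task Peleg describes, finding which kiosks talked to outside addresses during the breach window and correlating them, can be scripted without a vendor platform. The following is an added example written for this article; it is not code from Avanti, SecBI, IntSights or any other party named here. It assumes constructed firewall log lines of the form "<time> src=<ip> dst=<ip> dport=<port> bytes=<n>", a hypothetical allowlist holding the payment processor the kiosks are expected to reach, and the 72-hour window the article mentions. It reports each external destination with the kiosks that contacted it, first and last seen times and bytes sent, then pivots on destinations shared by several kiosks, which is the pattern a C&C server leaves behind.

```python
"""Outbound-connection triage for POS hosts during a breach window.

Added example, not from the article or any company it quotes. Log format,
addresses and the allowlist below are all assumptions for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Kiosks live in 10.20.1.0/24;
# 198.51.100.7 plays the suspected C&C server, 203.0.113.10 the processor.
SAMPLE_LOGS = """\
2017-07-02T09:12:01Z src=10.20.1.15 dst=203.0.113.10 dport=443 bytes=1200
2017-07-02T09:12:04Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=51200
2017-07-02T09:30:00Z src=10.20.1.16 dst=10.20.0.5 dport=445 bytes=800
2017-07-02T21:12:05Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=49800
2017-07-03T09:12:09Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=50100
2017-07-03T10:00:00Z src=10.20.1.22 dst=198.51.100.7 dport=443 bytes=47000
2017-07-03T11:00:00Z src=10.20.1.30 dst=203.0.113.10 dport=443 bytes=900
2017-07-06T12:00:00Z src=10.20.1.31 dst=198.51.100.7 dport=443 bytes=48000
"""

# Hypothetical allowlist: the only external host a kiosk should ever reach.
ALLOWED_DST = {"203.0.113.10"}

# RFC 1918 ranges checked explicitly; ipaddress.is_private would also treat the
# documentation ranges used in the sample as private, which is not what we want.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_line(line):
    """Turn one constructed log line into a dict of typed fields."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": _parse_ts(ts), "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "bytes": int(fields["bytes"])}

def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def suspicious_destinations(log_text, window_start_iso, window_hours=72):
    """Return {dst: {src: (first_seen, last_seen, total_bytes)}} for external,
    non-allowlisted destinations contacted inside the breach window."""
    start = _parse_ts(window_start_iso)
    end = start + timedelta(hours=window_hours)
    report = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not (start <= ev["ts"] < end):
            continue                      # outside the window being investigated
        if is_internal(ev["dst"]) or ev["dst"] in ALLOWED_DST:
            continue                      # lateral or expected traffic, not exfil
        first, last, total = report[ev["dst"]].get(ev["src"], (ev["ts"], ev["ts"], 0))
        report[ev["dst"]][ev["src"]] = (min(first, ev["ts"]), max(last, ev["ts"]), total + ev["bytes"])
    return dict(report)

def shared_destinations(report, min_hosts=2):
    """Pivot: a destination reached by several kiosks is the strongest C&C
    candidate. Returns {dst: sorted list of kiosk IPs} for such destinations."""
    return {dst: sorted(srcs) for dst, srcs in report.items() if len(srcs) >= min_hosts}

if __name__ == "__main__":
    rep = suspicious_destinations(SAMPLE_LOGS, "2017-07-02T00:00:00Z")
    for dst, srcs in rep.items():
        for src, (first, last, total) in sorted(srcs.items()):
            print(f"{dst} <- {src}: first {first:%Y-%m-%d %H:%M}, "
                  f"last {last:%Y-%m-%d %H:%M}, {total} bytes out")
    print("destinations shared by several kiosks:", shared_destinations(rep))
```

On the constructed sample the script discards the processor traffic, the SMB connection to an internal host and the event after the window, and flags 198.51.100.7 as contacted by two kiosks, with the per-kiosk byte counts and dwell time an investigator would want before pulling those machines for imaging. Raising `min_hosts` or adding destinations to the allowlist is how the analyst trades false positives against coverage; the allowlist itself should come from the asset inventory rather than from the logs under investigation.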
Lisa Baergen, Marketing Director at NuData Security, a Mastercard company, said the Avanti breach is a reminder of the need for organizations to rethink how they protect and verify user identities in the digital world. "Using a multilayered approach of integrating device intelligence, active and passive biometric analysis, and behavioral analytics is the key to truly understanding the user behind the device – which will effectively devalue the stolen identity data to any other person or entity," she added.