The Green Sheet Online Edition

March 27, 2017  •  Issue 17:03:02

Petro retailers 'low-hanging fruit' in Verifone intrusion

Global technology giant Verifone Systems Inc. confirmed reports of an illegal entry into its corporate intranet. The intrusion, detected in January 2017, may have affected about 24 gas station convenience stores, the company stated. Security analyst Brian Krebs disclosed the incident March 7, 2017, in a blog post. The story was immediately picked up by other news outlets, including Fortune, Reuters and Business Insider.

Krebs believes a phishing email may have precipitated the attack. When the company's IT department detected the intrusion in January, it limited end-user capabilities on desktops and laptops and directed employees to change their company passwords. Verifone employees were also permanently banned from downloading and installing software, Krebs noted.

Addressing the issues

Krebs also observed U.S. pay-at-the-pump retailers will be among the last to migrate from magnetic stripe readers to more secure EMV (Europay, Mastercard and Visa) technology. In December 2016, Mastercard and Visa agreed to extend the liability shift deadline from Oct. 1, 2017, to Oct. 1, 2020, due to the great expense and complexity of the requisite system-wide upgrades.

The extension makes the segment "low-hanging fruit" for fraudsters, Krebs stated. "Now that [pay-at-the-pump retailers] have another three years to get it done, thieves will continue to attack fuel station dispensers and other unattended terminals with skimmers and by attacking point-of-sale terminal hardware makers, integrators and resellers," he wrote.

Thirty-five-year-old Verifone has approximately 30 million devices deployed across 150 countries. "Verifone is aware of several news reports issued today discussing a cyber incident that occurred approximately two months ago," Verifone spokesman Andy Payment said in a March 7 statement. "We are providing information to help address questions that may arise as a result of these stories."

Additionally, Payment stated that the incident has been contained, the attack was limited in scope, Verifone has strengthened its security, no immediate effects of the attack have been reported and Verifone maintains a positive outlook.

Beyond firewalls

Recent attacks against government and private infrastructure, combined with increasingly virtual workplaces, reflect the need for enhanced protections and managed permission levels to mitigate risk and protect business owners and consumers. Growing adoption of cloud and mobile technologies inspired Google to launch BeyondCorp, a security initiative designed to go beyond the firewalls and perimeters of corporate networks by protecting employees, contractors and vendors wherever they happen to be working.

Heather Adkins, Director of Information Security and Privacy, and Rory Ward, Site Reliability Engineering Manager at Google, shared insights and lessons learned at the 2017 RSA Conference. They designed BeyondCorp's framework around users, devices and levels of trust and access. This enabled them to track users and devices throughout their lifecycles at the company, while assigning appropriate levels of trust and access. For example, a desktop computer could be fully trusted, while a tablet is half-trusted and a phone is an untrusted or low-trust device, Adkins said.

Migrating tens of thousands of Googlers and vendors was almost as difficult as inventing the technology, Ward added. The company built a migration pipeline and looked at all the data, directing qualified data to the new network and leaving disqualified data on the old network. Then Google's team would identify the most egregious use cases, fix them and do it again, Adkins said.

After implementing the program, Adkins and Ward offered the following advice: have zero trust in your network, base all access decisions on what you know about users and devices, and migrate carefully and try to avoid "breaking" existing users.
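The three pieces of advice above can be sketched as an access check that never consults the network location, plus a dry run that reports what a new policy would break before it is enforced. This is an added example, not Google's code or material from the talk; the tier names follow the desktop, tablet and phone illustration, and the inventory, groups, resources and function names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Trust(IntEnum):  # tiers from the talk's example: phone < tablet < desktop
    LOW = 0
    HALF = 1
    FULL = 2

# Constructed sample data (assumptions for this example only).
INVENTORY = {  # device id -> (assigned user, trust tier)
    "desk-0042": ("alice", Trust.FULL),
    "tab-0007": ("alice", Trust.HALF),
    "phone-0311": ("bob", Trust.LOW),
}
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
POLICY = {  # resource -> (minimum device tier, groups allowed)
    "payroll": (Trust.FULL, {"finance"}),
    "wiki": (Trust.HALF, {"finance", "engineering"}),
    "cafeteria-menu": (Trust.LOW, {"finance", "engineering"}),
}

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    source_ip: str  # kept for logging only; decide() never reads it

def decide(req):
    """Return (allowed, reason) using only what is known about user and device."""
    if req.resource not in POLICY:
        return False, "unknown resource"
    min_tier, allowed_groups = POLICY[req.resource]
    # A device missing from the inventory has no owner and the lowest tier.
    owner, tier = INVENTORY.get(req.device_id, (None, Trust.LOW))
    if owner != req.user:
        return False, "device not assigned to user"
    if not GROUPS.get(req.user, set()) & allowed_groups:
        return False, "user not in an allowed group"
    if tier < min_tier:
        return False, f"device tier {tier.name} below {min_tier.name}"
    return True, "ok"

def dry_run(requests):
    """Migration aid: list requests the policy would deny, without blocking any."""
    return [(r, why) for r in requests for ok, why in [decide(r)] if not ok]
```

Running `dry_run` over a sample of observed requests before enforcement shows which existing users would be "broken", so the worst cases can be fixed first.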

"BeyondCorp isn't a product, project, or company – it's a set of guiding principles that spans the people, process, and technology within an organization," Google stated on the BeyondCorp website. "You don't have to be Google, or operate at Google scale, to benefit from the patterns behind BeyondCorp – you just have to be willing to move past legacy thinking."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
