The Green Sheet Online Edition
March 27, 2017 • Issue 17:03:02
Petro retailers 'low-hanging fruit' in Verifone intrusion
Global technology giant Verifone Systems Inc. confirmed reports of an illegal entry into its corporate intranet. The intrusion, detected in January 2017, may have affected about 24 gas station convenience stores, the company stated. Security analyst Brian Krebs disclosed the incident March 7, 2017, in a blog post on KrebsOnSecurity.com. The story was immediately picked up by other news outlets, including Fortune, Reuters and Business Insider.
Krebs believes a phishing email may have precipitated the attack. When the company's IT department detected the intrusion in January, it limited end-user capabilities on desktops and laptops and directed employees to change their company passwords. Verifone employees were also permanently banned from downloading and installing software, Krebs noted.
Addressing the issues
Krebs also observed U.S. pay-at-the-pump retailers will be among the last to migrate from magnetic stripe readers to more secure EMV (Europay, Mastercard and Visa) technology. In December 2016, Mastercard and Visa agreed to extend the liability shift deadline from Oct. 1, 2017, to Oct. 1, 2020, due to the great expense and complexity of the requisite system-wide upgrades.
The extension makes the segment "low-hanging fruit" for fraudsters, Krebs stated. "Now that [pay-at-the-pump retailers] have another three years to get it done, thieves will continue to attack fuel station dispensers and other unattended terminals with skimmers and by attacking point-of-sale terminal hardware makers, integrators and resellers," he wrote.
Thirty-five-year-old Verifone has approximately 30 million devices deployed across 150 countries. "Verifone is aware of several news reports issued today discussing a cyber incident that occurred approximately two months ago," Verifone spokesman Andy Payment said in a March 7 statement. "We are providing information to help address questions that may arise as a result of these stories."
Additionally, Payment stated that the incident has been contained, the attack was limited in scope, Verifone has strengthened its security, no immediate effects of the attack have been reported and Verifone maintains a positive outlook.
Recent attacks against government and private infrastructure, combined with increasingly virtual workplaces, reflect the need for enhanced protections and managed permission levels to mitigate risk and protect business owners and consumers. Growing adoption of cloud and mobile technologies inspired Google to launch BeyondCorp, a security initiative designed to go beyond the firewalls and perimeters of corporate networks by protecting employees, contractors and vendors wherever they happen to be working.
Heather Adkins, Director of Information Security and Privacy, and Rory Ward, Site Reliability Engineering Manager at Google, shared insights and lessons learned at the 2017 RSA Conference. They designed BeyondCorp's framework around users, devices and levels of trust and access. This enabled them to track users and devices throughout their lifecycles at the company, while assigning appropriate levels of trust and access. For example, a desktop computer could be fully trusted, while a tablet is half-trusted and a phone is an untrusted or low-trust device, Adkins said.
Migrating tens of thousands of Googlers and vendors was almost as difficult as inventing the technology, Ward added. The company built a migration pipeline and looked at all the data, directing qualified data to the new network and leaving disqualified data on the old network. Then Google's team would identify the most egregious use cases, fix them and do it again, Adkins said.
After implementing the program, Adkins and Ward offered the following advice: have zero trust in your network, base all access decisions on what you know about users and devices, and migrate carefully and try to avoid "breaking" existing users.
"BeyondCorp isn't a product, project, or company – it's a set of guiding principles that spans the people, process, and technology within an organization," Google stated on the BeyondCorp website. "You don't have to be Google, or operate at Google scale, to benefit from the patterns behind BeyondCorp – you just have to be willing to move past legacy thinking."