A day after reports surfaced that payments company Verifone was probing a potential breach of its internal systems and attempted attacks on some affiliated point-of-sale (POS) systems, the company has soft-pedaled the incident, saying in a statement published by The Register that the attempt “was limited to approximately two dozen U.S. gas station convenience stores and occurred over a short time period.”
The company contended that “no other merchants were targeted and the integrity of our payment networks and Verifone’s payment terminals remained secure and fully operational.”
Verifone security pros, the statement said, “identified evidence of this very limited cyber intrusion into our corporate network in January 2017, and we proactively notified Visa, MasterCard and other card schemes.”
That tracks with a report from Brian Krebs, who first broke the story, that company Senior Vice President and CIO Steve Hornan sent a message to staff as well as contractors on Jan. 23 requesting they change their passwords within 24 hours and saying the company was “applying limitations to End User capabilities on desktops/laptops” that would “take away the end user’s ability to load any additional software on to the device.”
Joe Fantuzzi, CEO of RiskVision, said in comments emailed to SC Media that the breach “is clearly indicative of the escalating third-party risk related to POS systems that have plagued the retail sector as well as the ongoing risk” in segments of the financial services industry.
The breach seemed to take a familiar route. “The fact that Verifone asked employees and contractors to change their passwords and restricted their control over their desktops and laptops suggests that the attackers followed the usual path to gain access to critical systems such as payment terminals: exploit different vulnerabilities to take control over the devices and the accounts of people already inside the company,” said Péter Gyöngyösi, Blindspotter product manager at Balabit. “This once again underscores the importance of a multi-layer, defense-in-depth approach to security. Keeping endpoint devices completely secure, especially in a large enterprise, is an impossible task and organizations must prepare for situations where an attacker would gain access to internal accounts.”
The company drew praise for taking fast action. “While it’s hard to know exactly the extent of the breach, it appears that Verifone reacted quickly to change passwords and tighten laptop security controls. Most security experts agree: it’s not if you get hacked, but when,” Willy Leichter, vice president of marketing, CipherCloud, said in comments emailed to SC Media. “What’s critical is that businesses have adaptive security technology and organizational controls in place to contain and limit the damage of any intrusion, and hopefully prevent data loss.”
Verifone contended that its quick response mitigated potential damage from the breach. “We believe that our immediate response and coordination with partners and agencies has made the potential for misuse of information extremely limited,” the company statement said.
The Verifone breach also serves as a notice for organizations that the threat of attacks is frequent and persistent. “Breaches will remain a permanent part of our 21st century existence and hackers will maintain an advantage,” John Gunn, CMO, VASCO Data Security, said in emailed comments to SC Media. “They constantly probe for weaknesses in access controls, authentication methods, and other areas so that they can launch focused attacks using all of their means against specific weaknesses while the good guys are forced to spread their resources across a seemingly limitless number of potential vulnerabilities.”
And Fantuzzi warned against companies “underestimating the scope of risk that will likely hurt their risk posture” going forward. “Organizations that maintain that breaches are isolated incidents or are limited to certain areas of the network or time periods,” he said, “unfortunately are often unaware of the vast amount of vulnerabilities in their environment – including the criticality of those vulnerabilities or how they can individually impact the business.”