Brian Krebs reported that credit and debit card payments giant Verifone is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. IT security experts from Varonis, Imperva, VASCO, Balabit and CipherCloud commented below.
Brian Vecci, Technical Evangelist at Varonis:
“Unlike Target where a contractor’s credentials were used to compromise POS system, in this case the POS provider itself was compromised. With the prevalence of SaaS providers of all types replacing many in-house systems, organisations have to be more vigilant about what data they provide to their partners and how that data is secured.
“Much like the EU will mandate strict controls with GDPR for how EU citizen data needs to be treated, organisations should have clear policies for their vendors for how potentially sensitive information is treated once it’s in their hands. Every company needs their own GDPR-like policy for their own data. Vendors and other partners should be able to demonstrate security by design, regular risk assessments and effective detective and preventive controls on that data. The ones that do will have a clear competitive advantage now and especially in the future.”
Itsik Mantin, Director of Security Research at Imperva:
“Little information is available about the incident, but despite of Verifone clearing siren for the payment system remaining intact, there are many ways an infection can propagate from the enterprise network to the payment system.
“Whether or not it happened depends on many factors, one of the most important ones is how much time had passed from the breach to its discovery. From what we know, breaches remain undiscovered for weeks, months and sometimes even years when, during this period, attackers can collect sensitive data and record users credentials without interference. Then a single user that uses the same or similar password to access both the enterprise network and the payment system can be the bridge for the attacker to travel between the systems.
“With cyber criminals becoming more and more sophisticated and creative, they will continue finding their way in and we will continue hearing about breaches exposed. The challenge for organisations today is, even when losing some battles, keep winning the war. Security officers should operate under the assumption that the attackers are already inside their systems, looking for ways to deepen their grasp and crawling searching for business-critical data.”
John Gunn, CMO at VASCO Data Security:
“Breaches will remain a permanent part of our 21st century existence and hackers will maintain an advantage. They constantly probe for weaknesses in access controls, authentication methods, and other areas so that they can launch focused attacks using all of their means against specific weaknesses while the good guys are forced to spread their resources across a seemingly limitless number of potential vulnerabilities.”
Péter Gyöngyösi, Blindspotter Product Manager at Balabit:
“The fact that Verifone asked employees and contractors to change their passwords and restricted their control over their desktops and laptops suggests that the attackers followed the usual path to gain access to critical systems such as payment terminals: exploit different vulnerabilities to take control over the devices and the accounts of people already inside the company. This once again underscores the importance of a multi-layer, defense-in-depth approach to security. Keeping endpoint devices completely secure, especially in a large enterprise, is an impossible task and organizations must prepare for situations where an attacker would gain access to internal accounts. Fine-grained access control and detailed monitoring of activities – especially those related to critical systems – and advanced analytics such as behavior analysis can help security teams gain an edge over the attackers.”
Willy Leichter, VP of Marketing at CipherCloud:
“While it’s hard to know exactly the extend of the breach, it appears that Verifone reacted quickly to change passwords and tighten laptop security controls. Most security experts agree: it’s not if you get hacked, but when. What’s critical is that businesses have adaptive security technology and organizational controls in place to contain and limit the damage of any intrusion, and hopefully prevent data loss.”