Brian Krebs reported that credit and debit card payments giant Verifone is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. IT security experts from Varonis, Imperva, VASCO, Balabit and CipherCloudcommented below.
“Unlike Target where a contractor’s credentials were used to compromise POS system, in this case the POS provider itself was compromised. With the prevalence of SaaS providers of all types replacing many in-house systems, organisations have to be more vigilant about what data they provide to their partners and how that data is secured.
“Much like the EU will mandate strict controls with GDPR for how EU citizen data needs to be treated, organisations should have clear policies for their vendors for how potentially sensitive information is treated once it’s in their hands. Every company needs their own GDPR-like policy for their own data. Vendors and other partners should be able to demonstrate security by design, regular risk assessments and effective detective and preventive controls on that data. The ones that do will have a clear competitive advantage now and especially in the future.”
Itsik Mantin, Director of Security Research at Imperva:
“Little information is available about the incident, but despite of Verifone clearing siren for the payment system remaining intact, there are many ways an infection can propagate from the enterprise network to the payment system.
“Whether or not it happened depends on many factors, one of the most important ones is how much time had passed from the breach to its discovery. From what we know, breaches remain undiscovered for weeks, months and sometimes even years when, during this period, attackers can collect sensitive data and record users credentials without interference. Then a single user that uses the same or similar password to access both the enterprise network and the payment system can be the bridge for the attacker to travel between the systems.
“With cyber criminals becoming more and more sophisticated and creative, they will continue finding their way in and we will continue hearing about breaches exposed. The challenge for organisations today is, even when losing some battles, keep winning the war. Security officers should operate under the assumption that the attackers are already inside their systems, looking for ways to deepen their grasp and crawling searching for business-critical data.”
“Breaches will remain a permanent part of our 21st century existence and hackers will maintain an advantage. They constantly probe for weaknesses in access controls, authentication methods, and other areas so that they can launch focused attacks using all of their means against specific weaknesses while the good guys are forced to spread their resources across a seemingly limitless number of potential vulnerabilities.”
.
Péter Gyöngyösi, Blindspotter Product Manager at Balabit: “The fact that Verifone asked employees and contractors to change their passwords and restricted their control over their desktops and laptops suggests that the attackers followed the usual path to gain access to critical systems such as payment terminals: exploit different vulnerabilities to take control over the devices and the accounts of people already inside the company. This once again underscores the importance of a multi-layer, defense-in-depth approach to security. Keeping endpoint devices completely secure, especially in a large enterprise, is an impossible task and organizations must prepare for situations where an attacker would gain access to internal accounts. Fine-grained access control and detailed monitoring of activities – especially those related to critical systems – and advanced analytics such as behavior analysis can help security teams gain an edge over the attackers.”
“While it’s hard to know exactly the extend of the breach, it appears that Verifone reacted quickly to change passwords and tighten laptop security controls. Most security experts agree: it’s not if you get hacked, but when. What’s critical is that businesses have adaptive security technology and organizational controls in place to contain and limit the damage of any intrusion, and hopefully prevent data loss.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.