Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Sunday December 15 2019, @10:57PM   Printer-friendly

VISA Warns of Ongoing Cyber Attacks on Gas Pump PoS Systems

The point-of-sale (POS) systems of North American fuel dispenser merchants are under an increased and ongoing threat of being targeted by an attack coordinated by cybercrime groups according to a security alert published by VISA.

Three attacks that targeted organizations in this type of attack with the end goal of scraping payment card data were observed during the summer of 2019, according to the Visa Payment Fraud Disruption (PFD).

[...] PFD says that in the first incident it identified, unknown attackers were able to compromise their target using a phishing email that allowed them to infect one of the systems on the network with a Remote Access Trojan (RAT).

This provided them with direct network access, making it possible to obtain credentials with enough permissions to move laterally throughout the network and compromise the company's POS system as "there was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network."

The last stage of the attack saw the actors deploying a RAM scraper that helped them collect and exfiltrate customer payment card data.

During the second and third incidents, PFD states that the threat actors used malicious tools and TTPs (Tactics, Techniques and Procedures) attributable to the financially-motivated FIN8 cybercrime group.

[...] "It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant's internal network, and takes more technical prowess than skimming attacks," VISA PFD says.

"Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible, as this will significantly lower the likelihood of these attacks."

So unfortunately this is really something that you can't do much about.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Thexalon on Monday December 16 2019, @01:15PM (4 children)

    by Thexalon (636) on Monday December 16 2019, @01:15PM (#932821)

    These systems end up having to store the CC info in memory briefly: They can't do things like use Javascript to send the CC info from the browser directly to the CC processor without going through the company's systems, because there's no system not controlled by the vendor for the customer to interact with. And it's going from RAM directly to the bad guys.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by PiMuNu on Monday December 16 2019, @01:52PM (3 children)

    by PiMuNu (3823) on Monday December 16 2019, @01:52PM (#932835)

    I agree that the PoS system has to hold the CC info in memory. I assume that one would lock the PoS system down so that it is highly challenging to hack over the wire. Reading TFS, there is this jargon "Cardholder Data Environment"; it sounds like the credit card reader is cacheing on some (local) server, which has been cracked, and then sent down the wire to the bank. Perhaps a local cache to deal with e.g. network downtime?

    Nb I cant read TFA because of GDPR non-compliance (does not let me reject cookies).

    • (Score: 3, Interesting) by DannyB on Monday December 16 2019, @04:04PM (2 children)

      by DannyB (5839) Subscriber Badge on Monday December 16 2019, @04:04PM (#932878) Journal

      If you've ever gone through the PCI compliance process to build a system that handles credit card payments, or even studied how to go through that process, one of the first acronyms you learn is "Cardholder Data Environment". This is the boundary of anything that holds cardholder information, or card information. That boundary is what they are trying to protect.

      Given how high the bar is for PCI compliance, I am surprised that any systems are even allowed to handle CC info without being on a dedicated network, isolated VMs, etc. The costs of PCI compliance are also quite high. There is the compliance testing. They'll try to hack your systems. Your system has to pass various technical tests. They want everything documented. Who has access to these systems and by what means. You can't just be able to walk in to the server and physically manipulate it.

      This is why I was so puzzled how the Target breach a few years ago could even happen. And why fuel pumps are STILL allowed to NOT implement the CHIP requirements and get rid of using mag stripes.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 3, Interesting) by Thexalon on Monday December 16 2019, @04:48PM

        by Thexalon (636) on Monday December 16 2019, @04:48PM (#932901)

        Given how high the bar is for PCI compliance, I am surprised that any systems are even allowed to handle CC info without being on a dedicated network, isolated VMs, etc. The costs of PCI compliance are also quite high. There is the compliance testing. They'll try to hack your systems. Your system has to pass various technical tests. They want everything documented. Who has access to these systems and by what means. You can't just be able to walk in to the server and physically manipulate it.

        For larger firms, yes to all of this: There's a whole bunch of QA, pen-testing, and verification.

        For smaller concerns, at least the last time I went through it, they have a 2-page form they ask you to fill out swearing up and down that you'll never do anything bad with customer CC information and never have done anything bad with customer CC information. I know of at least one firm where they filled out the form and then stored the CVV2 in plaintext in their database, and when I told them they were not in compliance and I could fix it without much difficulty (proper use of the tools provided by your payment gateway makes compliance pretty easy) they flat-out refused. I began immediately job-hunting at that point and quit not that long after.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 1, Interesting) by Anonymous Coward on Tuesday December 17 2019, @02:18AM

        by Anonymous Coward on Tuesday December 17 2019, @02:18AM (#933117)

        When you control a good portion of the market you make the rules.

        https://www.gilbarco.com/us/ [gilbarco.com]