SoylentNews is people

posted by chromas on Sunday December 15 2019, @10:57PM

VISA Warns of Ongoing Cyber Attacks on Gas Pump PoS Systems

The point-of-sale (POS) systems of North American fuel dispenser merchants are under an increased and ongoing threat of being targeted by an attack coordinated by cybercrime groups according to a security alert published by VISA.

Three attacks of this type, with the end goal of scraping payment card data, were observed during the summer of 2019, according to the Visa Payment Fraud Disruption (PFD) team.

[...] PFD says that in the first incident it identified, unknown attackers were able to compromise their target using a phishing email that allowed them to infect one of the systems on the network with a Remote Access Trojan (RAT).

This provided them with direct network access, making it possible to obtain credentials with enough permissions to move laterally throughout the network and compromise the company's POS system as "there was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network."

The last stage of the attack saw the actors deploying a RAM scraper that helped them collect and exfiltrate customer payment card data.

During the second and third incidents, PFD states that the threat actors used malicious tools and TTPs (Tactics, Techniques and Procedures) attributable to the financially-motivated FIN8 cybercrime group.

[...] "It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant's internal network, and takes more technical prowess than skimming attacks," VISA PFD says.

"Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible, as this will significantly lower the likelihood of these attacks."

So unfortunately this is really something that you can't do much about.

  • (Score: 2) by Snotnose on Sunday December 15 2019, @11:34PM

    by Snotnose (1623) on Sunday December 15 2019, @11:34PM (#932538)

    For the last 2-3 years, or whenever this first showed up on the news, every place I've bought gas from had a sticky tape with a sign "if this tape is broken and you buy gas here you deserve what you get".

    Maybe not in so many words, but still....

    --
    Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
  • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @11:54PM (2 children)

    by Anonymous Coward on Sunday December 15 2019, @11:54PM (#932544)

    They just cruise around on free electricity, laughing at you chumps who still need to use credit cards.

    • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @11:59PM (1 child)

      by Anonymous Coward on Sunday December 15 2019, @11:59PM (#932547)

      ...while Tesla tracks their every move.

      • (Score: 4, Interesting) by black6host on Monday December 16 2019, @12:28AM

        by black6host (3827) on Monday December 16 2019, @12:28AM (#932560) Journal

        It's only a matter of time before all the car insurance companies track you all the time anyway so what the hell. https://www.marketwatch.com/story/should-you-let-your-car-insurer-monitor-you-2019-03-27 [marketwatch.com] and that article shows a bit of bias towards the practice. At least too much for me. At least it's not mandatory but more and more insurers are offering that crap and they track you using your phone. Which most people have, it's not like they have to install some hardware crap like they used to. Soon, it'll be always on...

  • (Score: 1) by anubi on Monday December 16 2019, @12:03AM (7 children)

    by anubi (2828) on Monday December 16 2019, @12:03AM (#932550) Journal

    I thought the skimming was one of the drivers behind these new cards that have microchips embedded in them and require physical contact for a couple of seconds to register.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by EJ on Monday December 16 2019, @01:26AM

      by EJ (2452) on Monday December 16 2019, @01:26AM (#932595)

      Did you not even bother to read the summary???

    • (Score: 0) by Anonymous Coward on Monday December 16 2019, @01:39AM (3 children)

      by Anonymous Coward on Monday December 16 2019, @01:39AM (#932607)

      The chip bit cannot be cloned... BUT, I read that the info on the chip, read by a shimmer, is used to write a magstripe card which can then be used to make fraudulent charges.

      • (Score: 2) by MostCynical on Monday December 16 2019, @02:46AM

        by MostCynical (2589) on Monday December 16 2019, @02:46AM (#932655) Journal

        Number, expiry date and CVV are all you need to make purchases by phone or online.

        These details are all in the POS RAM, for at least an auditable amount of time.
        They *aren't* supposed to be connected to corporate networks.

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 2) by DannyB on Monday December 16 2019, @03:44PM (1 child)

        by DannyB (5839) Subscriber Badge on Monday December 16 2019, @03:44PM (#932871) Journal

        There is no "info" to read from the chip on a CC. The chip is not a clone of the mag stripe. The chip has an active role in the transaction.

        The "chip" is a microprocessor with Java. When inserted into POS terminal it is powered up and does one job. It has a secret private key that was never recorded anywhere nor known to anyone. While the card is inserted into the POS terminal, the bank and the chip on your card negotiate an exchange where your card digitally signs the transaction. It matches the public key for your card which the bank has. Therefore only your card's private key could have signed it. The signed information includes information about the terminal, and the transaction that YOU approved on that terminal.

        It might be possible to recover that key by carefully physically destroying the chip. But it is designed to resist that.

        My information might be out of date or incorrect. So I'd be happy if anyone has something informative to add to this.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
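        The chip's active role described in the post above, modelled as an added Python example (not from any poster, and not EMV itself): it uses an HMAC with a per-card key shared only with the issuer, which is how EMV online cryptograms (ARQC) actually work, in place of the public-key signature the post describes. The card key, PAN, terminal id and amounts are constructed sample values.

```python
# Toy model of an EMV-style online cryptogram (ARQC). Simplified for teaching;
# not the EMV specification or any vendor's code. Constructed values throughout.
import hashlib
import hmac
import os

# Constructed per-card secret, shared only between chip and issuer. Real cards
# derive it from an issuer master key; it never appears in POS memory.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN, EXPIRY = "4111111111111111", "2512"   # the static data a RAM scraper could lift


def session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card key and the Application Transaction Counter."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def card_cryptogram(card_key: bytes, atc: int, amount_cents: int, terminal_id: str, nonce: int) -> str:
    """What the chip does: MAC the transaction data the cardholder approved."""
    data = f"{amount_cents}|{terminal_id}|{nonce:08x}|{atc}".encode()
    return hmac.new(session_key(card_key, atc), data, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer side: holds the card key and the last ATC seen, so replays fail."""

    def __init__(self, card_key: bytes):
        self.card_key, self.last_atc = card_key, -1

    def authorize(self, atc, amount_cents, terminal_id, nonce, cryptogram) -> bool:
        if atc <= self.last_atc:
            return False  # stale counter: a replayed cryptogram
        expected = card_cryptogram(self.card_key, atc, amount_cents, terminal_id, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # transaction data changed, or no card key behind the MAC
        self.last_atc = atc
        return True


def demo() -> tuple:
    """Returns (genuine, replay, tampered, forged_from_static_data)."""
    issuer = Issuer(CARD_KEY)
    nonce = int.from_bytes(os.urandom(4), "big")  # terminal-chosen unpredictable number
    arqc = card_cryptogram(CARD_KEY, 1, 4500, "PUMP07", nonce)
    genuine = issuer.authorize(1, 4500, "PUMP07", nonce, arqc)
    replay = issuer.authorize(1, 4500, "PUMP07", nonce, arqc)        # same ATC resent
    tampered = issuer.authorize(2, 9900, "PUMP07", nonce, arqc)      # amount edited
    # A scraper holding only PAN and expiry has no key to MAC with.
    guess = hashlib.sha256((PAN + EXPIRY).encode()).hexdigest()
    forged = issuer.authorize(2, 4500, "PUMP07", nonce, guess)
    return genuine, replay, tampered, forged
```

Only the first authorization succeeds; the replay, the edited amount and the keyless guess all fail, which is the property that makes chip data in POS RAM far less useful to a scraper than magstripe track data.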
        • (Score: 0) by Anonymous Coward on Tuesday December 17 2019, @01:57AM

          by Anonymous Coward on Tuesday December 17 2019, @01:57AM (#933111)

          https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/ [krebsonsecurity.com]

          Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card's magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.

    • (Score: 0) by Anonymous Coward on Monday December 16 2019, @03:41PM (1 child)

      by Anonymous Coward on Monday December 16 2019, @03:41PM (#932870)

      Yes, but I haven't seen a chip reading pump POS setup yet. They all still read magstripes.

      • (Score: 2) by DannyB on Monday December 16 2019, @03:46PM

        by DannyB (5839) Subscriber Badge on Monday December 16 2019, @03:46PM (#932872) Journal

        That is what makes these a big fat target.

        It will be a big undertaking[1] to replace all of the POS terminals in all fuel pumps with chip enabled devices.

        [1] which can only be done by an undertaker

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 5, Insightful) by Thexalon on Monday December 16 2019, @12:17AM (6 children)

    by Thexalon (636) on Monday December 16 2019, @12:17AM (#932556)

    "POS" is a perfect initialism for these things, because in addition to being a "point-of-sale" it also is a "piece-of-shit".

    And I'm not surprised the companies in question skimped on useful security measures like network segmentation: If a techie goes to management and asks for money or time to fix a security problem, the answer is almost invariably "no", because somebody in sales or marketing wants a new whizbang thingamabob that they claim will boost next quarter's sales, whereas the security problem is only a problem for the business if a large percentage of customers both find out about it and change their behavior significantly as a result. Which is also why any business who experiences a major security breach treats the problem as a public relations problem, not a technical problem.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by PiMuNu on Monday December 16 2019, @12:19PM (5 children)

      by PiMuNu (3823) on Monday December 16 2019, @12:19PM (#932810)

      Why does the vendor hold customer credit card info at all? Why does the PoS device not contact the bank and bank holds the transaction details?

      • (Score: 2) by Thexalon on Monday December 16 2019, @01:15PM (4 children)

        by Thexalon (636) on Monday December 16 2019, @01:15PM (#932821)

        These systems end up having to store the CC info in memory briefly: They can't do things like use JavaScript to send the CC info from the browser directly to the CC processor without going through the company's systems, because there's no system not controlled by the vendor for the customer to interact with. And it's going from RAM directly to the bad guys.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 2) by PiMuNu on Monday December 16 2019, @01:52PM (3 children)

          by PiMuNu (3823) on Monday December 16 2019, @01:52PM (#932835)

          I agree that the PoS system has to hold the CC info in memory. I assume that one would lock the PoS system down so that it is highly challenging to hack over the wire. Reading TFS, there is this jargon "Cardholder Data Environment"; it sounds like the credit card reader is caching on some (local) server, which has been cracked, and then sent down the wire to the bank. Perhaps a local cache to deal with e.g. network downtime?

          NB, I can't read TFA because of GDPR non-compliance (does not let me reject cookies).

          • (Score: 3, Interesting) by DannyB on Monday December 16 2019, @04:04PM (2 children)

            by DannyB (5839) Subscriber Badge on Monday December 16 2019, @04:04PM (#932878) Journal

            If you've ever gone through the PCI compliance process to build a system that handles credit card payments, or even studied how to go through that process, one of the first acronyms you learn is "Cardholder Data Environment". This is the boundary of anything that holds cardholder information, or card information. That boundary is what they are trying to protect.

            Given how high the bar is for PCI compliance, I am surprised that any systems are even allowed to handle CC info without being on a dedicated network, isolated VMs, etc. The costs of PCI compliance are also quite high. There is the compliance testing. They'll try to hack your systems. Your system has to pass various technical tests. They want everything documented. Who has access to these systems and by what means. You can't just be able to walk in to the server and physically manipulate it.

            This is why I was so puzzled how the Target breach a few years ago could even happen. And why fuel pumps are STILL allowed to NOT implement the CHIP requirements and get rid of using mag stripes.

            --
            People today are educated enough to repeat what they are taught but not to question what they are taught.
            • (Score: 3, Interesting) by Thexalon on Monday December 16 2019, @04:48PM

              by Thexalon (636) on Monday December 16 2019, @04:48PM (#932901)

              Given how high the bar is for PCI compliance, I am surprised that any systems are even allowed to handle CC info without being on a dedicated network, isolated VMs, etc. The costs of PCI compliance are also quite high. There is the compliance testing. They'll try to hack your systems. Your system has to pass various technical tests. They want everything documented. Who has access to these systems and by what means. You can't just be able to walk in to the server and physically manipulate it.

              For larger firms, yes to all of this: There's a whole bunch of QA, pen-testing, and verification.

              For smaller concerns, at least the last time I went through it, they have a 2-page form they ask you to fill out swearing up and down that you'll never do anything bad with customer CC information and never have done anything bad with customer CC information. I know of at least one firm where they filled out the form and then stored the CVV2 in plaintext in their database, and when I told them they were not in compliance and I could fix it without much difficulty (proper use of the tools provided by your payment gateway makes compliance pretty easy) they flat-out refused. I began immediately job-hunting at that point and quit not that long after.

              --
              The only thing that stops a bad guy with a compiler is a good guy with a compiler.
            • (Score: 1, Interesting) by Anonymous Coward on Tuesday December 17 2019, @02:18AM

              by Anonymous Coward on Tuesday December 17 2019, @02:18AM (#933117)

              When you control a good portion of the market you make the rules.

              https://www.gilbarco.com/us/ [gilbarco.com]