Hold Security researchers recently determined that the same Russian hackers who breached a customer support portal for Oracle’s MICROS point-of-sale (POS) systems also hit five other POS providers, Forbes reports.
The hackers targeted weaknesses in the vendors’ servers, then attempted to steal retailers’ login information, which they could use to gain remote access to POS systems and steal credit card data.
The five companies — Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell — supply more than a million POS systems worldwide, according to Forbes.
Four of the five companies acknowledged having been hacked.
Cin7 founder Danny Ing told Forbes that malware had been discovered on one of its servers. “The malicious code was designed to get passwords from the database or operating system,” he said. “We are currently investigating the extent of the breach and we will inform customers if required.”
“ECRS was able to confirm that an unknown entity was able to place malicious code on this Web portal,” an ECRS spokesperson told Forbes. “Evidence indicates that the attacker exploited a very recently discovered vulnerability in the third-party Web server software that powers this portal to place this code.”
PAR Technology told Forbes that its hacked server didn’t include any production data. “We’re looking at it as a non-material event,” company vice president of marketing Kevin Jaskolka said. “We deal with this stuff all the time, people looking at getting backdoors. We feel very good about our security standards.”
Similarly, Uniwell president Steve Mori said his company’s hacked server only held public information, though login credentials had to be changed. “Moving forward, our plan is to shut down our uniwell-americas.com Web server as we believe it will remain vulnerable,” he said.
George Rice, senior director at HPE Security-Data Security, told eSecurity Planet by email that these breaches should serve as yet another reminder of the vulnerabilities associated with point-of-sale (POS) systems. “Businesses need to regularly update POS systems for legitimate business reasons,” he said. “But the same access tools that facilitate this update process are the weak points that criminals exploit. Once they gain access, thieves may exfiltrate sensitive cardholder data by embedding data-stealing malware into the merchant POS.”
“To combat these vulnerabilities, businesses must remove all unprotected sensitive data from insecure systems like a merchant POS,” Rice added. “Format-preserving security approaches have proven to be the best way to do this while avoiding disruption to business operations. With format-preservation data security tools, businesses may encrypt and tokenize sensitive data values so that the protected value has the same formats as the original. Then insecure systems like POS, store servers and payment switches can properly perform the payment authorization process using protected data that [is] useless to criminal malware.”