Point of Sale terminals are becoming an increasingly common target for hackers, and following the well-reported attack on the major US retailer, Target, early this year, another such exploit has come to light. What is interesting about this one, however, is that the systems vendor involved, Vancouver, Washington-based Information Systems and Supplies (IS&S) has been remarkably open about what it has discovered a noble act that should help other businesses avoid the same problems.
First reported in Bank Info Security, the target was POS terminals in restaurants using IS&S terminals in the Northwest USA between February 28th and April 18th this year. The attack involved a remote-access attack on some of its terminals, which may have resulted in the exposure of payment card transactions.
IS&S is an independent reseller of POS products sold by software vendor Future POS, though not all IS&S customers are at risk of being hit by the breach.
The report highlights a letter sent by IS&S president Thomas Potter to restaurants that may have been impacted.
"We recently discovered that our LogMeIn account was breached on February 28, March 5 and April 18, 2014," Potter states in the letter. "We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates."
It is suspected that remote access credentials were compromised by a phishing attack, and IS&S is trying to be as proactive about advising its customers as possible. The report quotes Potter as stating that no customers have, to his knowledge, suffered any data compromises as a result of the breach. "We tried to get out ahead of this thing and do what was right by our customers," he is quoted as saying.
It is not known how many restaurants were notified or how many card transactions may have been impacted.
IS&S has changed all of its LogMeIn credentials and now requires a secondary unique password for access to the system and is scanning its POS systems for malware and other intrusions.
While breach alerts from POS vendors are uncommon, the steps taken by IS&S to inform its merchant customers of concerns for risk is both unusual to be lauded, as Lancope’s director of security research, Tom Cross, observed.
"Attackers have demonstrated that they can build a successful criminal enterprise by attacking point of sale systems, and we expect to continue to hear about incidents like this. It is helpful that these victims have come forward with technical details and timelines of their attack so that other organisations can understand what they may be facing and have pointers that they can use to begin investigations. In this case, Internet based remote access software seems to have provided attackers with access to point of sale systems. Allowing remote administration of point of sale systems from the Internet should be discouraged, as this provides a route for attackers to gain access."