The breach was discovered in January, but attackers may have been on the company's network since mid-2016

Mar 8, 2017 01:06 GMT

Verifone, the largest maker of credit card terminals in the United States, is investigating a breach of its internal computer networks, which seems to have been limited to its corporate network without actually impacting the payment services network.

According to the Krebs on Security blog, Verifone sent an email to all company staff and contractors, urging them to change all company passwords within 24 hours. The email memo notes that the company is investigating an IT control matter and that, as a precaution, immediate steps were taken to improve controls.

According to the aforementioned memo, employees would no longer be allowed to install software of any kind on company computers and laptops, indicating that the breach might have taken place via downloaded malware of some kind.

"In January 2017, Verifone’s information security team saw evidence of a limited cyber intrusion into our corporate network. Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited," a Verifone spokesperson said on the matter.

The huge potential of the breach

It seems that Verifone was tipped off by a notification received from credit card companies Visa and Mastercard days before sending out the memo back in January.

The blog quotes unnamed sources that indicate the intrusion impacted a customer support unit in Florida which provides payment solutions specifically to gas and petrol stations. The list of products it offers includes pay-at-the-pump credit card processing, cash registers inside the fuel station store and more.

The same sources claim that Verifone has evidence that a Russian hacking group known for its attacks against payment providers was behind the breach. The problem is that this particular group of intruders might have been inside Verifone's network since mid-2016.

Given the nature of the company and the time these hackers spent within the network, the situation may not be as rosy as Verifone would like us to believe. The fact that it hasn't come forward to speak about the breach until now indicates an effort to save face.

"It sounds like they were after point-of-sale software information, whether the POS designs, the source code, or signing keys. Also, the company says it believes it stopped the breach in time, and that usually means they don’t know if they did. The bottom line is it’s very serious when the Verifone system gets breached," Avivah Litan, financial fraud analyst for Gartner Inc., told Krebs. He notes that the worst thing is the attackers have information on the point-of-sale systems that lets them put backdoors on the devices that can record, store, and transmit stolen customer card data.