Law enforcement officers notified Nextep that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, according to security blogger Brian Krebs.
Security industry commentators have said the breach could have a far-ranging impact on consumers, considering Nextep’s diverse customer base.
Customers of the POS systems firm include restaurants, corporate cafeterias, casinos, airports and other food service venues.
After being alerted about the breaches, Nextep launched an investigation in co-operation with law enforcement and data security experts, company president Tommy Woycik said in a statement.
He said the investigation was aimed at determining the root cause of the compromise and remediating the issue.
Woycik said the investigation was ongoing, and although the extent of the breach is not known, the company is confident that not all customers are affected.
According to Krebs, Nextep is the fourth POS supplier in the US to have been compromised in the past year. In all other cases, hundreds of customers who used the compromised systems were affected.
Historically, attackers have used stolen credentials to gain remote access to the POS systems and install malware designed to steal payment card details.
This data can be used to create cloned payment cards that in turn can be used to withdraw cash or carry out fraud online.
The increasing use of malware on POS systems highlights the need to update systems and security, according to vice-president of advanced security and governance at Proofpoint, Kevin Epstein.
“The fact so many of the attacks that placed malware on POS terminals were initiated by a longline phishing attack, that then compromised server and network infrastructure, highlights the desperate need to upgrade legacy perimeter gateways with additional modern layered security, targeted attack protection and threat response systems,” he said.
Like many other security suppliers, Proofpoint is advocating a layered security strategy.
“To minimise risk, defences must include targeted attack protection to defend against emailed links pointing to sites, application layer firewalls to defend against malicious traffic, and automated incident threat response to detect and block malware command and control traffic, among other security policies and systems,” said Epstein.
He said the priority for Nextep is to notify impacted consumers and offer them a credit monitoring service so any potential fraudulent activity on their accounts is spotted immediately.
“A cyber attack’s most expensive aspect isn’t clean-up – it’s brand damage. Restoring consumer confidence is paramount. To that end, subsequent disclosure of the attack source and implementation of new, modern protective systems to prevent recurrence are also good steps to take, quickly,” Epstein said.
EMV a long-term solution
Imperva security researcher Sagie Dulce said POS systems suppliers are an attractive target to cyber criminals because they usually have some method of connecting with POS devices for troubleshooting.
“It is a difficult job to secure POS devices – a long-term solution should be using the Europay, MasterCard and Visa [EMV] security standard on payment cards,” he said.
EMV is a global standard for the inter-operation of integrated circuit cards, known as chip and PIN in the UK.
While EMV is not hack-proof, it provides more security than the magnetic stripe-based system, with a unique identifier for each transaction and user verification through a PIN code.
Although widely adopted in Europe, where it has been credited with significantly reducing card-present fraud, EMV adoption in the US has been relatively slow.
In October 2014, US president Barack Obama issued an executive order aimed at speeding up the adoption of cards that meet the EMV standard.
With more than 100 million US citizens falling victim to data breaches in the past year, and millions suffering from credit card fraud and identity crimes, there is a need to move to stronger, more secure technologies that better secure transactions, the White House said in a statement.