One of the world’s largest credit and debit card processors is in the middle of assessing the scope of a newly announced breach. Verifone supplies millions of point-of-sale devices and transmits large amounts of payment card data every second. At this point it is unclear how much data was lost, although the company is sure its internal network was compromised. The company states that its processing business was not affected. I hope this is the case; we shall see.
It appears that a weak password policy and uncontrolled administrator rights may have been exploited. According to KrebsOnSecurity.com:
“An internal memo sent Jan. 23, 2017 by Verifone’s chief information officer to all staff and contractors, telling them to change their passwords. The memo also states that Verifone employees would no longer be able to install software at will, apparently something everyone at the company could do prior to this notice.” - Seriously, they could do this before? This is poor security at best.
Krebs also reports: “Asked about the breach reports, a Verifone spokesman said the company saw evidence in January 2017 of an intrusion in a ‘limited portion’ of its internal network, but that the breach never impacted its payment services network.”
At this point, the origin of the hacking seems to be traced to a Russian-based hacking group.
For now, you should do nothing. Let’s see if further research supports the assertion that no processing machines were affected. If this is the case, you should be okay. If further reporting shows machines were affected, then we will wait to see how Verifone patches this issue.
F1 Solutions
Security Team