Wednesday, August 10, 2016

Krebs On Security: Data Breach At Oracle’s MICROS Point-of-Sale Division

Data Breach At Oracle’s MICROS Point-of-Sale Division
Brian Krebs, August 8, 2016

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.
MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide.
Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer — and, more importantly, to upload card-stealing malware to — some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.

Avivah Litan, a fraud analyst at Gartner Inc., says ... "I’d say there’s a big chance that the hackers in this case found a way to get remote access" to MICROS customers' on-premises point-of-sale devices.

This is really ugly. If criminals have managed to use the manufacturer's maintenance access to remotely install card-skimming software into point of sale terminals worldwide, then nothing is safe.

All the more reason to use a merchant's chip reader or Apple Pay wherever possible. These technologies work with device-specific account numbers, one-time pads and encryption to make it difficult (if not impossible) for a captured transaction to be used to create a fake card or initiate new transactions. (I am aware that there are many more virtual-card technologies in use but I don't know enough about them to have an opinion about their security.)

No comments: