On March 7 Brian Krebs broke the news that Verifone, one of the largest card terminal manufacturers, has suffered a breach. The next day Verifone told the world that the breach was no big deal. No big deal right? Probably not and here is my rationale.
For those of you unfamiliar with Verifone, Verifone is not only a manufacturer of points of interaction (POI, aka card/transaction terminals), it also provides transaction processing services to merchants. As a result, any breach of such an organization puts a lot of the security of the card processing ecosystem at tremendous risk.
Extent Of The Breach
Here is what Verifone has told us about the extent of the breach.
“According to third-party forensic teams, this cyber attempt was limited to approximately two dozen U.S. gas station convenience stores and occurred over a short time period. No other merchants were targeted and the integrity of our payment networks and Verifone’s payment terminals remained secure and fully operational.
Verifone’s information security team identified evidence of this very limited cyber intrusion into our corporate network in January 2017, and we proactively notified Visa, MasterCard and other card schemes.
In concert with our partners, Verifone immediately implemented additional security controls across its corporate networks and began work to determine the type of information that may have been targeted.
It is also worth noting that there have been no adverse events or misuse of any data resulting from this incident. Verifone, partner agencies, and law enforcement remain vigilant and will continue to monitor for this.
We believe that our immediate response and coordination with partners and agencies has made the potential for misuse of information extremely limited.”
The first thing that any forensic examiner will tell you is that determining the extent of a breach is not a trivial process. It takes time. Most times, a lot of time. The reason is that attackers can be very stealthy in how they cover their tracks by wiping logs, leave behind malware/backdoors, and other techniques to obscure what they did and how they did it. Even though Verifone took almost two months to acknowledge the breach and tell everyone that things are fine, all may not necessarily be well within Verifone. But only time will tell if that is true.
The troubling thing about Verifone’s statement and likely demanded by their lawyers is the wording at the very end of their statement as they start their last sentence – “We believe”. Legalese that will give them an out should their forensic teams find more issues or issues turn up later.
“Asked about the breach reports, a Verifone spokesman said the company saw evidence in January 2017 of an intrusion in a “limited portion” of its internal network, but that the breach never impacted its payment services network.”
This was followed up by an update by Mr. Krebs after his original post. Verifone stated:
“According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
Hold on a moment. What is a “short time frame”? Oh, and by the way, the attackers had access to controllers and around two dozen gas stations? And then there is that “According to the forensic information to-date” comment. That statement would seem to imply that Verifone is not necessary complete with their forensic examination.
So did Verifone or someone else find this breach?
“But a source with knowledge of the matter told KrebsOnSecurity.com that the employee alert Verifone sent out on Jan, 23, 2017 was in response to a notification that Verifone received from the credit card companies Visa and Mastercard just days earlier in January.”
So like most organizations, they were notified by a third party that they likely had been breached. In this case, two card brands recognized fraudulent transactions that came from merchants serviced by Verifone.
But follow that statement with this one regarding what happened once they were notified.
“Verifone’s information security team identified evidence of this very limited cyber intrusion into our corporate network in January 2017 …”
My concern with this and the prior statement is that it takes a while for the card brands to recognize fraud. I have seen it take brands as little as a month to as much as two years for the brands to notify a merchant or service provider that they think there has been a breach. The reason is that it depends on the extent of the breach (i.e., small versus large merchants, small versus large service provider(s), number of transactions/cards involved), how quickly the cards are used for committing fraud, how quickly those fraudulent transactions are reported back to banks by their customers, how quickly the brands determine a pattern and then that pattern traces back to a likely source or sources. As a result, I am very suspect as to how long the intruders were in their network and the likelihood that the intrusion was truly as “limited” as Verifone is leading us to believe.
The bottom line in all of this, in my very humble opinion, is that this could just be the tip of the iceberg and this breach could be more extensive than Verifone knows and could have larger ramifications.
Why You Should Care
Given that I suspect that the attackers were in Verifone’s network for a while, I would assume that not just Verifone’s service provider operation was targeted and compromised.
The first clue to this suspicion is that Visa and MasterCard were the ones that notified Verifone that something was going on. As I stated earlier, the brands take a while to determine a breach which likely means that the attackers were inside Verifone for more than just a short period of time. In addition, it is rare that PANs collected in a breach are used immediately after they are obtained. The reason is that there are bigger rewards if they are not used immediately.
The next piece clue in our puzzle is this statement from the Krebs post.
“The source said his employer shared with the card brands evidence that a Russian hacking group known for targeting payment providers and hospitality firms had compromised at least a portion of Verifone’s internal network.”
If this is accurate then it is highly likely that not just card information was gathered. What also was likely gathered was source code to things like card terminal firmware and software such as Verishield, Verifone’s end-to-end encryption (E2EE) solution. Any attackers that are focused on targeting payment providers would know that if they were inside of an organization that provides such solutions as Verifone that they should get their software as well as cardholder data (CHD). If you have the ability to exfiltrate CHD, why not exfiltrate other useful information such as source code, certificates, encryption keys and other sensitive information.
The only good news in this regard is that while a lot of transaction gateways and processors use Verishield, they all have their own certificates and encryption keys. So the attackers would have only gotten certificates and keys for the merchants processing through Verifone. Since Verifone is an encryption endpoint, it is possible that the attackers did not get the certificates or encryption keys because they would not necessarily need them to get at the clear text CHD. However one should ever assume that is the case.
The net of all of this is that if you have Verifone terminals and/or Verishield or other Verifone applications, you should probably be doing a lot more monitoring of that hardware and software since there is no reason to believe that it has not been compromised.
It will be interesting as time goes on to see if this is the end of the discussion or if more will come out on the Verifone breach.