POS Security Woes: MICROS Hacked, Researchers Claim Chip Card Flaw
A pair of developments on the cybersecurity front are giving retailers more reasons to worry—as if they didn’t have enough already. Cyberthieves have compromised a customer support portal for Oracle Corp.’s MICROS POS system, which is used by more than 330,000 retail and hospitality providers worldwide, according to a report by cybersecurity blog Krebs on Security. Oracle confirmed rumors of the attack that first began swirling in late July. The company told Krebs it “detected and addressed malicious code in certain legacy MICROS systems” and requested all MICROS customers to reset their passwords for the system’s online support portal. The attack is thought to be the work of Carbanak, the Russian cybercrime ring behind more than $1 billion in heists over the past several years, Krebs reported. The MICROS support portal was found to have communicated with a server known to be used by the cybercrime group, Krebs said. It remains unclear exactly how the attackers gained access to MICROS.
Meanwhile, payments technology company NCR claimed to have found a flaw in EMV chip technology that could enable criminals to bypass a chip’s transaction encryption. Security researchers with NCR presented their findings on Aug. 3 at the Black Hat cybersecurity conference in Las Vegas. The technique involves rewriting the magnetic strip coding on an EMV-enabled payment card to make it appear as though it isn’t equipped with a chip, enabling fraudsters to end-run around the chip’s security features and use counterfeit magstripe cards. The method is enabled bv merchants not turning on the end-to-end encryption option on their EMV terminals, the researchers said. Many POS equipment manufacturers don’t enable their systems’ encryption option by default, instead requiring merchants to select the option. The NCR researchers recommended that consumers pay with mobile payment systems like Apple Pay instead of a payment card whenever possible.
But Randy Vanderhoof, director, U.S. Payments Forum, an EMV advocacy group, said the chip bypass technique described by NCR would be detected on the back end of the transaction, even if it fools the terminal. “When the authorization request gets to the issuer, they can recognize it was altered because they know what information should be on the magnetic stripe, and will therefore reject the transaction,” said Vanderhoof, CNNMoney reported.