Payments Giant Verifone Investigating Breach (krebsonsecurity.com)
Verifone is investigating a breach of its internal networks that appears to have impacted a number of companies running its point-of-sale card terminals, security reporter Brian Krebs reports. From the report: Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations. On Jan. 23, 2017, Verifone sent an "urgent" email to all company staff and contractors, warning they had 24 hours to change all company passwords.
Can't wait for full analysis (Score:5, Interesting)
All breaches start out being reported small, but tend to reveal much more. It's completely possible that this was an isolated breach, but as a security expert I'll wait for the full release and report. If they were in, they may have much more access than the initial report claims. Perhaps not individual credit card data, but bigger sets of data belonging to vendors.
Even Verifone can't be bothered with security (Score:3)
I'm convinced that big companies just pay for cyberattack insurance and call it a day, rather than actually improve their security. Everywhere I have ever worked, the internal network has been treated as completely open. If you can get your machine on an open network port or joined to wireless, you're in and have full access to everything. It's cheaper to give out free credit monitoring for a year than it is to re-architect the network so that nothing is trusted by default.
The root cause analysis will be interesting -- could be anything from an inside job to sloppy contractors leaving a hole open to just poor patching discipline. I wonder how secure places like Visa or American Express are, given that Verifone, the manufacturer of payment processing devices, can't be bothered with security.
Re:Even Verifone can't be bothered with security (Score:4, Interesting)
Re: (Score:2)
Well, if they properly set up the network, it's likely the payment network is secure and isolated from the corporate network. The corporate network is a bit more "open" to allow employees to do their jobs and engineering and all that, and it's likely that makes it a good target for breaches - because if there's any information on vulnerabilities on the payment network, or their payment devices, it would be on the corporate network.
So if they do this right, no customer data was breached (other than perhaps t