Any software problem at the pump can boost payment fraud

Register now

Security glitches in almost any area of an enterprise's IT system can create downstream risk payment fraud.

When an advisory by the Cybersecurity and Infrastructure Security Agency (CISA) gave the Orpak SiteOmat software a vulnerability severity rating of 9.8 out of 10, it was not without due cause.

The software was found to have the following flaws: code injection and buffer overflow vulnerabilities, the use of hard-coded credentials, cross-site scripting, SQL injection, missing encryption of sensitive data, code injection and stack-based buffer overflow.
All of these flaws require very little skill to exploit. The Orpak SiteOmat software tracks the temperature, amount and pressure of fuel stored in a gas station’s tanks, sets the price of gas and even processes card payments.

If a hacker were to compromise any of the software’s vulnerabilities, he/she would have been able to wreak havoc by implementing ransomware that could lock down the systems entirely, apply arbitrary remote code execution that results in DDoS conditions and unauthorized access to view and edit monitoring, configuration and payment information, or even administering formjacking malware that could stealthily siphon off payment card information from internet connected systems.

Cyberattacks are the fifth most likely risk faced by global organizations, according to the World Economic Forum’s Global Risks Report 2019.

Insecure software development and insufficient use of security best practices creates significant risk for both consumers and commercial organizations alike. Orpak must hold itself accountable for the comprehensive validation of its SiteOmat software in the future to ensure it can withstand a cyberattack. Continuous validation will also allow Orpak to easily identify regressions and track improvements over time, a necessity because the researcher that discovered the flaws in SiteOmat actually reported similar vulnerabilities in the software last year as well.

Having significant vulnerabilities discovered in a company’s software for two years in a row can cause significant damage to any brand’s reputation. The basic security protection failures that were discovered could result in massive losses for the gas stations that implemented Orpak’s software.

However, Orpak can still redeem itself by investing in security validation through automated testing to detect security flaws and gaps before adversaries find them. Data is gold in our era, and it is time that organizations take a more proactive approach to protecting it.

For reprint and licensing requests for this article, click here.
Payment fraud Payment processing Retailers ISO and agent