The recent Verifone breach is a reminder that the retail and payments industries continue to suffer from ongoing attempts to obtain data through man-in-the-middle attacks, malware installation, social engineering and other nefarious activities.
Although payment networks like Mastercard and Visa say this incident is a separate Verifone issue, there is only one reason to breach a payment provider: to obtain customer data.
How often, and with what certainty, can we link these attacks to the lazy use of outmoded, insecure passwords?
Before we answer that question, let’s review what we know.
Information is still under review; however, the suspected group of attackers appears to be motivated to attack fueling stations, since gas pumps have the least security of all credit card terminals.
EMV technology (chip and signature, and chip and PIN) is being implemented far and wide in other retail settings. Gas pumps, which do not use EMV, are the final frontier for attacks that EMV might mitigate.
Verifone's password guidelines, as reported in the Krebs article, are too restrictive and result in weak passwords. They also fail to meet the draft NIST guidelines, which were published as a patch along our widening path to eliminating passwords entirely.
The revelation of Verifone’s weak password scheme also points to at least the possibility that an attack of this kind may recur. It would be unsurprising to discover, once all evidence is made public, that the initial point of entry into the network for this breach, and for a possible future one, was an employee workstation.
The intrusion has been in place for half a year. A wealth of data on how Verifone builds and operates its payment systems may have been exfiltrated.
This could aid in the production of malware or even hardware devices for attacking terminals and skimming bankcard information. With the ongoing lack of EMV and, worst of all, the continued use of passwords for the time being, the outlook for what might come next is pessimistic.