A newly reported data breach that went undetected for six months at the world’s largest payment system manufacturer, which processes payments for Visa and Mastercard, can affect you for months or years to come.
Verifone recently confirmed that its internal network had been hacked. Although the company has downplayed the hack, it’s a serious breach that deserves more attention.
Verifone said about two dozen point-of-sale payment systems at gas stations were targeted. POS systems, like the ones hacked at Target that led to data from 40 million cards being stolen in 2013, are where you swipe or insert your debit card or credit card.
Verifone has said in a statement that this attack was contained. However, while Verifone may be downplaying this data breach, the hack gets scarier as more details come to light.
Here are the details that security analysts have pieced together about the Verifone data breach.
POS systems at about two dozen gas stations were hit. Although that may not sound serious, often hackers collect your information for future attacks. These are known as backdoor attacks. Meaning, the hackers could use your stolen information for crimes that will take place months or years from now.
Verifone was alerted to the hack, it’s believed, by credit card giants Visa and Mastercard. The attackers are from Russia and it’s likely they installed malware on a Verifone employee’s computer.
It’s thought that gas station POS systems were targeted because many of them are easier to hack than payment systems at banks, stores, and other locations. Why?
It centers on the EMV chips that are now on many debit cards and credit cards, and which are more secure than traditional cards. EMV cards are safer than cards you swipe because, instead of storing your personal information on the black strip on the back, each transaction has a unique code. It can be used only once. While banks and retailers are already supposed to have switched to EMV cards, gas stations have until October to comply. Worse, the vast majority of gas stations are behind schedule.
In late January, Verifone sent an urgent email to employees. That email, obtained by KrebsOnSecurity, instructed Verifone employees to immediately change their passwords.
Second, Verifone clamped down on employees’ computer privileges. The email read, in part: “We will be applying limitations to End-User capabilities on computers/laptops.” Instead of being allowed to download software, as many employees had been, “you will need to contact the IT service desk.”