Restaurants warned of malware attack via internet of things

All it takes is one cup of coffee for everything to go wrong.

A hacker can infect multiple point-of-sale terminals with malware by entering through a "smart" coffee vending machine at a grocery store or restaurant. And the store owners are largely unaware of the risk.

This is particularly troublesome in the years following the 2013 Target data breach, in which hackers compromised an HVAC vendor's credentials to gain access to millions of card credentials.

"Last year, we got involved in a case in which 136 grocery retail sites were infected by malware after the bad guys made entry through the coffee machine," said Tom Arnold, principal and vice president of San Jose-based Payment Software Company (PSC), a unit of cybersecurity consulting firm NCC Group.

Chart: Who can get into a POS network?

The hackers entered through the machine's Linux kernel-based operating system, which uses BusyBox to notify the vendor when the machine needs refilling.

"The problem was, the machine would accept information the other way, and a hacker's scanner picked it up and attacked the machine," Arnold said. "Once inside, it turned out this silly coffee machine was on the network of all 136 stores' retail sites, and the launch was on to compromise all of the POS terminals."

There was nothing wrong with the Linux box, Arnold said. "The problem was that it was open to the outside and the retailer had no firewall to protect it, as no one cared about what sort of data was coming into the coffee machine."

Hackers can also get in through more mundane computer systems, as was the case with Planet Hollywood. Hackers were stealing card credentials and other information for 10 months before its parent company Earl Enterprises realized it was happening and informed its customers.

"There was nothing new in the attack at Planet Hollywood," Arnold said. "Malicious software infiltrated the system and began skimming the computer's memory, and part of the memory by the second or two it takes to move encrypted data from the POS to the back-office computer for decryption."

The hackers don't need a lot of time to pull 2 million customers' payment credentials out during the process. "It's only an instant, but that's an instant that is just enough time for a hacker," Arnold said.

In completing its forensics research on various breaches, PSC sees a trend in which restaurants or resorts with multiple terminals still operate with a "hub and spokes" architecture in which all terminals are connected to the same back-office server.

The back-office server is where the "payments modules wake up" to accept payments and move data to processors, Arnold said.

"Bad guys are very smart about watching for anything in which credit cards would come through the system for a short period of time," Arnold said. "Malicious software is smart enough to watch for specific PINs that the hackers want, maybe set up for stealing only certain types of cards."

In the past, restaurant or resort operators were generally worried about someone placing a skimmer on a POS or employees swiping card numbers. But those types of scams call for a person to be on site, which is a gamble cybercriminals don't need to take any longer.

Modern payments technology, particularly the advancement of internet of things communication and payment tools, has opened more doors for the technology that cybercrooks now bring to the table. Hence the ability to find a way into a POS network through a coffee vending machine.

Application threat researchers at Seattle-based F5 Labs confirm what Arnold and other security firms are seeing unfold. After reviewing 761 breaches reported in 10 states in 2018, F5 Labs cited "code-injected form-jacking and phishing" as the top threats facing businesses.

The carelessness of people and the ease with which hackers infest applications written in the PHP programming language on the internet remain two of the major weaknesses, F5 Labs stated.

It has all led to nearly 50% of breaches in the U.S. being caused by access-related problems, according to F5.

NCC Group and PSC have established what they consider key factors that retailers should embrace to help limit the breach problem. "They are five things that are very doable, but almost nobody does them," Arnold said.

The first is that restaurant owners should not let a back-office server on a PC become a place where managers and others also browse the web or respond to e-mail. "This is probably one of the biggest problems we see," Arnold noted. "They use a back office machine for unintended purposes like Facebook or Instagram, and this is where you start getting in trouble."

Weak passwords or security measures for the system through which a company's IT staff gets remote access to workers' computers are also a problem. The bad guys like going after these remote login setups because if they can compromise a system integrator, they can get into the entire POS network.

Most companies also fail to update antivirus or antimalware software, and are often slow or simply fail to incorporate security patches.

Finally, firewalls should be set up so that only the IT workers can get into the network. "The back office machine should only be able to talk to one other entity," Arnold said. "It protects you against all sorts of things. If the firewall stops just anyone from getting in, it could stop the bad guy."
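The segmentation rules Arnold describes (the back-office server talks to one outside entity, the coffee machine talks only to its vendor, terminals talk only to the back office) can be checked against network flow logs. The following is an added example, not code from the article, NCC Group or PSC; the subnets, roles, ports, TEST-NET addresses and the flow-log line format are all constructed assumptions.

```python
"""Flag flows that break a store-network segmentation policy.

Constructed example: subnets, roles, ports and addresses are hypothetical.
"""
from ipaddress import ip_address, ip_network

# Hypothetical store network: which role each subnet plays (constructed).
ROLES = {
    ip_network("10.1.10.0/24"): "pos",         # card terminals
    ip_network("10.1.20.0/24"): "backoffice",  # back-office payments server
    ip_network("10.1.30.0/24"): "iot",         # coffee/vending machines
    ip_network("10.1.40.0/24"): "it_admin",    # IT staff remote-access hosts
}
# Known external parties (RFC 5737 documentation addresses, constructed).
EXTERNAL = {"203.0.113.10": "processor", "198.51.100.5": "vendor"}

# Allow-list of (source role, destination role, destination port).
# Everything not listed here is a policy violation.
POLICY = {
    ("pos", "backoffice", 8443),       # terminals send to the payments module
    ("backoffice", "processor", 443),  # back office talks to one outside entity
    ("it_admin", "backoffice", 22),    # IT remote access only from admin hosts
    ("iot", "vendor", 443),            # refill telemetry outbound to the vendor
}


def role_of(ip: str) -> str:
    """Map an address to its role; anything unknown is 'internet'."""
    if ip in EXTERNAL:
        return EXTERNAL[ip]
    addr = ip_address(ip)
    for net, role in ROLES.items():
        if addr in net:
            return role
    return "internet"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "dst": dip, "dport": int(dport), "proto": proto}


def violations(lines) -> list:
    """Return (ts, src, src_role, dst, dst_role, dport) for every flow not in POLICY."""
    found = []
    for line in lines:
        f = parse_flow(line)
        sr, dr = role_of(f["src"]), role_of(f["dst"])
        if (sr, dr, f["dport"]) not in POLICY:
            found.append((f["ts"], f["src"], sr, f["dst"], dr, f["dport"]))
    return found
```

Running `violations` over a constructed log containing an inbound connection from the internet to the coffee machine, a coffee-machine-to-terminal flow, and the back office browsing a web site flags exactly those three flows and passes the normal terminal, vendor and IT traffic.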
