Having lived and breathed security for more than 30 years now, I know that security isn’t just a retailer’s responsibility, or a vendor’s responsibility; it’s everyone’s responsibility. Even though VeriFone works closely with industry groups like PCI, W3C and ETA, just to name a few, we find that there is a still a wide information gap between those whose business it is to protect data, and those whose business it is to collect or create data.

Today we’re launching our first VeriFone Security Advisory. Our goal being to create another channel by which we hope to spread awareness around today’s threats. We know this won’t bridge the gap completely, but we hope it will help narrow it a bit.

VeriFone Security Advisory
12 August 2014

DISCLAIMER: This advisory is provided “as is” for informational purposes only. VeriFone does not provide any warranties of any kind regarding any information contained within.

While the Target breach received national headlines, according to the Identity Theft Research Center there were more than 600 reported data breaches in 2016, compromising close to 92 million individual records. Some security experts suspect the number of actual data breaches may be more than double the number publicly reported. Retail franchise merchants continue to be a favorite target of cyber criminals, due to their ECR Aloha pos help manuals (the big cash registers)—not to be confused with PIN entry devices (PED)—which may allow an intruder to access multiple locations with the same exploit. Variants of existing malware exploit kits are developed regularly and—according to a recent advisory from the U.S. Computer Emergency Readiness Team (US-CERT)—may not be immediately detected by anti-virus systems.

Security researchers indicate an increase in brute force attacks. Examples include brute force attacks on ECR POS and remote desktop protocols. In a 2014 Trustwave Security Report, one third of all POS data security breaches occur due to weak user name and passwords. This includes the use of default passwords used with common remote access software. It is not unusual to see the user name “administrator” used with passwords such as, “pos” or “password1”.