The self-service kiosks of Avanti Markets were recently hacked with criminals stealing customer information which included credit card numbers, the first and last name of the customers along with certain biometric information.
Avanti Markets
Avanti Markets is one of the largest suppliers of self-service kiosks that are used by corporate employees to pay for snacks and victuals at the office’s breakroom. The machines use customer’s credit card and fingerprints to authorize the transactions.
Breach results in compromising a million accounts
According to Avanti Markets., approximately 1.6 million customers became the victims of the breach. Also, Avanti Markets stated in a blog post that the breach took place on the 4th of July, but the company learned about the incident only recently this week. Subsequently, a notice of data breach was published on its website.
The hackers have apparently injected a malware in the network of the company’s system. Avanti Markets stated that not all of the machines are configured in the same way, and therefore, some of the customers’ accounts might have been breached while others may not have been affected at all.
Service shut down as a result of the breach
Avanti Markets decided to turn off all of their networks after the breach and stated that it is working with experts to fix the problem. Essentially, it said that steps are being taken to minimize the risk of further data breaches.
However, according to a report, half of the kiosks do not use P2Pe, which is short for point-to-point encryption. It is a method to encrypt customer information so that incidents like these can be avoided.
PoSeidon
Last Thursday, a law firm reported that the kiosk in its premises was not accepting credit cards. A researcher from RiskAnalytics, Noah Dunker, subsequently wrote about the incident on his blog on the 4th of July.
He stated the machine had been breached by a malware called PoSeidon which was transferring credit card information from the machine to the attackers. PoSeidon is a name for a family of malicious computer programs targeting Computerized Point-of-Sale systems.
Also, the blog mentioned that along with the primary vendor, small local vendors who were supplying the technology were also affected by the malware. However, the names of the vendors were not revealed at the time.
Later, a researcher from KrebsOnSecurity asked Dunker whether the primary vendor he mentioned was Avanti. Dunker confirmed and told KrebsOnSecurity that the vendor he was talking about was actually Avanti Markets and that the machine in the law firm was using an SSL encryption certificate to send out critical information.
The issue with the network technology
Dunker pointed out that the incident shows how vulnerable a network such as this one can be. He stated that since there are a number of systems involved, fixing or securing the overall network is not easy.
Moreover, he mentioned that such devices are usually managed and controlled by third-parties which make finding vulnerabilities ever more difficult, let alone fixing them.
Is biometrics that safe?
In this modern day and age, there are increasing amounts of devices with biometric verification systems that scan a person’s face, eyes, or fingerprints to grant access to protected accounts.
In the incident mentioned above, hackers were able to steal biometric data as well implying that such systems are not that safe.
In fact, a couple of months ago, the biometric verification system used by Samsung which scans a user’s iris to grant access was easily broken into with just a high-definition photograph and contact lenses.
The lens was placed on the photographic eye of a real person and put in front of Samsung’s camera. Quite surprisingly, the phone unlocked granting access to the researcher.
Whether such biometric systems are safe is moot. Nevertheless, devices using these systems need to ensure even greater security since unlike credit cards or passwords, such information cannot be changed or renewed instantly.