PoS malware can lurk in the most unexpected of places, and some have recently been found in the payment kiosks by US-based vendor Avanti, stealing payment card information.
Those “micro markets” are effectively unmanned retail spaces where users can choose snacks and beverages and pay through a kiosk. They can be found at offices throughout the US, are usually installed, maintained and restocked by local resellers, and accept payment via payment card, cash, or a fingerprint scan.
According to a “data incident” notification published by Avanti late last week, they discovered the malware on some of the kiosks on July 4.
“Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks,” the company explained.
“At this point, it appears the malware was designed to gather certain payment card information including the cardholder’s first and last name, credit/debit card number and expiration date. In addition, users of the Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality.”
They made sure to note that not all kiosks were infected with the malware, and not all kiosks are configured or used the same way, so it’s possible that personal information on some kiosks might have not been stolen despite the presence of malware.
The company has called in “a nationally-recognized forensic investigation firm and outside legal counsel to assist,” and has notified the authorities of the incident.
In the meantime, they have shut down payment processing at the affected locations (only cash is accepted) and their operators are working to clean the impacted systems.
“We are in the middle of implementing an end to end encryption solution for all of our kiosks, and are working on expediting that implementation. Theft of data and similar incidents are difficult to prevent in all instances, however, we will be reviewing our systems and making improvements where we can to minimize the chances of this happening again,” they noted, and added that they will be offering free credit monitoring services to affected individuals.
In the meantime, security firm RiskAnalytics published an account of a vending kiosk compromise at the office of one of their customers. The machine turned out to be an Avanti kiosk, as Noah Dunker, director of security labs at RiskAnalytics, confirmed to Brian Krebs.
“A large nationwide vendor that provides self-service kiosks was impacted, and an update was pushed out to these kiosks in the field,” Dunker explained.
“In our analysis of the incident, it seems most likely that the larger vendor was compromised, and some or all of the kiosks maintained by local vendors were impacted. We’ve been able to identify at least two smaller vendors with local operations that have been impacted in two different cities though we are not naming any impacted vendors yet, as we’ve been unable to contact them directly.”
The malware was a variant of the PoSeidon (aka FindPOS) scraper, and its presence on the machines was noticed when RiskAnalytics’ customer’s kiosk began sending data out of the company’s network using an SSL certificate previously associated with cybercriminal activities.
UPDATE: Tuesday, July 11, 2:42 AM PT: Avanti Markets released incident FAQs and thankfully biometric data was not compromised after all:
In an abundance of caution, our original notice advised customers who used their Market Card and the kiosk’s biometric verification functionality may have had their biometric data compromised. We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.