Biometric Data At Risk In POS Malware Attacks

Another day, another fraud attack. But this one is unique because, at least at first, it was believed that consumer biometric data may have been compromised.

On July 4, U.S. vendor Avanti detected POS (point of sale) malware in some of its “micro market” kiosks. The company published a data incident notification at the end of last week, letting customers know about the breach.

Avanti’s micro markets have made a home in employee breakrooms around the country, where employees can pop in for a quick snack or beverage and then ring themselves out at the smart kiosk, which takes cash, credit and biometric payments. It’s used by 1.6 million employees across the U.S.

Though local resellers install, maintain and stock them, the micro markets are unmanned retail spaces, so once they’re established, the ongoing costs are minimal – there are no wages to pay, no health benefits packages to provide.

Seems convenient and easy. But it also requires a lot of trust to work – from owners who allow the markets to go unsupervised, and from customers who put their sensitive payment data into the system, in many cases including their fingerprints.

Consumer trust is always among the biggest victims in a case like this. Indeed, that was industry analyst Brian Krebs’ takeaway.

“The point-of-sale industry has a fairly atrocious record of building insecure products and trying to tack on security only after the products have already gone to market,” Krebs wrote. “Given this history, it’s remarkable that some of these same vendors are now encouraging customers to entrust them with biometric data. Credit cards can be reissued, but biometric identifiers are for life.”

Krebs fears that biometric authentication is going to go mainstream before this vulnerability gets addressed. The Internet of Things will probably see a boom of biometric components, now that the capability is out there, but these Internet-connected devices were not designed with security in mind.

RiskAnalytics was the first to notice the breach when one of its customers’ kiosks began sending data out of the company’s network via an SSL certificate that was known from previous cybercriminal activity, Help Net Security reported. The malware was a strain of the PoSeidon, or FindPOS, scraper.

Avanti said in an FAQ statement that the attackers were after customers’ personal information, including credit card holder names, numbers and expiration dates.

The company said at first that users of its Market Card may have had their names and email addresses compromised, and biometric information may have been at risk as well. But the company later confirmed that all biometric data were secure.

“All kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data, and as such this biometric data would not be subject to this incident as it is encrypted,” the company said Tuesday.

Avanti responded by taking immediate steps to secure its information systems, starting with changing passwords. The company is working with forensics investigators and the FBI. Payment processing has been shut down on affected kiosks while teams purge the systems of residual malware and fortify them against potential future attacks, though the kiosks are still able to accept cash payments.

Avanti said it was already in the process of implementing an end-to-end encryption solution across all of its kiosks, but it has now expedited that process and undertaken improvements in other parts of the system to avoid future incidents. About half of its kiosks are still waiting for point-to-point encryption to be integrated.

Not everyone who used a payment card at an Avanti kiosk will be affected, but the company nevertheless recommended that customers take steps to monitor their credit activity and protect their personal information. It is offering complimentary credit monitoring services to affected individuals.