March 9, 2015

NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.

nextepThe acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’S biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada.

Last week, KrebsOnSecurity reached out to Zoup after hearing from financial industry sources about fraud patterns indicating some sort of card compromise at many Zoup locations. Zoup CEO Eric Ersher referred calls to NEXTEP, saying that NEXTEP was recently informed of a security issue with its point-of-sale devices. Ersher said Zoup runs NEXTEP’s point-of-sale devices across its entire chain of stores.

In an emailed statement, NEXTEP President Tommy Woycik confirmed Ersher’s account, but emphasized that the company does not believe all of its customers are impacted.

“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” Woycik wrote. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed.  This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”

A breach at a point-of-sale vendor can impact a large number of organizations, and historically the chief victims of POS vendor breaches have been food service establishments. Last year, a pattern of credit card fraud at hundreds of Jimmy Johns sandwich shops across the country was traced back to security weaknesses that fraudsters were exploiting in point-of-sale systems produced by POS vendor Signature Systems Inc. Signature later disclosed that the breach also impacted at least 100 other independent restaurants that use its products.

Earlier this year, Denver-based point-of-sale vendor Advanced Restaurant Management Applications (ARMA) disclosed that malware attacks on its POS devices exposed credit and debit cards for a number of its clients’ customers in Colorado, many of them restaurants.

Another point-of-sale vendor breach uncovered last year by KrebsOnSecurity — that of C&K Systems — lasted 18 months and resulted in card fraud for customers of some 330 Goodwill locations nationwide.

It’s unclear what’s behind the NEXTEP breach, but if previous such breaches are any indicator the incident may have involved stolen credentials used to remotely administer affected point-of-sale systems. In June 2014, POS vendor Information Systems & Supplies Inc. notified (PDF) customers that a breach of its Log-Me-In account exposed credit card data of stores that used its systems for nearly two months last year.

With remote access to point-of-sale devices, crooks can then upload card-stealing malicious software to the POS terminals. The stolen card data is quite valuable — typically selling for anywhere from $20 to $100 per card on underground cybercrime stores. Crooks can encode the stolen card data onto anything with a magnetic stripe and use the counterfeit cards to buy high-dollar merchandise at big box stores.

It seems quite likely that we’ll hear about additional breaches at POS vendors in the weeks ahead. KrebsOnSecurity is currently in the process of tracking down the common thread behind what appear to be breached POS vendors tied to three different major cities around the country.


30 thoughts on “Point-of-Sale Vendor NEXTEP Probes Breach

  1. kia

    The use of tokenize and disposal credit cards needs to be accelerated.
    There will always be malware and vulnerabilities, but at least the risk can be reduced by some levels.

    I’m not promoting any vendor. It’s just a better option

  2. petepall

    “…working around the clock…” That’s a new one to add to the litany of those organizations caught with their security pants down (so to speak).

    1. Old School

      Or maybe “…working around the clock…” signifies a new generation of corporate boilerplate. If so, I hope that it replaces “we take security very seriously”.

  3. Donald J Trump

    The credit card industy real need to start implementing chip and pin cards across the United States at a much faster rate.

  4. bill

    My opinion is it’s safe to assume every non EMV card system is breached. Whether they get to your card data and use it is luck of the draw. Not if but when.
    The fact the CC Companies haven’t greatly accelerated deployment of EMV cards and POS hardware shows the the profit must still be great enough over losses, since that is what drives all CC companies anyway.

    An while EMV may not be the end all answer, the fact that the credit card companies are going to switch liability responsibility to the “least compliant” company in the fraud transaction on OCT 1, should help people wake up and upgrade

  5. Marty Acks

    While EMV solves a class of problems, it seems that the new generation of card readers that encrypt card data at the head and keep it encrypted until it gets to the payment gateway or processor significantly increase credit card security. In this case, at most, you only see the last 4 digits or a token that can not be decrypted from the merchant system. These will make both EMV and mag stripe transaction more secure.

  6. jim

    I think for all the brainpower here, the shotgun missed the target. Please re read the article, the problem is from the program/vendor, not the other side, the card or the chip and pin.
    Its sounds as if the implementation of chipb and pin would have delayed the break in for days of computing time, but would have transmitted the data to the bad guy anyhow, and the bad guys could still have used the chip and pin at major retailers by just playing fed-ex or whoever else would do third party package delivery. So some part of their sscan program is compromised?
    Could there be no firewalls? Even the xp ver 1 has firewalls! Yeh, you have to implement them, maybe a comprised firewall?

    1. BrianKrebs Post author

      Jim’s right. EMV would not have stopped the thieves from stealing card data in this breach. If the crooks can remote-access into the point-of-sale machine over the internet, there is little to stop them from stealing the card data. Granted, if they were chip-only transactions going through the point-of-sale, that would make the stolen card data good only for online transactions. But the crooks would still be able to steal the card data.

  7. Coop

    LoL.. “Working Round the Clock..” Sort of like the cops in “The Big Lebowski” when they were looking for who stole the “DUDE’S” car… POS Providers need to take on some of this responsibility and stop dumping it all on the merchants..

  8. Mike

    I wonder what would have happened if I had visited Zoup a month ago questioning this system? They would have looked at me like I was a conspiracy theorist kook.

    Meanwhile, at The Outback Steakhouse, every table gets a tablet for orders and payments. Not only making the staff lazy but setting up customers for the very same problems Zoup is now dealing with. This isn’t innovation or being modern, hip, or 21st century……this is current events and lessons not learned.

    1. Rick Blaine

      What? No waiter. No tips? No small talk and fake interest in me as a customer? Thanks Outback. BTW, I am becoming a cash customer every day I read this site!

      1. GG

        Cash doesn’t give 2% back or come with fraud protection though.

        1. Rick Blaine

          I agree, the 2% or even 5% solution bait is hard to pass up, but push come to shove, I intend to shove back with green lettuce. Hack that! 🙂

  9. TDJ_UK

    EMV prevents cards being created from the transaction data and used in POS terminals for either online or offline transactions because of the card authentication (CAM) processing. EMV doesn’t prevent card not present (CNP) transactions. CVV2 and 3-D Secure are designed to counteract CNP fraud.

  10. jim

    Agreed it delays the problem, makes you think you are safer. But, check with any foreign friend, and see if the fed-ex, or the local delivery services have stopped cod deliveries, or have they stopped selling prepaid cards on amazon, or in turkey? Bet not. Its still a big business. Are you using a unnetworked computer, weak then a cell phone, one of the best fastest devices on the market? You now have a massive powerful device that filled a room in the 90’s. Same with the bad guys. And they play more then doom 95 on them. Who knows what program they use? Or how that program has been optimized, even the government won’t say what they are using or doing, and they are supposed to be the good guys. An old maxim has that you are only as secure as the bad guy thinks you are. So are you?
    Now, remember you college days, that’s when according to educational standards you were the best and brightest, did you learn anything between then and now, those profs were smart then, would they be considered the leaders now? That’s the kids you are setting up now, to be the department leaders, or is it the MBA in business who the department leader, who is friends with the CEO who won’t listen, yadda yadda, stop the unions , second adment. Yadda.

  11. Rick Blaine

    Must I comment that cash is KING again? I use credit cards all the time and like their convenience, but even with rewards….. its just not worth it.

    Brian Krebs: Is it silly to go back to cash right now or just use credit for purchases over say, $10 ?

    1. timeless

      Carrying around cash is asking to lose cash, with no possibility of recovery. Plus, you lose any rewards, and it won’t help you build credit (essential if you plan to buy a property).

      As long as you have two credit cards, one for general use and one for use while you wait to receive the replacement for the first one, you should be ok.

      If you can get a card which offers virtual card numbers, I’d encourage you to use it for online only (never the real card, just the virtual numbers), and then use another for in person.

      Something to consider:
      Google Wallet’s tap system apparently doesn’t give out your credit card number, so for tap, that’s a possibility.

      I haven’t investigated it yet…

      1. Rick Blaine

        I understand the positives of a card.
        Simply pay off your debts in cash and you will establish good credit. My parents never had a credit card and did just fine. (they never rented a car however 🙂

        Also, no one lost their identity as far as I know with cash. Maybe with a check, but not with cash.

        Thanks for the reply though and I hear you.

  12. Povl H. Pedersen

    USA is hackable because they have the worst systems in the world. Why still use magstripe ? In Europe it is a fallback only.
    We use chip&pin, P2PE certfified or P2PE like systems. No way the store can get any access to cardholder data apart from the 6+4. The first 6 needed to do bin-table lookup to decide on charges.

    The PoS is just a client to the P2PE certified payment terminal, which is typically just an embedded Linux talking directly to the clearing house, not listening to any ports. You can send command to it to force it to check the admin server (often at clearing house) for updates to firmware or config.

    But the USA is just so slow to catch up on the technology front, which is why the US is responsible for 80-90% of all credit card breaches.

    1. Rick Blaine

      I agree! Not only that, but even some gas (petrol) stations have stopped using cash for payment. Can you imagine? A merchant that refuses cash?

      But perhaps understandable if robbery is to be avoided. How ironic though that cash is NOT accepted. I carry a card just in case for these rare occasions of lunacy.

      1. William

        No cash means nothing for robbers to steal from the gas station.

  13. Ed

    Its seems apparent what the vulnerability is and if it is what I think it is then almost all POS devices are vulnerable, including those in Europe. POS devices must not accept or use data associated with an account at a financial institution. Tokens work only so well. Use of Derived Unique Key per Transaction (DUKPT) on the token from a tamper resistant hardware device with the use of a PIN likely will put this form of attack (if it was I think it is) out to pasture for good. However the move to EMV may well increase this type of attack. This type of attack looks like a cockroach in that if you see it in one device then there has to a lot more out there.

  14. Toke

    As Brian highlights; “If the crooks can remote-access into the point-of-sale machine over the internet, there is little to stop them from stealing the card data”.

    Why not address the fundamental issue of making remote access and support software part of the security strategy? Verizon Risk Report stated that remote access was the vector used in 88% of all data breaches in 2013.
    You don’t need to close the door – but make sure it has the appropriate locks.

    I would argue that something as simple as enforcing two-factor authentication in their remote support solution would have potentially eliminated the breach.

  15. Simple

    Folks: The point of this article was not that pin pads can or haven’t been breached but who is or was doing this… I work for a POS vendor and we install small to large chain grocery stores and this is not rocket science. Technology on all parts of the POS help resolve this issue:
    1-Antivirus on the POS terminal – remotely monitored by POS Vendor
    2-Wirewall setup correctly on POS terminal
    3-PCI compatible POS application
    4-Hardware Firewall appliance used for security
    5-Common sense training to Cashiers
    6-Best Practices for handling CC and CC data

    If you can’t get to it (pin pad) you can’t steal it (credit card data), and yes it cost money to put these things in place but not a arm and leg – work with a reputable POS Vendor and you troubles will be minuscule.

  16. Banker

    I understand that Zoup has been the only known merchant that has been effected by this breach. Is there a list of merchants that use Nextep. Any information to help mitigate risk and loss is appreciated!

  17. Unbelieveable

    Nextep is now “breaching” other organizations by pushing software without getting permission to its clients!

    If you are a Nextep client check your systems for FireAMP being installed.

  18. Dan Tses

    Well, I am not surprised with that fact – actually electronic system is not stable and secure – maybe with time they will improve it, for example is constantly developing their security

  19. Dannie

    “It’s unclear what’s behind the NEXTEP breach, but if previous such breaches are any indicator the incident may have involved stolen credentials used to remotely administer affected point-of-sale systems.” Any updates on what POS malware was used?

Comments are closed.