08
Jul 17

Self-Service Food Kiosk Vendor Avanti Hacked

Avanti Markets, a company whose self-service payment kiosks sit beside shelves of snacks and drinks in thousands of corporate breakrooms across America, has suffered of breach of its internal networks in which hackers were able to push malicious software out to those payment devices, the company has acknowledged. The breach may have jeopardized customer credit card accounts as well as biometric data, Avanti warned.

According to Tukwila, Wash.-based Avanti’s marketing literature, some 1.6 million customers use the company’s break room self-checkout devices — which allow customers to pay for drinks, snacks and other food items with a credit card, fingerprint scan or cash.

An Avanti Markets kiosk. Image: Avanti

An Avanti Markets kiosk. Image: Avanti

Sometime in the last few hours, Avanti published a “notice of data breach” on its Web site.

“On July 4, 2017, we discovered a sophisticated malware attack which affected kiosks at some Avanti Markets. Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks. Because not all of our kiosks are configured or used the same way, personal information on some kiosks may have been adversely affected, while other kiosks may not have been affected.”

Avanti said it appears the malware was designed to gather certain payment card information including the cardholder’s first and last name, credit/debit card number and expiration date.

Breaches at point-of-sale vendors have become almost regular occurrences over the past few years, but this breach is especially notable as it may also have jeopardized customer biometric data. That’s because the newer Avanti kiosk systems allow users to pay using a scan of their fingerprint.

“In addition, users of the Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality,” the company warned.

On Thursday, KrebsOnSecurity learned from a source at a law firm that the food vending machine in its employee lunchroom was no longer able to accept credit cards. The source said his firm’s information technology personnel told him the credit card functionality had been temporarily disabled because of a breach at Avanti.

Another source told this author that Avanti’s corporate network had been breached, and that Avanti had made the decision to turn off all self-checkouts for now — although the source said customers could still use cash at the machines.

“I was told that about half of the self-checkouts do not have P2Pe,” the source said, on condition of anonymity. P2Pe is short for “point-to-point encryption,” and it’s a technological solution that encrypts sensitive data such as credit card information at every point in the card transaction. In theory, P2Pe should to be able to protect card data even if there is malicious software resident on the device or network in question.

Avanti said in its notice that it had shut down payment processing at some locations, and that the company was working with its operators to purge infected systems of any malware from the attack and to take steps to “substantially minimize the risk of a data compromise in the future.”

THE MALWARE

On Friday evening, security firm RiskAnalytics published a blog post that detailed an experience from a customer who shared a remarkably similar experience to the one referenced by the anonymous law firm source above.

RiskAnalytics’s Noah Dunker wrote that the company’s technology on July 4 flagged suspicious behavior by a break room vending kiosk. Further inspection of the device and communications traffic emanating from it revealed it was infected with a family of point-of-sale malware known as PoSeidon (a.k.a. “FindPOS”) that siphons credit card data from point-of-sale devices.

“In our analysis of the incident, it seems most likely that the larger vendor was compromised, and some or all of the kiosks maintained by local vendors were impacted,” Dunker wrote. “We’ve been able to identify at least two smaller vendors with local operations that have been impacted in two different cities though we are not naming any impacted vendors yet, as we’ve been unable to contact them directly.”

KrebsOnSecurity reached out to RiskAnalytics to see if the vendor of the snack machine used by the victim organization he wrote about also was Avanti. Dunker confirmed that the kiosk vendor that was the subject of his post was indeed Avanti.

Dunker noted that much like point-of-sale devices at many restaurant chains, these snack machines usually are installed and managed by third-party technology companies, adding another layer of complexity to the challenge of securing these devices from hackers.

Dunker said RiskAnalytics first noticed something wasn’t right with its client’s break room snack machine after it began sending data out of the client’s network using an SSL encryption certificate that has long been associated with cybercrime activity — including ransomware activity dating back to 2015.

“This is a textbook example of an ‘Internet of Things’ (IoT) threat: A network-connected device, controlled and maintained by a third party, which cannot be easily patched, audited, or controlled by your own IT staff,” Dunker wrote.

ANALYSIS

Credit card machines and point-of-sale devices are favorite targets of malicious hackers, mainly because the data stolen from those systems is very easy to monetize. However, the point-of-sale industry has a fairly atrocious record of building insecure products and trying to tack on security only after the products have already gone to market. Given this history, it’s remarkable that some of these same vendors are now encouraging customers to entrust them with biometric data.

Credit cards can be re-issued, but biometric identifiers are for life. Companies that choose to embed biometric capabilities in their products should be held to a far higher security standard than those used to protect card data.

For starters, any device that requests, stores or transmits biometric data should at a minimum ensure that the data remains strongly encrypted both at rest and in transit. Judging by Avanti’s warning that some customer biometric data may have been compromised in this breach, it seems this may not have been the case for at least a subset of their products.

I would like see some industry acknowledgement of this before we start to see more stand-alone payment applications entice users to supply biometric data, but I share Dunker’s fear that we may soon see biometric components added to a whole host of Internet-connected (IoT) devices that simply were not designed with security in mind.

Also, breaches like this illustrate why it’s critically important for organizations to segment their internal networks, and to keep payment systems completely isolated from the rest of the network. However, neither of the victim organizations referenced above appear to have taken this important precaution.

To illustrate this concept a bit further, it may well be that the criminal masterminds behind this attack could have made far more money had they used the remote access they apparently had to these Avanti devices to push ransomware out to Microsoft Windows computers residing on the same internal network as the payment kiosks.

Tags: , , , ,

62 comments

  1. Did this just capture card/bio data from usage or did it also get bio data that was stored? We have this at work but I haven’t used it in nearly a year with my finger print and never my credit card.

    • Davidc,

      There is no evidence any biometric data was compromised. Historically BackOff/PoSeidon is RAM scrapping malware. It scanners the memory of running processes looking for credit card track data (stuff read off your mag stripe). It also includes a key logger.

      This is consistent with the version reported in this incident.

      It’s unlikely, yet possible, that other data could be stolen. That is not the motivation or MO of the actors using this malware though.

      • Sorry double post. I failed to reference the part of the article that says there is no evidence of biometric data being stolen.they just state it “may” be at risk because the data is on the machine that was infected.

        We have to wait to learn if it was stolen as well. If so that will be an interesting development.

        • ok cool. Thanks SC for your reply to my question.

          • The “notice of data breach” linked at the top of the article leads to a FAQ (Frequently Asked Questions) page which has been updated to read:

            “Was biometric data compromised?

            No. In an abundance of caution, our original notice advised customers who used their Market Card and the kiosk’s biometric verification functionality may have had their biometric data compromised. We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.”

  2. Never give your biometric data unless you absolutely have to – and making payments for snacks doesn’t qualify. Once that data is stolen there is no going back and changing it like a password or credit card.

    • A thousand times yes. I avoid biometric like the plague. You have no idea whether they are securing it correctly, whether they are storing the results of the biometric hashing algorithm or actually keeping copies of the raw scan and, as Canuck said, no changing your fingerprint or retina if that is compromised. I don’t know why I would trust these companies to implement and secure biometric data properly when they can’t implement and secure simple password hashes and secure card data. It only takes one screw up for something to leak.

  3. In almost every single one of these type of incidents (which only seem to happen in the US, I might add) the merchant has been using POS application software running on Windows to process payment card data captured using generic magstripe readers. Why is this allowed? It seems to be the norm in the rest of the world that card-present transactions are processed using dedicated payment terminals supplied by the bank or processor. Is there not a point where American banks and processors will stop allowing merchants to process card payments using their own software?

    • @Spoons, I don’t know where you’re referring to by “the rest of the world,” but Square provides a card reader that connects to most tablets (Android, iOS, and I think Winders?). It’s available in Canada, the UK, and Japan.

      • Square is a bit of an exception since it runs on iOS/Android where applications are subject to far stronger isolation than on Windows.

      • You’re wrong. Most of the rest of the world use third party payment processing devices, just like the USA. I’m not sure where your information comes from, but it’s severely flawed.

    • Those card devices in other countries connect to a back of house machine. Often those machines are windows. I think the bigger issue is slow adoption of p2pe or Emv.

    • Basically, the PIN code is a lot more protected than the card number (and the rest of track 2 data, i.e. CVV (not the same as CVV2) and expiration date).

      The PIN code is encrypted straight in the tamper-protected PIN pad with a key belonging to the card processor (it’s a bit more to it than that, but this is the basic principle). The equipment at the merchant and the other links in the chain are never allowed to see it.
      The card number / track 2 data are a lot less protected. In some older setups it’s even sent unencrypted on the wire. You just aren’t allowed to save it.

      Even when you have a proper standalone reader, chances are the card number goes through the POS system. This is where the POS malware comes in and picks it up in transit.

      This is how it works at most big shops with their own processing systems regardless of whether you’re in the US or Europé.

      Card security is generally worse in the US, but this particular “hole” happens to be exactly the same.

  4. That’s okay, if your card data gets stolen they can just issue a new card. And new biometric data…wait a minute.

  5. IRS iTunes Card

    Will the P.O.S. breaches ever end?

  6. Good morning Brian. It’s A..M in Colorado.

    Well, there will be breaches , as any electronic device (if penetrable will be penetrated if available to an unknown number of persons that can and will break in, attempting to do so in constant a 24 hr. period.
    So, what about a block of data, that is sealed (imagine a block of something sitting in front of you, just so we can get an image to start this thinking process) and nothing can penetrate it, until the known entrance to this cube/box is activated to open the box for just milliseconds. This is to allow a flow in and out like the ocean’s tide. A truly secured
    This new process, has nothing to do with numbers. For security is not able to flourish when the oppressor/hacker/thief is using the same knowledge base to play on the World Wide Web…as the oppressed
    This new process can never be allowed to enter the Web with out an intrinsic, and conscious effort to figure out that it cannot be open source code non-sense. We the persons that want our business/data secured to be available to the buying public with out infestation. This system cannot be the same 30 yr. old system ( cesspool ) that the Intelligence Services and the thief/hackers/thugs-etc. have been wading in for that long…

    Much like Ham operators use the asteroid showers to bounce off data to the other side of the worlds.

    Thank s for your time.
    c/od

    • So… a black box running non-auditable code that relies on security through obscurity? You’re describing exactly the wrong thing. Why the hate for open source and the desire for a knowledge disparity? Relying on that for security breaks completely when that knowledge escapes, and it always does. It’s time to stop playing with ideals and start working with reality.

  7. I get it that a breach happened. I see a lot of cry about biometric data, though it is not desired but what good is a database of numbers good for anybody? It is not that a database of fingerprints is out–anybody who knows how a biometric system works should know this. Whatever the hackers stole hold no value according to me–definitely Avanti is in newspapers now for wrong reasons.

    • Just remember the biometric option uses just 1 finger, you still have nine others left 😉

  8. why are comments disappearing?

    • Comments go through some automated and occasionally manual moderation. Patience, comments are rarely rejected unless they’re really spam.

  9. I agree with Kabootar. What was stolen was most likely a hash of the biometric not images of the biometric itself.

    • If there is no need to have a fingerprint be recognized at all snack machines in a facility, each machine might store the biometric hash in a secure enclave, like the iPhone, thus there would be nothing to steal, not even a hash.

      (Wishful thinking, I know)

    • We don’t know that though. We have seen companies in the past promise secure passwords only to find out their idea of encryption was XOR. They can’t handle passwords correctly, why would I trust them to store only the hashes and do it properly? The push to biometric is far ahead of the ability of some of these companies to understand and implement technology correctly.

  10. no share button?

  11. More IoT fear mongering: –Because it’s just so realistic to expect every vendor to let your IT department audit, control, and patch the vendor’s devices.

    I bet not even Risk Analytics’ devices let their customers audit or patch them! “Don’t trust third party technology companies to manage anything important, except us, we’re ok”

    • I’m not sure how this is fear mongering. Regardless of whether your company IT takes care of security or the original company, the fact is these devices have almost none. That’s not fear mongering, that’s reality.

  12. Why are companies so reluctant to move to EMV cards all over America (Is it because of $ or simple ignorance)? which means having P2Pe all over so that customer data can be protected in this type of breaches?

    • I can assure at you 100% that any of the companies which are now part of the liability shift of October 2015 are either begging for EMV, or have a business that has a low risk threshold for chargebacks so they don’t care.

      The problem is that there is still a backlog for companies waiting to get certified for EMV. In some cases this can take over a year of just waiting. This is why you see those tabs, and stickers saying “Chip coming soon”. What you don’t see is the business is getting beat to high hell over head with chargebacks they now no longer have liability rights to. These chargebacks are mainly due to counterfeit fraud from criminals purchasing stolen numbers and creating a blank.

      If the transaction was chip, the safer way to transact…..then they would not be liable for any fraud. However, you will NEVER have a 100% Chip environment due to a variety of factors. Even places like Wal-Mart do not process 100% Chip.

      It would be great to have complete end to end encryption 100% of the time, but we’re a ways from it.

  13. Years ago when our company switched from old style machines to Avanti, they gave us ID cards with a $5 credit to entice us to use it. I completely stopped buying snacks, lunches, and drinks at work because they required a credit card number to activate the card.

    I don’t want any company databasing my purchase history, dates, times, and calories of food preferences.

    I have saved quite a bit of cash and some privacy by refusing to use the Avanti market. I am sure they think my employer lied about their snack sales because many of my coworkers also refused to trust them and started bringing in lunches or ordering delivery.

    • I just use quarters when I have them, otherwise, I don’t need a snack.

      (and yes I can”afford” snacks but choose not to swipe my card on an unattended machine…)

    • We have them also and we got UPC cards for transactions (only $2.00 credit) but a CC wasn’t required. I charge the Avanti UPC card with cash and draw off of it. Recently, the kiosk was updated with a fingerprint scanner but I won’t use it.

  14. The facilities team in our company used to come to IT for ‘network connections for the new vending machine’, along with a set of documents from the vendor that provided little information beyond the ports need to ‘whitelist on the firewall’.

    Recently introduced ‘honor system’ kiosks have a full camera system and DVR that the vendor requires direct connectivity to for auditing of purchase.

    We have flatly told facilities and these vendors that they will never connect to our network. Many have balked when we require them to provide their own connectivity — “All of our other customers let us on their networks”…. But if they want the business they inevitably find that their own IT department has a stand-alone 4G connection option, which they must eat the cost of.

  15. Its off topic but I have posting warnings on this forum about a scammer posing as a recruiter for a staffing company. He is spear phishing for his victims claiming to have specific jobs in his target’s geographic metro areas (that means he is finding their resumes on job boards).

    He send the targets emails from his own domains with links to his own web sites that look like staffing company sites. The scammer is even using US based hosting companies.

    he convinces people to participate in a phone interview and then says he needs their SSN and partial DOB to submit to the hiring client. With services like familytreenow.com he gets the missing information and then steals their identity. I created a Blogger site with an accompanying gMail account to warn others. For a while I stopped checking after it seemed like he stopped. I just check the accounts and he is active again. I have updated my site. Be warned. Even these low level scammers are getting sophisticated and are willing to invest nearly $4,000 to register domains and pay for hosting services.

    The blogger site I built with the full list of domains that I have traced to him is at the following. The blogger site has no advertising and I am not getting any financial payback. I think he used pre-paid credit cards to buy the domains for a year and the really old ones have expired on the list.
    https://fakestaffing.blogspot.com

    Please spread the warnings that these scammers are no longer relying on iAmaScammer@gmail.com. or iamascammer@hotmail.com or outlook.com. or the old obvious domains.

  16. Good joke:
    2 carders sit in the bar.
    first carder saing,to other carder
    u know i changed my orintation.
    second carder…asking what you mean??
    Are you gay ?? Other carder answer to him ,no i mean
    i changed from bank transfers to Pos lol.
    other carder saing im bi-sexual i do both jobs lol 😉

  17. Brian-

    The date on the article is wrong. It shows next Monday as the date.

  18. IoT?

    Not that I care to nitpick, but we have one of these where I am- and it has a regular old Dell running Win10 inside it- probably running PoS software.

    It’s uncomplicated, and therefore probably vulnerable as a consequence- but I’m not sure this ~quite~ qualifies as IoT.

  19. Brian, it seems to me there’s little doubt that your next book should be called “Suspicious Behavior by a Break Room Vending Kiosk.”

  20. Antoine Bajolet

    Like there in Europe, it’s up to Lawmakers to impose use cases and protection of biometric data – because of their non-repudiation characteristic.

    Practicaly, only some of certified FIPS-140-3 hardware device could capture and process biometric datas, with only a salt/hash of the biometric data as output, with salt unique to each physical device and as difficult as extract than a private key in a HSM.

    Any solution which transmits biometric data (even encrypted) is a deep mistake

  21. Can someone explain what some of the negative consequences of this attack are?

  22. What are some of the negative consequences of this attack?

  23. We have a kiosk at work, but my funds are loaded via their website, not by swiping my card at the terminal. Will this be affected too?

  24. With this new look (due to what I assume is in response to a ddos), at least I can make sense of the dates now!!!

    THIS IS A HUGE THING! It makes me freakin nuts the way it was being done.

  25. ᕕ(°▼°)ᕗ

    While the point of entry was not disclosed, its likely some old/weakly protected admin entry point or an old dev stack/dlls

    A possible solution to the continual attack on IOT, SoHo devices and network capable appliances in general, may lie in removal of the attack surface. We all know the easiest method is cracking the admin software, like the webgui (http), telnet, ssh, ftp, snmp and so forth.

    These things sit on these devices for years, rarely used, cept maybe during initial config. They are rarely part of the device’s update cycle. Vendors send out patches to make the product better but overlook the admin tools and the software stacks its made from. But web guis are a necessity these days, the average user just wants an easy way to config and forget.

    And with offboarding (toggle/switch based air gap) the admin tools and other rarely used features, would provide 100% protection, regardless of consumer IT skill, vendor lifespan and default pwds. Products retain their ease of use when needed and secure when not, no longer easy pickings for quick botnet takeovers. Who cares if my IOT runs 2002’s bug ridden firmware, the stuff rapid bots exploit is not even connected to the mainboard, cept during that 5/10/15 min period i need to cfg my device.

    I just want hit the toggle switch with a built-in 10 min timer, so i can configure my net-enabled printer/fridge, etc via the webgui, when done the switch breaks (fail to safe spring) the connection and now my IOT is secure. Well least from the low hanging fruit, i know theres tons more vectors to attack from. I offboarded my wifi router, all vendors admin tools are on external storage, which i put into a drawer 10ft away, with no issues. When i need to cfg it, i just reconnect the storage device and web in, cfg and yank the storage device, simple, fast and secure. Would be easy to relocate all my IOT vendor admin tools from the devices to my USB stick and have one item to configure them all. And for vendors to implement this would be trivial.

  26. “Credit cards can be re-issued, but biometric identifiers are for life. Companies that choose to embed biometric capabilities in their products should be held to a far higher security standard than those used to protect card data.”

    Like Krebs writes: Fingerprints, iris scans etc are biometric IDENTIFIERS. They can be used to IDENTIFY someone. They cannot be used to AUTHENTICATE anyone.

    Why does so many working in the payment/security businesses not get this simple fact?

    Recently I saw MasterCard attempting putting a fingerprint reader on a credit card. The journalist first put her thump on the fingerprint reader, after which she used the same thump to remove the card. Ie: Any thief would have both card and fingerprint. Can it get any easier?

  27. A lot excellent conversation about the security of the POS scanners and some about biometric. I have not noticed any discussion about how Avanti stored and protected any customer PII on their network. There might be more at risk here than just a couple of models of poorly secured POS devices and intercepted transaction traffic.

    • I have been screaming the same thing for a week now. We’re a 3rd party service supplier with two kiosks. I work on the vending side with portal access to the market sales data for ordering purposes. Three weeks ago, I started poking around the portal. Had major issues with a basic user list. I’m funny in that I like to keep those things tight. There were 2 duplicate users, and four Avanti employees. Made a call to find out how to fix the issue only to be told that I need to talk to our company sales rep. In my mind the Avanti people are getting ready to bug out.

      • Nice insight Rick. In one of the Avanti FAQs (there have been several and each a little different) it was stated that the transactions are not performed by Avanti but rather a “third party” which they never name. It was also stated the hack occurred through an employee workstation at this “third party”. If Avanti does not retain customer card and personal PII, it seems the “third party” needs to be brought into the conversation with specific details about their part in this whole affair and their forensics investigation to secure the same. Just thinking.

  28. Had a similar issue like this with Avanti last year and the customer service representatives didn’t want to say it was their machine at all that was taking my money from my account when I only bought something from that machine three times in a span of a year. Over that full year this machine or company took over $300 for my account. This has since been dealt with but coworkers at my place of business at the time didn’t want to believe me that it happened. I’m glad they finally figured this out. (On a side note this issue in my instance was in July of last year)

  29. Here at my work, we have a similar self-serve kiosk for snacks but made by different company. I’m sure it’s only a matter of time until it is compromised as well.

  30. We have an Avanti kiosk in our breakroom. Avanti or our local vendor had shut down the payment processing capability, presumably since ours was flagged as a compromised kiosk. Now they have replaced the credit card reader. They now say that it is ok to use. We are not putting in back into production until they can prove they’ve done some type of malware eradication from the machine. Unfortunately our local vendor doesn’t have the capabilities to do that, and Avanti isn’t helping them yet. Our local vendor seems to think that replacing the credit card reader with a p2pe devices is the final fix, and I’m not sure they understand malware could still be on the kiosk, even if it can’t steal the credit cards out of memory any more.