Malware attack against Avanti micro market kiosks pushes card reader retrofits
A data breach caused by a July 4 malware attack has pushed Avanti Markets, a provider of self-service breakroom kiosks, to retrofit most of its card readers with a more secure device. The company continues to investigate the cause of the attack, which targeted customers' personal information.
The only kiosks compromised were those that had not been retrofitted with a new payment device that better protects against cyber attacks, Laura Alikpala, the company's director of marketing, told Kiosk Marketplace. The company began retrofitting its kiosks three months ago with the Ingenico Group's iUC285 cashless device. The kiosks previously contained magstripe card readers, which were more vulnerable to malware.
"Not all of our operators completed their (retrofit) work," Alikpala said.
When the company discovered the malware attack on July 4, only about half of its 7,000 installed kiosks had been retrofitted with the new payment device. Since the attack, Alikpala estimated that between 85 percent and 90 percent of the kiosks now have the new reader.
New reader improves security
The Ingenico iUC285 device accepts all payment methods within a single module, including NFC/contactless, magstripe and EMV. The device is PCI PTS 4.x certified, a certification designed to meet the most stringent hardware and software security requirements.
"The exposure to the consumer data is fully encrypted as soon as they (the user) swipe the card," Alikpala said for the new cashless reader.
Rob Chilcoat, a specialist in the acceptance of unattended cashless payments, said the Ingenico iUC285 provides end-to-end encryption, which would protect against data breaches of this kind. Cardholder data is encrypted inside the payment terminal before it leaves the terminal, which renders this type of malware attack fruitless.
"It's my most popular product," Chilcoat, president of UCP Inc., said of the Ingenico iUC285. "I'm shipping more of those than anything else."
Company responds to malware attack
On July 4, Avanti Markets noticed anomalous network traffic at one of its kiosk locations.
"We were able to shut it down," Alikpala said. "We were able to identify those (kiosks) that we believe were affected by the malware." Once the systems were shut down, the company replaced the legacy card readers with the new ones.
The company presently has two external forensic teams investigating the cause of the recent attack.
"The most likely scenario is that their network was compromised by an attacker," said Noah Dunker, vice president of engineering at RiskAnalytics, a managed security provider that independently confirmed the Avanti Markets malware attack. Dunker said the attacker figured out how they could deploy malware to the kiosks.
RiskAnalytics discovered the breach at one of its customer locations that had an Avanti Markets kiosk plugged into its local area network.
"Our system alerted us to a machine on our customer's network," said Dunker. "The machine on our customer's network was using an SSL certificate that had been attributed to malware dating to 2015."
"Alert number two is that it had made check-ins to a different IP address very close to where that certificate came from that looked an awful lot like the FindPOS or PoSeidon point-of-sale malware," he said.
"When we saw that those two things were happening on the same machine, at almost the same time, we alerted the customer once we could get ahold of them on Wednesday morning that there was something on their network using point-of-sale malware," he said.
The customer unplugged the kiosk.
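The two-signal correlation Dunker describes (a machine using a certificate already attributed to malware, plus point-of-sale-malware-style check-ins to a nearby address at almost the same time) can be sketched as follows. This is an added example, not code from the article or from RiskAnalytics; the alert records, field names, 15-minute window and the /24 reading of "very close" are assumptions, and every address is a constructed documentation-range value.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample alerts, not real indicators (RFC 5737 destination addresses).
ALERTS = [
    {"time": "2024-01-10T09:12:05", "src": "10.20.0.45", "dst": "198.51.100.23", "kind": "bad_cert"},
    {"time": "2024-01-10T09:14:40", "src": "10.20.0.45", "dst": "198.51.100.57", "kind": "pos_beacon"},
    {"time": "2024-01-10T09:15:00", "src": "10.20.0.45", "dst": "192.0.2.8", "kind": "dns_anomaly"},
    {"time": "2024-01-10T09:30:00", "src": "10.20.0.12", "dst": "198.51.100.23", "kind": "bad_cert"},
    {"time": "2024-01-10T08:00:00", "src": "10.20.0.77", "dst": "203.0.113.9", "kind": "pos_beacon"},
    {"time": "2024-01-10T13:00:00", "src": "10.20.0.77", "dst": "203.0.113.40", "kind": "bad_cert"},
]

def same_block(a, b, prefix=24):
    """True when two IPv4 destinations fall in the same /prefix network."""
    return ip_address(b) in ip_network(f"{a}/{prefix}", strict=False)

def correlate(alerts, window=timedelta(minutes=15), prefix=24):
    """Pair a known-bad-certificate alert with a POS-style check-in alert
    raised for the same internal machine within `window` of each other."""
    by_host = defaultdict(lambda: {"bad_cert": [], "pos_beacon": []})
    for alert in alerts:
        if alert["kind"] in ("bad_cert", "pos_beacon"):
            by_host[alert["src"]][alert["kind"]].append(alert)

    findings = []
    for host, kinds in sorted(by_host.items()):
        for cert in kinds["bad_cert"]:
            for beacon in kinds["pos_beacon"]:
                gap = abs(datetime.fromisoformat(cert["time"])
                          - datetime.fromisoformat(beacon["time"]))
                if gap > window:
                    continue  # either signal alone, or hours apart, is weaker evidence
                findings.append({
                    "host": host,
                    "gap_seconds": int(gap.total_seconds()),
                    # check-in destination sits close to where the certificate was served
                    "nearby_infrastructure": same_block(cert["dst"], beacon["dst"], prefix),
                })
    return findings

if __name__ == "__main__":
    for finding in correlate(ALERTS):
        print(finding)
```

Only the machine that raised both alerts within the window is reported; the host with a lone certificate hit and the host whose two alerts are hours apart are left for lower-priority review.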
In talking to others in the security community, Dunker learned of a similar event at around the same time in another state.
"I confirmed with that entity that it was also a kiosk primarily serviced by Avanti," he said. "At that point, we knew there was some kind of an outbreak."
Operator took corrective action
One Avanti Markets kiosk operator, Coca Cola Bottling Co. of Yakima & Tri-Cities, was alerted shortly after the malware attack was discovered and was able to take corrective action.
"They (Avanti Markets) were able to identify the ones that had been breached and they took them off right away," said Jeff Hemp, on-premise manager for Coca Cola Bottling Co. of Yakima & Tri-Cities, which operates 63 Avanti Markets kiosks. The company's four affected kiosks were all at one account, Hemp said. Avanti Markets quickly provided retrofits for these four kiosks.
Because the company housing the four kiosks was closed at the time the breach was discovered, Avanti Markets does not believe any customer information was breached.
"As far as we know at this point there haven't been any issues," Hemp said.
After The Yakima Herald-Republic ran a story about the data breach a few days after it was discovered, Hemp's company received a lot of calls from customers anxious to know if their personal information had been compromised.
The company assured its customers their information was secure, Hemp said. It directed them to Avanti Markets' website, which has posted "Frequently Asked Questions" summarizing the steps the company was taking and advising customers whom to contact if they felt their personal information was stolen.
"I think they're doing a great job," Hemp said of Avanti Markets.
Operator raises concerns
Another Avanti Markets operator said he was concerned about the breach even though none of his kiosks were compromised. The operator, who did not want to be identified, said his competitors were using the news about the breach against him. At least 20 customers sent him copies of media reports about the breach and wanted to know what the company was doing about it.
"It just kind of casts a cloud on the industry," the operator said.
Despite his concerns, this operator also commended Avanti Markets for updating both operators and customers on what they were doing about the problem.
By responding to the data breach proactively, Avanti Markets protected its customer relationships. The event also drove the company to complete most of its card reader retrofits.
Elliot Maras is the editor of KioskMarketplace.com and FoodTruckOperator.com.