Kiosk Malware Avanti – PoS malware hits food kiosks, steals payment

By | July 10, 2017

 

PoS malware have recently been found in the payment kiosks by US-based vendor Avanti, stealing payment card and biometric information.

Source: www.helpnetsecurity.com

Avanti published an incident report

Krebs did a nice article on it as well.

WHAT HAPPENED?

The technology and back-end platform that we use to facilitate a 24-hour, self-service marketplace for customers is supported by our technical team and it is serviced and maintained by a network of operators around the country. We believe that sometime shortly before July 4, 2017, the workstation of one of the third party vendor’s employees became infected with a sophisticated and malicious malware attack, although our investigation has not enabled us to determine the precise nature of the attack. The malware wound up affecting some kiosks.  Within hours of learning of this incident on July 4, 2017, we worked with our vendor to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited further persistent activity by the malware.

WAS MY INFORMATION ACCESSED?

We are currently conducting an extensive IT forensic investigation to determine the extent of the attack, including which kiosks were affected. We have determined at this point that the attack was not successful on all kiosks and many kiosks have not been adversely affected. Additionally, based on our investigation at this time, it appears this malware was only active beginning on July 2, 2017.  Accordingly, if you did not utilize a kiosk between July 2, 2017 and July 4, 2017, you were likely not affected by this attack.

WHAT INFORMATION WAS COMPROMISED?

As you know, the kiosks do not collect certain data elements (such as Social Security Number, date of birth, or federal or state identification number) from customers.  Accordingly, those elements of personal information were not subject to compromise.

However, for customers that used a payment card to complete a purchase on an infected kiosk, the malware may have compromised cardholder first and last name, credit/debit card number and expiration date. In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality.  We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.

WAS BIOMETRIC DATA COMPROMISED?

No.  In an abundance of caution, our original notice advised customers who used their Market Card and the kiosk’s biometric verification functionality may have had their biometric data compromised.   We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.

DID THIS ATTACK AFFECT ALL KIOSKS? 

No. In May 2017, we began working with our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks. The payment card information on these kiosks was not affected.  At this stage, we have determined the attack was not successful on all kiosks and many kiosks have not been adversely affected at all.  We believe approximately 1,900 kiosks have been affected, a fraction of the total kiosks in use.  

HOW DO I KNOW IF THE KIOSK AT MY LOCATION OR THE KIOSK I REGULARLY USE WAS AFFECTED?

As part of our remediation efforts, we have shut down payment card processing at affected kiosk locations.  If your kiosk’s payment card processing has been disabled or “temporarily unavailable” it is likely that your kiosk was affected by this attack. Please note that even if you used an affected kiosk, that does not mean that your personal information was compromised or infiltrated.

WHAT IS BEING DONE TO PROTECT ME?  

We have been working nonstop to address this incident, remediate the attack and mitigate harm.  Immediately upon discovering that our third party vendor was the victim of a malware attack, we worked with our technical team to commence an investigation to determine the scope of this incident and attempt to identify those affected, which included retaining a nationally recognized forensic investigation firm.  We worked with our assembled internal response team and took steps to secure our information systems, including shutting down payment card processing at kiosk locations we believe have been affected.  Within hours of learning of this incident, we worked with our technical team to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited any further improper access.  We also are continuing to work with our technical team and our operators to purge affected systems of any malware from the attack and taking steps to substantially minimize the risk of a data compromise in the future.

Within only a few days after our discovering the incident, we published detailed information to help affected individuals learn about steps they could take to safeguard their personal information and protect against identity theft. We also developed these FAQs to provide additional information and assist you with gathering information about the incident as well as additional steps you can take to protect yourself.   Finally, we have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit WatchTM Silver identity theft protection product for one year at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here. You must complete the enrollment process by October 9, 2017. We encourage you to enroll in that service.

WHO IS RESPONSIBLE FOR THIS ATTACK?

We are working with our IT forensic investigators and law enforcement in an effort to determine those responsible.  At this time, the responsible party or parties have not been identified.

I AM UPSET MY INFORMATION MAY BE SUBJECT TO THIS ATTACK.

We understand.  We apologize for any inconvenience this incident may cause you and assure you were are doing everything we can to help.  We have been working nonstop to address this incident, remediate the attack and mitigate harm.  Immediately upon discovering that our third party vendor was the victim of a malware attack, we commenced an investigation to determine the scope of this incident and attempt to identify those affected, which included retaining a nationally recognized forensic investigation firm.  We worked with our assembled internal response team and took steps to secure our information systems, including shutting down payment card processing at kiosk locations we believe have been affected.  We also are working with our technical team and our operators to purge affected systems of any malware from the attack and taking steps to substantially minimize the risk of a data compromise in the future.

Within only a few days after our discovering the incident, we published detailed information to help affected individuals learn about steps they could take to safeguard their personal information and protect against identity theft. We also developed these FAQs to provide additional information and assist you with gathering information about the incident as well as additional steps you can take to protect yourself. Finally, we have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit WatchTM Silver identity theft protection product for one year at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here. You must complete the enrollment process by October 9, 2017. We encourage you to enroll in that service.

ARE THE PEOPLE WHOSE DATA MAY HAVE BEEN COMPROMISED AT RISK FOR IDENTITY THEFT?

Any person who has personal information compromised does have an increased risk of identity theft.  We are taking a number of steps to help you minimize the chance of identity theft. This includes enrolling in the credit monitoring service as described above.

HOW MANY INDIVIDUALS WERE AFFECTED BY THE DATA INCIDENT?

This incident affected a limited number of kiosks and as such did not affect all customers.  We are working with our IT forensic investigators to determine those who have been affected. At this time, the total number of affected individuals has not been determined.

SHOULD I BE CALLING MY BANK AND CLOSING MY ACCOUNT? SHOULD I BE CANCELING MY CREDIT CARDS?

Of course, you can take these steps if you feel more comfortable.  But, you do not have to close your bank and credit card accounts. Be sure, though, to monitor your bank and credit card statements for accuracy. If you notice any suspicious activity or you believe your information is being misused, please file a report with your local police department and the Federal Trade Commission. You can also enroll in the credit monitoring service as described above.

IS MY SPOUSE/DEPENDENT AFFECTED? 

We have no information at this point to suggest that the information of your spouse/child/dependent has been affected by this incident.   Please note if they also utilized a payment card at a kiosk between July 2, 2017 and July 4, 2017 they also likely were affected by this incident.

WHEN DID THIS EVENT OCCUR?

We discovered the incident on July 4, 2017.  At this stage of our investigation, it appears the malicious malware attack began on July 2, 2017.

WHY DIDN’T YOU TELL ME SOONER?

We believe we acted very quickly to make information available to you following our discovery on July 4, 2017. Our initial website posting was published three (3) days later. These comprehensive FAQs were added a few days after that. However, we have been conducting an extensive internal investigation to understand what happened and what information may have been compromised. This includes coordinating with our technical team, as well our operators. In addition, we needed to retain an IT forensic investigation expert and prepare a process for responding to your follow-up inquiries.

WHAT CAN I DO ON MY OWN TO ADDRESS THIS SITUATION?

There are a number of steps you can take, many of which were detailed in the Customer Notification These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

I RECEIVED AN EMAIL FROM AVANTI REGARDING THIS INCIDENT.  IS THIS LEGITIMATE?

In limited instances, we will endeavor to provide notification to potentially affected individuals via email (if we have a valid email address), as well as responding to emails you may have initiated with us.  However, you should be aware of scam email campaigns related to this incident.  These scams, designed to capture personal information (known as “phishing”) are designed to appear as if they are from Avanti and the emails may include a “click here” link or ask you to “open” an attachment.  These emails are NOT from us.

  • DO NOT click on any links in email.
  • DO NOT reply to the email or reach out to the senders in any way.
  • DO NOT supply any information on the website that may open, If you have clicked on a link in email.
  • DO NOT open any attachments that arrive with email.

Individuals who have provided e-mails to us may receive an e-mail directing them to visit our website for additional information and/or to sign up for credit monitoring.  Any such email will not include attachments, embedded links, or in any way ask for personal information.

I RECEIVED A CALL FROM AVANTI REGARDING THIS INCIDENT AND ASKING FOR MY INFORMATION.  IS THIS LEGITIMATE?

No.  We are NOT calling individuals regarding this incident and are not asking for any of your personal information over the phone.

ORGANIZATION RELATED

HOW CAN I BE SURE THAT MY PERSONAL DATA WON’T BE SUBJECT TO ATTACK AGAIN IN THE FUTURE?

We are doing everything we can to ensure there is no further vulnerability to the kiosks.  In May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks.

We presently are working with a nationally recognized IT forensic investigation firm to investigate this attack and identify additional safeguards which may be utilized to secure data.  We comply with federal and state privacy laws and work hard to maintain your personal data in a safe and secure environment. This includes redoubling our efforts to expedite the rollout of our end-to-end encryption solution to all kiosks. Additionally, within hours of learning of this incident, we worked with our technical team to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited any further improper access. We also have been updating all Antivirus Protocols and SW patching, and are continually scanning sample kiosks across the network for anomalies with no positive response.  We take data privacy and security very seriously and are continuing to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.  However, no set of safeguards is perfect or impenetrable. 

WHY DO KIOSKS HAVE MY INFORMATION?

It is necessary for the kiosks to have certain data from customers as part of the point of sale process. However, we continually work to minimize, to the extent possible, the amount of personal information that needs to be collected and maintained. For instance, in May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks. This solution would eliminate the storage of payment card data on the kiosks

I AM CONCERNED ABOUT IDENTITY THEFT – WHAT CAN I DO?

There are a variety of steps you can take, many of which are detailed in the Customer Notification and in the FAQs below.  These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

IS AVANTI DOING ANYTHING TO HELP ME?

Avanti has endeavored to provide notice of this attack as soon as possible.  In addition, we

  • are making available to you at no cost a credit monitoring service which is described above in the FAQs below.
  • have taken steps to ensure that our electronic systems continue to be secure,
  • have notified various third party consultants, IT forensic investigators, and legal counsel to mitigate any possible harm to the extent reasonably possible,
  • have notified applicable law enforcement agencies,
  • will continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring, including redoubling our efforts to ensure our third party service providers maintain adequate data security.

WAS MY HOME ADDRESS INCLUDED WITH THE INFORMATION AND AM I IN ANY DANGER OF BEING ROBBED?

Your home address information was not included. For perspective, your address is likely available through many other sources of public records and is not generally considered sensitive personal information by itself.

IF MY IDENTITY IS STOLEN, OR IF I AM SUBJECT TO AN INCIDENT OF PAYMENT CARD FRAUD, WILL YOU NOTIFY ME WHEN IT HAPPENS?

By checking your credit report and ensuring you have placed a fraud alert to the three major credit bureaus you are taking the steps to limit your risk of becoming a victim of identity theft.  By being proactive with receiving timely credit reports, monitoring your bank and credit card statements, you will be able to notice any inaccuracies as they occur.  In addition, the credit monitoring service we will be making available is designed to alert you to irregularities concerning your credit. We will not have access to this information.

IDENTITY THEFT-GENERAL

WHAT IS IDENTITY THEFT?

Identity theft is the taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from existing accounts, apply for loans, rent an apartment, file bankruptcy or obtain medical services.  Often the victim does not become aware of the crime until months or years after the theft occurs.

WHAT DO I DO NOW? WHAT CAN I DO TO PROTECT MYSELF? HOW DO I FILE A FRAUD ALERT AND GET A COPY OF MY CREDIT REPORT? WHAT ABOUT A SECURITY FREEZE?

There are some simple steps you can take to protect yourself against identity theft or other fraudulent misuses of information about you. Notably, watch for any unusual activity on your credit card accounts or suspicious items on your bills. You may wish to contact your credit card issuers and inform them of what has taken place. You may also wish to do the following:

  • Enroll in the credit monitoring service we are making available to you at no cost.
  • Under federal law, you are entitled to one free copy every 12 months of your credit report from each of the three major credit reporting companies. You may obtain a free copy of your credit report by going on the Internet to AnnualCreditReport.com or by calling 1-877-FACTACT (1-877-322-8228). If you would rather write, a request form is available on www.AnnualCreditReport.com. You may want to obtain copies of your credit reports to ensure the accuracy of the report information.
  • When you receive your credit reports, look them over carefully. Look for accounts that you did not open or inquiries from creditors that you did not initiate. Look for personal information that is not accurate. Even if you do not find suspicious activity on your initial credit reports, it is recommended that you check your credit reports every three months for the next year. Checking your reports periodically can help you spot problems and address them.
  • To further protect yourself, you may contact the fraud departments of the three major credit reporting companies. They will discuss your options with you. You have the right to ask that these companies place ”fraud alerts” in your file. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit reporting companies. As soon as that company processes your fraud alert, it will notify the other two credit reporting companies, which must then also place fraud alerts in your file. Contact information for the three major credit reporting companies is provided in the Customer Notification. 
  • Remove your name from mailing lists of pre-approved offers of credit for approximately six months by visiting www.optoutprescreen.com.;
  • Review all of your bank account statements frequently for checks, purchases or deductions not made by you;
  • If you suspect or know that you are the victim of identity theft, you should contact local police and you also can report this to the Fraud Department of the FTC;
  • To place a security freeze on your credit report, you will need to call all three credit bureaus (information listed below). Charges to place and/or remove a security freeze vary by state and credit agency.  To place a security freeze, contact:
  • Equifax 1-800-685-1111

https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

  • Experian 1-888-397-3742

http://www.experian.com/consumer/security_freeze.html

  • TransUnion 1-800-680-7289

http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

WHAT SHOULD I DO IF I NOTICE ANY SUSPICIOUS ACTIVITY ON MY CREDIT REPORT OR MY BANK/CREDIT CARD STATEMENTS?

There are a few steps you must take. Call one of the 3 credit bureaus to:

  • Declare yourself an identity theft victim
  • Request a free credit report
  • Ask that a fraud alert be placed on your credit file
  • And, ask that bureau to contact the remaining 2 credit bureaus to request fraud alerts on your file.
  • Contact for the three major credit reporting companies is provided in the Customer Notification. 

While you may experience wait times of similar difficulties when contacting the credit bureaus, be persistent and begin monitoring your financial statements and contacting the institutions with suspected fraudulent activities.  You may want to visit each of the credit bureau’s websites to place fraud alerts on your accounts, but we recommend calling the toll-free number.

Second, filing a complaint with the police is required by many institutions to prove that your identity was stolen.  After filing the complaint, you should ask for a copy of the police report because you will need to attach this report to all written correspondence sent in your effort to resolve any fraudulent activities. Be polite, but persistent with the police because in many areas they are understaffed to deal efficiently with your identity theft.

WHAT SHOULD I DO IF THE LOCAL POLICE WILL NOT TAKE A REPORT FROM ME?

There are efforts at the federal, state and local level to ensure that local law enforcement agencies understand identity theft, its impact on victims, and the importance of taking a police report. However, we still hear that some departments are not taking reports. The following tips may help you to get a report if you’re having difficulties:

  • Furnish as much documentation as you can to prove your case. Debt collection
    letters, credit reports, and other evidence of fraudulent activity can help demonstrate the seriousness of your case.
  • Be persistent if local authorities tell you that they can’t take a report. Stress the
    importance of a police report; many creditors require one to resolve your dispute.
    Remind them that credit bureaus will automatically block the fraudulent accounts
    and bad debts from appearing on your credit report, but only if you can give them
    a copy of the police report.
  • If you’re told that identity theft is not a crime under your state law, ask to file a
    Miscellaneous Incident Report instead.
  • If you can’t get the local police to take a report, try your county police. If that
    doesn’t work, try your state police.
  • Some states require the police to take reports for identity theft. Check with the
    office of your State Attorney General to find out if your state has this law.LINK TO ALL STATE ATTORNEY GENERAL OFFICES:

http://www.privacycouncil.com/id_theft_resources.php

WHAT ARE TYPICAL THINGS THAT AN IDENTITY THIEF WOULD DO?

Identity thieves have been known to take a victim’s identity to obtain credit, credit cards from banks and retailers, steal money from existing accounts, apply for loans, rent an apartment, file bankruptcy or obtain medical services.

WHAT IS A FRAUD ALERT AND HOW LONG DOES IT LAST?

A Fraud Alert is a flag that the credit reporting agencies put in your file to instruct creditors to take extra precautions, such as additional verification of your identity when opening accounts or issuing credit.  An initial fraud alert lasts 90 days.   An extended alert lasts for 7 years.

 WHY SHOULD I SET A FRAUD ALERT WITH THE CREDIT BUREAUS?

This will prevent someone from opening new accounts in your name. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts as well. All three bureaus will place a message on your report that tells creditors to call you before opening any new accounts.

You will not be charged for this service. Please note, placing a fraud alert may delay your ability to open new lines of credit quickly. You should notify any new creditors with whom you have applied that you have a fraud alert placed.

WHEN A FRAUD ALERT HAS BEEN SET, WILL IT TRIGGER AN AUTOMATIC MAILING OF A CREDIT REPORT?

It is recommended that you request your free credit reports before setting a fraud alert.  If you do not, about one week after setting the fraud alert, you will receive confirmation letters from the credit bureaus. These letters will explain that you have to call each bureau and order your free report. They will provide the phone numbers you need to call.  Once you call and order, your report should arrive within 2 weeks in a plain, unmarked envelope. Be sure to examine it carefully.  You are entitled to one free copy for every 90 day alert period.

I ALREADY PLACED FRAUD ALERTS. CAN I PLACE THEM AGAIN?

The fraud alerts last 90 days and the system will let you know the alerts are already in place if you try to place them again before they expire. There is no penalty for doing this. You will NOT be notified when fraud alerts expire, so note the date and you can place them every 90 days for as long as you wish.

CREDIT REPORTS

HOW DO I GET A FREE COPY OF MY CREDIT REPORT?

Under federal law, you are entitled to one free copy of your credit report every twelve months from each of the three major credit reporting companies. You may obtain a free copy of your credit report by going on the internet to www.AnnualCreditReport.com or by calling 1-877-FACTACT (1-877-322-8228). If you would rather write, a request form is available on www.AnnualCreditReport.com. You may want to obtain copies of your credit reports to ensure the accuracy of the report information.

 WHAT DO I DO IF THERE IS INFORMATION ON MY CREDIT REPORT THAT IS OLD/INACCURATE?

Very often, a credit report will contain information that is a result of human error (typos, reporting errors or inaccuracies, outdated information). Sometimes, even social security number variations can appear. This is usually not identity theft, and it is up to the individual to dispute the incorrect information with the credit bureaus. Call the number provided on your report.

However, if you discover this information along with other evidence of fraud (new accounts, collections accounts that aren’t yours, etc.), you may be a victim of identity theft. It is best to begin by contacting the bureau to find out why/how the information is being reported. You can begin disputes with them. (See other FAQs below to get answers about disputing fraudulent accounts)

WHAT SHOULD I LOOK FOR ON A CREDIT REPORT TO INDICATE IDENTITY THEFT?

Accounts

Look for accounts you didn’t open and unexplained debts or authorized users that you didn’t authorize on your legitimate accounts.

Personal Information

Check to see if your personal information (your SSN; address(es); name and any
variations, including initials, Jr., Sr., etc.; telephone number(s); and employers) are correct. Inaccuracies in this information may also be due to typographical errors. If you believe that the inaccuracies are due to error, you should notify the credit bureaus by telephone and/or in writing to dispute the information.

Inquiries

Inquiries on credit reports from potential credit card issuers do not always mean that someone has tried to get credit in your name. Banks and credit card companies often inquire about a consumer’s creditworthiness to help them target their marketing efforts.

These inquiries will be identified in a designated section of the report and are described as “Inquiries that are viewed by others and don’t affect your credit score.” If you would not like your information to be used in this way, you can call 1-800-5 OPT OUT (1-800- 567-8688). You are automatically opted-out of data sharing when you place fraud alerts.

Inquiries that are described as displaying to others and affecting your credit score are the ones you need to be concerned with—these appear when someone has applied for credit in your name.

GENERAL CREDIT MONITORING QUESTIONS 

I KEEP SEEING “CREDIT MONITORING” OFFERED ON THE BUREAU’S WEBSITES. WHAT IS CREDIT MONITORING?

Monitoring your credit reports regularly is a helpful way to detect and prevent fraud. Credit monitoring assists you with this process. Each of the bureaus offers some kind of credit monitoring service that you can purchase. Remember, we will be making credit monitoring available to you at no cost. The enrollment process in described in the Customer Notification on the website.  The options are usually to monitor only one of your reports or all three. Some other Internet companies and financial institutions offer a monitoring service as well. We suggest you research the service and the company very well before purchasing the monitoring to ensure it is a reliable product.

The way monitoring works is that every week, you are informed of any changes to your credit report. You’ll be alerted to what’s happening with your credit by knowing about the following changes (all of which could indicate fraud):

  • New inquiries
  • New accounts opened in your name
  • Late payments
  • Improvements in your report
  • Bankruptcies and other public records
  • New addresses
  • New employers

SHOULD I BUY CREDIT MONITORING?

That is a decision that we recommend each person make for herself/himself. Please note, however, Avanti is making available a monitoring service for you at no cost. The enrollment process in described in the Customer Notification on the website.

CAN YOU ENROLL ME IN CREDIT MONITORING?

No, we cannot. This is something you will have to do individually.

IF I CHOOSE TO PURCHASE CREDIT MONITORING AND REPAIR SERVICES, WILL YOU REIMBURSE ME?

No.  We will be contracting with a trusted vendor to provide monitoring services at no cost to you and will not reimburse for services that may have been independently purchased.

Author: Staff Writer

Craig Keefner -- With over 40 years in the industry and technology, Craig is widely considered to be an expert in the field. Major early career kiosk projects include Verizon Bill Pay kiosk and hundreds of others. Craig helped start kioskmarketplace and formed the KMA. Note the point of view here is not necessarily the stance of the Kiosk Association or kma.global