Why Attacks Exploit Common POS Systems

Parking Facility Hack Highlights Trend in Remote Access

A remote-access attack that compromised a parking facility provider with locations in Illinois, Pennsylvania, Ohio and Washington highlights how commonly used point-of-sale terminal and software brands are increasingly being exploited by hackers.

Like many other remote-access POS intrusions suffered by U.S. merchants in 2014, the breach at SP+, formerly Standard Parking Corp., will likely be traced to either weak remote-access log-in credentials or a common POS software vulnerability that hackers discovered through attacks waged against other merchants that use the same POS system, some security experts say.

"In 2014, we've seen a greater concentration in the exploitation of remote-access software," says John Buzzard, who heads up FICO's Card Alert Service. "And we find this to be the case for two reasons. If you're a hacker and you can just tunnel into the IP address, what's the first thing you do? You try 'admin' as the login and '1234' as the password."

Those remote-access credentials work about 10 percent of the time, Buzzard contends. But what's most concerning, he says, is that more than one merchant typically uses the same POS software and system with the same access credentials.

SP+ Breach Details

At this point, SP+ claims it doesn't know how many payment cards may have been exposed in the breach. And SP+ declined to share details about its breach beyond those noted in its Nov. 28 announcement, which does not include the name of the POS system vendor or the device hardware brand.

The statement also does not name the remote-access service SP+ uses, nor does it name the company's payments processor, which it says has been notified of the breach.

The statement does, however, list 17 locations in Chicago; Evanston, Ill.; Cleveland; Philadelphia and Seattle that were targeted, with some of the card compromises dating back as far as April 14. SP+ also notes that it was notified of the breach by its POS system vendor, which maintains payments systems used in "some" of its parking facilities.

"An unauthorized person used that company's remote-access tool to connect to computers that process payment cards in a limited number of those facilities," SP+ says. "Upon learning this, SP+ immediately launched an investigation and engaged a leading computer forensics firm to examine the payment systems in the parking facilities."

Using the remote-access tool, the hacker installed malware that searched for payment card data that was routed through computers used by SP+ to accept payments at certain parking facilities, the company says. "The information from payment cards that may have been captured by the malware is the cardholder's name, card number, expiration date, and verification code," SP+ notes.

The last known card exposure dates back to Nov. 4, SP+ says. Since then, the malware has been disabled on all affected servers, "and SP+ has required that the vendor convert to the use of two-factor authentication for remote access," the company adds. "SP+ is working with the computer security firm to implement additional enhanced security measures."

Whether other merchants serviced by this same POS vendor also were impacted remains unknown. But Buzzard says it's likely SP+ is not the only victim.

Buzzard says hackers check out POS vendors' websites to see all of the customers they serve. "They are looking for that thread - to see if it's widely accepted software," he says.

And once the attackers find a common thread, they exploit it, says Christopher Budd, global threat communications manager at security firm Trend Micro. "The specific tactic they use to compromise that system will vary," Budd says. "The attackers will find what works to get in and use it over and over again."

Other Breaches