Big Red alert: Oracle's MICROS payment terminal biz hacked

Hackers infected hundreds of computers within Oracle, infiltrated the support portal for its MICROS payment terminals division, and potentially accessed sales registers all over the world. The miscreants installed malware on the troubleshooting portal to capture customers' usernames and passwords as they logged in. These …

  1. Sebastian A

    Old-fashioned physical crime just doesn't compare anymore to these digital shenanigans. Why skim a card at an ATM when you can just compromise a payment system at its global root and effectively skim a million cards? It's staggering.

    1. ecofeco Silver badge

      Burning Chrome.

    2. Bob Vistakin
      Facepalm

      Yup, and these assholes can't be that much of an Oracle if they couldn't even see this coming.

  2. Anonymous Coward
    Facepalm

    MICROS payment terminals hacked

    Are you sure it wasn't MICROS~1 computers that were infected? "Oracle Security has detected and addressed malicious code" Oh jezus god, is this the state of 'computer' security in late 2016? Wait until they start to put this kind of software in our Flying Spinners.

    1. bazza Silver badge

      Re: MICROS payment terminals hacked

      Oh jezus god, is this the state of 'computer' security in late 2016?

      I'm afraid so, and these kinds of events will never ever quite go away. Not whilst there is no reliable way for a computer to establish the identity of a human user. We have user names and passwords, biometrics, swipe cards, etc, but all of these have flaws that can and will be exploited.

      It's not helped either by too many systems being connected to the public Internet when there is no true need for it. A till in a shop does not absolutely need to be connected to the Internet, and neither does the company network behind it. Connecting it to the Internet seems cheaper than having a private WAN right up until your entire business is hacked to smithereens.

      1. Peter Gathercole Silver badge

        Re: MICROS payment terminals hacked @bazza

        Unfortunately, many small-business merchant services do use the Internet as a communication path (small shops don't want the cost of a separate communication infrastructure, and dial-up is becoming history), either via *DSL lines or mobile, and this means that the central servers for the merchant systems must also be connected to the Internet.

        One hopes that they establish secure VPNs for the actual transmission of the transaction details, and that the central servers are properly secured, but I'm afraid with the advent of payment services run via mobile phones, like PayPal and others are doing, it could be the security of the mobile phone and attached card devices that will become the attack target.

  3. Anonymous Coward
    Trollface

    Are you sure?

    Because I'm under the strong impression that Oracle has no clue whatsoever as to what micro payment actually is, especially when thinking back at how previous Sun licenses all tripled in price after the take-over.

  4. Baldy50

    Oracle

    Think they need a few working/advising them.

  5. Anonymous Coward

    Interestingly in October 2010 many Micros customers received an e-mail that tried to get them to open a Word document relating to Micros products.

    Just a normal phishing attack, however it seemed to be very targeted. Every person in our organisation that had dealings with Micros received the e-mail, those that hadn't didn't.

    Got the usual - no breach, just a simple random phishing attack, which I didn't believe and contacted our account manager. I asked how it was so targeted towards users of their system, how it was global etc. They said there was no breach and that only a small number (yawn) of their customers had received it.

    I was convinced it was something to do with the support portal but they said it wasn't.

    I bet this is related and this breach has been ongoing since at least before that time.

  6. roselan

    True Social Justice

    The robbers have been robbed!

  7. bpfh
    Joke

    POS Terminals

    That term always made me smile, even after I learned that it actually meant "point of sale" :D

  8. Anonymous Coward

    Unbreakable Oracle

    Yet again, more evidence their marketing slogan is bullshit. ;)

    1. Captain Scarlet

      I think it refers to the Iron Clad contracts their customers have to sign

  9. Victor Ludorum

    This might explain it

    I have had the occasional attempt to log in to my VPN using various micros related usernames - microsuser, micros, microsadmin to name but a few. They have usually come from China, Hungary and (apparently) Virginia, USA.

  10. Aodhhan

    Another Oracle failure

    Oracle has been in charge of this company long enough to be held responsible for this.

    It's just another in a line of failures for Oracle. A company who states they prize security, yet continue to have problems which shouldn't happen.

    When failures happen with this frequency and magnitude you cannot blame coding or personnel; you must point the finger directly to management and policy.

    We stopped using Oracle products nearly two years ago. It makes me shake my head whenever I see an organization using Oracle applications of any kind.

    When I notice an organization using any Oracle product, it makes me wonder just how competent the CIO and information security management team is.

    1. Down not across

      Re: Another Oracle failure

      When I notice an organization using any Oracle product, it makes me wonder just how competent the CIO and information security management team is.

      Information security management team may not have any say as to which products are used. You also refer to the C-suite's role and competence in product selection, and I couldn't possibly comment on that.

  11. Anonymous Coward

    Micros Hacked

    Every Micros terminal I have seen is not capable of reading the new encrypted transaction chipped credit cards. No wonder they got hacked.

    1. Anonymous Coward

      Re: Micros Hacked

      Do you just mean Chip and Pin? If so, other countries have used this for tens of years and have Micros Terminals which all read them. The thing is, with C&P the POS doesn't read it directly; you use a C&P reader from Ingenico, Verifone etc. and the Till communicates with that via your PSP.

      You would never want a POS to have a C&P built in as it would be a security nightmare and very unlikely to get PCI certification, so would be useless.
