Some weeks ago, we wrote a piece, "What You Need to Know About Backoff Malware: The New Threat Targeting Retailers". It's apparently gotten worse. Any business utilizing point-of-sale (POS) terminals for "swiping" credit cards needs to pay attention to this threat and assess vulnerability. Hospitals, physicians' offices, veterinary clinics, colleges and universities, municipalities — everyone — not just retailers. Read on.
Since our piece was published, it has become known that the Backoff malware or one of its multiple variants has been responsible for over 1,000 breaches of credit card information, including the Target mega-breach and two of the most recent, Supervalu and United Parcel Service. In fact, the fear is that it is so widespread that the Department of Homeland Security and the US Secret Service issued a warning to retailers — regardless of size — to check their POS systems.
Now the Payment Card Industry (PCI) Council has weighed in with a statement strongly urging companies — "as a matter of urgency" — to take steps to examine POS systems.

Retailers should ensure that they have the most up-to-date versions of antivirus software installed to detect "Backoff" and run the solution immediately. If you rely on service providers, ask them. Do not "rely" on a third-party service provider to manage this without oversight. The PCI Council also suggests that retailers review all system logs for strange or unexplained activity, especially large data files being sent to unknown locations. It also recommends requiring all default and staff passwords on systems and applications to be updated, and providing good guidance on choosing a secure password that meets current standards. The key message here is that merchants should be taking charge — remember: you can outsource the process or the support functions, but you cannot outsource the liability. Retailers — or any entities accepting credit cards — are the "merchant of record" and the last line of defense between the hacker and the customer's credit card.
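The log-review step above (large data files sent to unknown locations) is the one a merchant can most directly turn into a routine check. The following Python script is an added example, not code from the article or the PCI Council: it reads constructed firewall egress records for a store network, ignores destinations on an assumed allowlist (the payment processor's gateway and the internal LAN), and flags both single large transfers and many smaller transfers to one unknown destination that add up over the window. The log format, field names, addresses and byte thresholds are all assumptions for illustration.

```python
"""Flag large outbound transfers to unknown destinations in constructed
POS-network egress logs.  Added example; not from the PCI Council or the
original article.  Log format, field names, addresses and thresholds are
assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample log lines in a hypothetical firewall egress format:
#   <timestamp> src=<ip> dst=<ip>:<port> bytes_out=<n> proto=<name>
SAMPLE_LOG = """\
2014-08-25T02:13:04Z src=10.20.1.15 dst=198.51.100.7:443 bytes_out=18234 proto=tls
2014-08-25T02:14:10Z src=10.20.1.15 dst=198.51.100.7:443 bytes_out=20411 proto=tls
2014-08-25T02:31:55Z src=10.20.1.22 dst=203.0.113.45:80 bytes_out=7340032 proto=http
2014-08-25T02:35:02Z src=10.20.1.22 dst=203.0.113.45:80 bytes_out=5242880 proto=http
2014-08-25T03:00:17Z src=10.20.1.31 dst=10.20.0.5:445 bytes_out=4194304 proto=smb
2014-08-25T03:05:44Z src=10.20.1.31 dst=192.0.2.99:8080 bytes_out=900000 proto=http
2014-08-25T03:06:44Z src=10.20.1.31 dst=192.0.2.99:8080 bytes_out=900000 proto=http
2014-08-25T03:07:44Z src=10.20.1.31 dst=192.0.2.99:8080 bytes_out=900000 proto=http
"""

# Assumed allowlist: the payment processor's gateway and the store LAN.
KNOWN_DESTINATIONS = [
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical processor gateway
    ipaddress.ip_network("10.20.0.0/16"),     # hypothetical store LAN
]
SINGLE_TRANSFER_LIMIT = 1_000_000   # bytes in one connection (assumed threshold)
AGGREGATE_LIMIT = 2_000_000         # bytes to one unknown destination per window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"bytes_out=(?P<bytes>\d+) proto=(?P<proto>\S+)$"
)


@dataclass
class Finding:
    kind: str          # "large_transfer" or "aggregate"
    src: str
    dst: str
    total_bytes: int


def is_known(dst: str) -> bool:
    """True when the destination falls inside an allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in KNOWN_DESTINATIONS)


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {**m.groupdict(), "lineno": lineno}


def find_suspicious_egress(text: str) -> list:
    """Return findings for unknown destinations: each single transfer over
    SINGLE_TRANSFER_LIMIT, plus each (src, dst) pair whose cumulative bytes
    over the whole log exceed AGGREGATE_LIMIT (catches slow trickle-out)."""
    findings = []
    totals = defaultdict(int)   # (src, dst) -> cumulative bytes to unknown dst
    for rec in parse_log(text):
        if is_known(rec["dst"]):
            continue
        nbytes = int(rec["bytes"])
        if nbytes >= SINGLE_TRANSFER_LIMIT:
            findings.append(Finding("large_transfer", rec["src"], rec["dst"], nbytes))
        totals[(rec["src"], rec["dst"])] += nbytes
    for (src, dst), total in totals.items():
        if total >= AGGREGATE_LIMIT:
            findings.append(Finding("aggregate", src, dst, total))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(SAMPLE_LOG):
        print(f"{f.kind:15} {f.src} -> {f.dst}  {f.total_bytes:,} bytes")
```

On the sample data the two multi-megabyte HTTP posts from 10.20.1.15 to an unlisted address are flagged individually, while the three 900 KB transfers to 192.0.2.99 are only caught by the aggregate rule; the large SMB transfer to the internal file server is ignored because it is on the allowlist. In practice the allowlist and thresholds come from the merchant's own baseline of normal POS traffic, and any destination that is not the processor deserves a question.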
The PCI Council's statement put it this way: "Attacks of this kind underscore the critical importance of a multi-layered approach to payment card security that addresses people, process and technology. PCI Standards provide layers of defense to ensure businesses can prevent, defend and detect attacks on their systems. A daily coordinated focus on maintaining these controls—making payment card security a business as usual practice—provides a strong defense against data compromise."
Regarding malware specifically, organizations should review the following security risk mitigating control areas outlined in PCI Data Security Standard (PCI DSS) 3.0:
Proper firewall configuration – Requirement 1
Changing vendor defaults and passwords on devices and systems – Requirement 2
Regularly updating anti-virus protections – Requirement 5
Patching systems – Requirement 6
Limiting access and privileges to systems – Requirements 7, 9
Requiring 2-factor authentication and complex passwords – Requirement 8
Inspection of POS devices – Requirement 9
Monitoring systems to allow for quick detection – Requirements 10, 11
Implementing sound security policies for preventing intrusions that may allow malware to be injected – Requirement 12
PCI DSS standards provide layers of defense to ensure businesses can prevent, defend and detect attacks on their systems. The PCI Council advises that a daily, coordinated focus on maintaining these controls, making payment card security a business-as-usual practice, provides a strong defense against data compromise.
Reliance on third-party providers, and managing their access, remains a challenge for organizations, the Council stated. Merchants should reference guidance recently published by the PCI Council's Special Interest Group, which outlines a plan for managing risk and securing data — in advance of a liability shift which comes into play next year. Find discussion of that report here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.