BreachExchange mailing list archives

Retailers warned to act now to protect against Backoff malware


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 Aug 2014 19:36:34 -0600

http://www.pcadvisor.co.uk/news/security/3541703/retailers-warned-to-act-now-to-protect-against-backoff-malware/?zk=small-business

The Payment Card Industry Security Standards Council on Wednesday issued a
bulletin urging retailers to immediately review their security controls to
ensure point-of-sale systems are protected against "Backoff," a malware
tool that was used in the massive data theft at retailer Target last year.

The bulletin instructed all covered entities to update their antivirus
suites and to change default and staff passwords controlling access to key
payment systems and applications.

The council, which is responsible for administering the PCI security
standard, also urged merchants to inspect system logs for strange or
unexplained activity, especially activity involving transfers of large data
sets to unknown locations.

"The PCI Council additionally recommends that merchants consider
implementing PCI-approved point-of-interaction (POI) devices," for
encrypting credit and debit card data as the card is swiped or dipped into
a payment terminal. Merchants should also consider deploying point-to-point
encryption technologies to ensure that card data remains protected until
received by a secure decryption facility, the advisory noted.

Companies that have been compromised by Backoff should notify their banks
immediately, the council stated.

The bulletin reflects the growing concerns within the payment industry over
Backoff, a malware tool used by malicious hackers to steal payment card
data from point-of-sale systems.

The malware was released last October but remained undetected by antivirus
tools until this month.

The U.S. Department of Homeland Security and the U.S. Secret Service
believe that Backoff has already infected PoS systems at more than 1,000
small, medium and large businesses, including Target and Neiman Marcus.
More than 40 million payment cards were compromised in the Target breach
alone while the Neiman Marcus compromise exposed data on some 1.1 million
cards.

In a bulletin issued last week, the DHS and Secret Service said they had
responded to "numerous incidents" over the past year involving Backoff. So
far, seven vendors of point-of-sale systems have confirmed that multiple
clients were affected by the malware, the bulletin said.

Last week's bulletin was a follow-up to one released by the DHS and Secret
Service in July warning businesses about Backoff's use in targeted attacks
against U.S. retailers. The bulletin warned of attackers exploiting
commonly used enterprise remote access tools to break into retail
point-of-sale (POS) systems and plant the Backoff malware.

The PCI bulletin appears to have been sparked by news that the malware is
much more widespread than had been previously assumed, said James Huguelet,
an independent PCI security consultant.

All of the steps outlined in the PCI council bulletin are standard
measures, Huguelet said. "But sometimes it takes a wake-up call such as
this to remind everyone in the payment-processing chain of how important
they really are."

What's interesting about the bulletin is the council's specific mention of
end-to-end encryption of payment card data, Huguelet said.

"Mandating [end-to-end] encryption would completely eliminate the threat
posed by Backoff within the payment processing chain," but so far the
council has not taken that step, he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/