Just a few weeks ago the Department of Homeland Security issued a warning to retailers about Backoff, the point-of-sale malware responsible for the massive payment card security breach at Target during last year’s holiday season. The initial report indicated up to 600 retailers were affected, but on August 22nd the DHS issued another advisory that stated the scale is much larger. The Secret Service estimated over 1,000 businesses of all sizes have been victimized by variants of Backoff.
The days of the simple mechanical cash register are long gone for all but the smallest retailers. The registers most retailers use are actually Windows computers running point-of-sale (POS) software. They are networked and connected to the Internet so they can verify payment cards and checks. Like any computer, they are vulnerable to attack by malicious software and hackers.
The Backoff malware takes advantage of a weakness in the process used to read and validate payment cards. The customer’s information is stored unencrypted on the magnetic stripe on the back of the card. When a customer swipes the card at checkout, the card reader transmits that data, still in the clear, to the computer. Only then does the POS software encrypt the information and send it to the payment card processing company for verification.
Backoff can read the POS computer’s physical memory and record the payment card data before it is encrypted. It uses its own encryption on the data and sends it to servers the hackers can access. The hackers either sell the data to other criminals through black market channels or use it to make purchases themselves.
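The window described above, between the swipe and the POS software's own encryption, is easier to see with a small simulation. The following is an added example, not code from the article or from any POS vendor: it models a legacy flow where the reader hands cleartext track data to the POS process, and a mitigated flow where the reader encrypts before the data reaches the POS, then runs the kind of memory scan a PCI assessor or incident responder uses to confirm whether card numbers sit in process memory in the clear. The Track 2 record, the shared key and the HMAC-based stand-in for processor encryption are all constructed assumptions.

```python
"""Added example (not from the article): why card data can be scraped
between swipe and encryption, and why encrypting at the reader closes
that window.

Everything here is constructed for illustration: the sample Track 2 data
uses a well-known test PAN, the 'reader' and 'POS' are simulated
functions, and the 'encryption' is a keyed HMAC stand-in rather than a
real payment-processor scheme."""

import hashlib
import hmac
import re

# Constructed Track 2 record: PAN ; expiry (YYMM) ; service code.
SAMPLE_TRACK2 = ";4111111111111111=2512101?"

# Constructed key shared with the processor (assumption, demo only).
PROCESSOR_KEY = b"constructed-demo-key"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buffer: bytes) -> list:
    """Defender's check: report Luhn-valid 13-19 digit runs in a buffer.

    This is the scan an assessor or responder runs over a process memory
    image to confirm whether cleartext card numbers are present."""
    text = buffer.decode("latin-1")
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text, flags=re.ASCII)
    return [c for c in candidates if luhn_ok(c)]


def encrypt_for_processor(track2: str) -> bytes:
    """Stand-in for the encryption applied before sending to the processor."""
    return hmac.new(PROCESSOR_KEY, track2.encode(), hashlib.sha256).digest()


def legacy_pos_pipeline(track2: str) -> bytes:
    """Magnetic-stripe flow from the article: the reader delivers cleartext
    track data and the POS application encrypts it afterwards.

    Returns a snapshot of the POS process memory during the transaction."""
    pos_memory = bytearray()
    pos_memory += b"POS heap: " + track2.encode()  # cleartext copy lives here
    pos_memory += b" cipher: " + encrypt_for_processor(track2)
    return bytes(pos_memory)


def reader_encrypting_pipeline(track2: str) -> bytes:
    """Mitigated flow: the reader encrypts before handing data to the POS,
    so the POS process never holds the cleartext PAN."""
    ciphertext = encrypt_for_processor(track2)  # done inside the reader
    return b"POS heap: cipher: " + ciphertext


def exposure_report(track2: str = SAMPLE_TRACK2) -> dict:
    """Scan both simulated memory snapshots for cleartext card numbers."""
    return {
        "legacy_pos": find_pans(legacy_pos_pipeline(track2)),
        "reader_encrypting": find_pans(reader_encrypting_pipeline(track2)),
    }


if __name__ == "__main__":
    print(exposure_report())
```

Run as a script, the report lists the test PAN under `legacy_pos` and nothing under `reader_encrypting`: a memory scraper on the POS only finds what the POS process holds, so moving encryption into the reader (or onto a chip, as with EMV) removes the data it is looking for.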
Moving Payment Cards Forward
There is little consumers can do to protect themselves at the moment except pay with cash or checks. These payment methods are more costly for retailers to handle and come with their own complications.
The only solution is to move away from magnetic stripe cards and toward other methods of payment. Companies are experimenting with digital wallets and other smartphone-based payment systems, but these have yet to see widespread acceptance.
The system that’s most like the payment cards consumers are already familiar with is the Europay-Mastercard-Visa system, or EMV. It uses the same plastic cards, except the payment data is encrypted and stored on a microchip. The credit card industry has set a deadline for retailers to move to EMV cards by the end of 2015, but the equipment required is expensive. A retailer could pay up to $1,000 per register, leading many to drag their feet due to the cost.
The cost of a security breach is much higher. Target estimated costs associated with the breach had reached $148 million in the second quarter of 2014. The cost of the damage to the company’s reputation, brand and corporate image is harder to calculate. Unless more retailers want to follow in Target’s footsteps, they must leave magnetic payment cards behind.
Follow every major phase of the Target retail security breach along with my insights. Download my RETAIL SECTOR PDF for all the major retail security stories in 2013 and 2014.