Backoff is back. The POS malware the U.S. government warned retailers about on July 31st has made its appearance among an estimated 1,000 U.S. businesses. Clearly there is no end in sight to the rash of data breaches. Our thought: If we encrypt cardholder data with a P2PE solution, so that no card data is in clear-text in any part of the merchant’s system, we significantly cut down on the value of breaking into these POS systems in the first place.
On July 31st, the USSS, NCCIC/US-CERT and Trustwave Spiderlabs issued an alert about the then newly identified malware dubbed “Backoff”, associated with several PoS data breach investigations. And on Friday, a second advisory was issued estimating that 1,000 U.S. businesses are affected, with 7 POS systems/providers already confirming they have had multiple clients affected.
While the NCCIC hasn’t published the names of the companies that have indicated infections with Backoff malware, some have voluntarily admitted to having compromised systems. That includes UPS and Supervalu, according to The New York Times.
So how does backoff work? Per the NY Times:
- “According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities — a vendor with remote access to a company’s systems, for example, or employees with the ability to work remotely — and then deploying computers to guess user names and passwords at high speeds until they find a working combination.
The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals collect payment card data off the cash register systems and send it back to their servers abroad.”
As we discussed in our blog on Thursday, EMV seems to be the only “solution” on the horizon that retailers and banks will adopt on a widespread basis (primarily because they will be required to). But EMV does nothing to encrypt cardholder data – it protects the card itself and the consumer. Fraudsters are taking card data that EXISTS somewhere in the merchant’s system, whether it’s the swipe device, or the cash register, or a network. Until that data is rendered useless because it is encrypted and doesn’t exist in the clear – we can expect these breaches to keep happening. Groundhog Day, take 1,000.