A new Department of Homeland Security report due out today confirms that the Target credit card scanner hack from this past winter was much broader than originally thought. The New York Times says that same hack is affecting more than 1,000 U.S. businesses.
The Homeland Security report says that the malware could be hiding undetected on the in-store cash register systems of the affected businesses. The malicious software, named "Backoff," lets criminals scrape credit and debit card data from businesses' cash register systems, to be traded on the black market. Unless they've actively gone looking for the malware, companies (and consumers) are unaware that anything's going on.
The Secret Service and Homeland Security say the malware found its way into so many businesses the same way it did with Target: By finding vulnerabilities in remote-access systems used by contractors or employees to log into a business's central system. Once inside, the malware brute-force guesses passwords until it's inside the payment software.
Homeland Security alerted businesses to their vulnerability on July 31st. Seven companies, including UPS, have come forward publicly to announce that they've been hacked.
In its report on the hack, the New York Times doesn't mince words:
The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.
Despite the difficulty in detecting Backoff, the safeguards that DHS and the Secret Service recommend to companies are very straightforward: Partition cash register systems away from the rest of the company network, and require two-factor authentication for remote users or subcontractors. Why haven't these companies been doing this already?
Now would probably be a good time to take a close look at your credit or debit card statements. [The New York Times]
Image: Shutterstock / Photobac