For the past few decades, malware was a concern for every Internet user. Now, however, it is major corporations that are on the frontline of the war against malicious software. In fact, many of the most recent data breaches – such as those at Target, The Home Depot, Neiman Marcus and other retailers – were a result of malware, according to the Krebs on Security blog. Malicious programs find their way onto point-of-sale (POS) terminal computers and steal the data stored on the magnetic stripe commonly found on debit and credit cards. Cybercriminals then take that information and use it to create counterfeit cards or purchase items from online stores.
The problem has become so big that the United States Secret Service issued an advisory stating that “Backoff,” a strain of POS malware, has been the bane of over 1,000 retailers and other companies since October 2013. Last year seemed to be when all of these businesses discovered that their systems had been infected for at least 12 months. Now, another organization has experienced a similar data breach.
Another one bites the dust
According to the Krebs on Security blog, sources at several U.S. financial institutions told the security investigation website that Chick-fil-A fast food restaurants are the common thread in a pattern of credit card fraud. The blog had heard rumors of a data breach since November 2014, but now it is clear that major credit card associations have issued an alert to financial institutions – and, therefore, consumers – that an event occurred between Dec. 2, 2013, and Sept. 30, 2014. All signs point to “Backoff.”
The fraud cases, despite impacting Chick-fil-A locations across the country, seem to be concentrated in states in the South and mid-Atlantic, specifically Georgia, Maryland, Pennsylvania, Virginia and Texas. Furthermore, almost 9,000 credit cards were listed in the alert, which does not bode well for Chick-fil-A in regard to the size of the breach.
“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” a banking source told Krebs on Security under the condition of anonymity.
According to Forbes, the Target data breach ended up costing shareholders around $148 million, meaning that Chick-fil-A might find itself in a similar situation of combating fraud and a loss of customers by throwing money at the problem.
The dangers of POS malware have become apparent at a fairly convenient time, as EMV debit and credit cards are on the horizon for 2015. Pymnts.com reported that over a half-billion of these new payment cards embedded with computer chips will hit the U.S. market this year. EMV transactions are popular in Europe, but soon Americans can experience the benefits of having their banking and credit information encrypted by means of tokenization. However, in light of recent events and facts, EMV cards just do not seem like they will be a saving grace in 2015.
Many news sources such as Pymnts.com agree that EMV adoption will not put an end to data breaches and payment card fraud. There are actually three specific reasons why secure payment processing will still be required and expected.
For one, a lot of organizations need better security to begin with. It will not matter how secure their current payment processing method is if cybercriminals still possess the capability of infiltrating other internal IT systems besides POS terminals. Right now, security is all about protecting the POS, and many attempts to deter data breaches are unsuccessful. This means that retailers will really need to step it up in order to safeguard all information.
Secondly, Pymnts.com reported that chip and signature payment processes will be common. According to the source, J.P. Morgan Chase will issue “chip and sig” cards along with other financial institutions. Merril Halpern, assistant vice president of card services at United Nations Federal Credit Union, thinks that is a bad idea.
“We should be doing the most we can to fight fraud, and the only way to send that message is to stand clearly behind Chip and PIN,” Halpern explained to Pymnts.com.
Third and finally, e-commerce retailers are not prepared. If experts are correct about card-not-present fraud becoming more common after EMV adoption, online stores will need to invest heavily in new methods of paying online. However, the process of verifying cardholders needs to be frictionless as well as secure if e-commerce retailers hope to stand a chance against brick-and-mortar stores. Consumers are becoming smarter, and all of the online commerce can simply go away if they do not feel safe.
Even if retailers implement new payment processing methods for EMV, they will still need to buckle down on security to protect consumers’ data. Still, with the current state of POS and e-commerce taken into consideration, many stores will be fighting an uphill battle that calls for the best defenses.