.png)
More than 1,000 U.S. retailers could be infected with
malicious software lurking in their cash register computers, allowing hackers
to steal customer financial data, the Homeland Security Department said Friday.
The government urged businesses of all sizes to scan their
point-of-sale systems for software known as "Backoff," discovered
last October. It previously explained in detail how the software operates and
how retailers could find and remove it.
Earlier this month, United Parcel Service said it found
infected computers in 51 stores. UPS said it was not aware of any fraud that
resulted from the infection but said hackers may have taken customers' names,
addresses, email addresses and payment card information.
The company apologized to customers and offered free identity
protection and credit monitoring services to those who had shopped in those 51
stores.
Backoff was discovered in October, but according to the
Homeland Security Department the software wasn't flagged by antivirus programs
until this month.
Jerome Segura, a senior security researcher at cyber-security
software firm Malware Bytes, said that the way that Backoff works is not
unique. The program gains access to companies' computers by finding insufficiently
protected remote access points and duping computer users to download malware,
tricks that have long been in use and are often automated.
What has changed, Segura said, is that the hackers deploying
it have become increasingly sophisticated about identifying high-value computer
systems after they've broken into them.
"Once the bad guys realized they were able to penetrate
larger networks, they saw the opportunity to develop malware that's
specifically for credit cards and can evade antivirus programs," he said.
By using Backoff selectively, rather than distributing it
widely on the Internet, the hackers likely managed to escape detection for
longer. Following Homeland Security's warnings in July, however, companies are
much better able to probe their own computers for Backoff.
The battle between retailers and hackers is an ongoing one.
Retail giant Target, based in Minneapolis, was targeted by hackers last year
and disclosed in December that a data breach compromised 40 million credit and
debit card accounts between Nov. 27 and Dec. 15. On Jan. 10, it said hackers
stole personal information - including names, phone numbers and email and
mailing addresses - from as many as 70 million customers.
Target, the third-largest retailer, has been overhauling its
security department and systems in the wake of the pre-Christmas data breach,
which hurt profits, sales and its reputation among shoppers worried about the
security of their personal data. Target is now accelerating its $100 million
plan to roll out chip-based credit card technology in all of its nearly 1,800
stores.
So-called chip and pin technology would allow for more secure
transactions than the magnetic strip cards that most Americans use now. The
technology has already been adopted in Europe and elsewhere.
Though improving card technology and updating malware
detection will help retailers defend themselves, Segura said that the recent
profusion of computer breaches should make companies think harder about how
they use remote access systems for employees and vendors. By limiting what
portions of their systems can be accessed remotely, he said, companies can
limit the damage that hackers can do.
"This past year and a half has been breach after
breach," he said. "It's incredible."
No comments:
Post a Comment