
The Next Target-Style Attack This Holiday Season?

Remote Access Vulnerabilities and “Backoff” PoS Malware to Lead to Potential Next Wave of Target-Style Attacks this Holiday Season

Data breaches, identity theft and stolen payment card credentials are the gifts that keep on giving (or taking, depending on your perspective). Just ask any of the 100+ million consumers caught up in the wave of security breaches and Point of Sale (POS) malware attacks perpetrated against retailers including Target, eBay, Neiman Marcus, Michaels Stores, and more late last year. As we enter fall and look ahead to this coming holiday season, a new advisory issued by US-CERT, the United States Computer Emergency Readiness Team, provides reason to be concerned that we could see another holiday season rife with cybercrime.

In the wake of the Target breach and subsequent investigations at numerous retailers, the new US-CERT report reveals potential risks posed by remote desktop applications and weak authentication schemes (poor password policies) – critical contributing factors in the Target breach. The report also examines the rise of new POS malware dubbed “Backoff”, which has proven difficult to detect with current anti-virus security software. Together, these two developments mean that retailers and millions of consumers are at risk of having their data (names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses) exposed to “criminal elements.” So before we go through another holiday from cyber-hell, what can be done?

Drawing upon more than 25 years of personal experience in the payment industry, working with banks, financial institutions and government agencies on all matters pertaining to payment transaction security and fraud prevention, I find that the answer remains clear – the industry must realize that a “one size fits all” security-only approach to preventing cybercrime is doomed to fail. What is needed is a logical approach to not only protecting data access, but ensuring that any stolen data is rendered useless to crooks, something that can only be accomplished through enhanced multi-layer, multifactor authentication. The challenge we face as an industry is how we approach the balancing act between security and consumer convenience, for as we have seen, even the adoption of new security approaches to protecting payment cards, with schemes such as Chip and PIN (EMV) and even biometrics, is not without potential problems.

Whilst we must all continue to assess the ever-changing threat landscape and ensure we are all informed about the threat reports coming from US-CERT and other industry groups, we can’t forget that at all times, we need to work together to ensure that we and our customers are protected. The reality is that the industry needs to move forward and adopt a risk-adjusted approach to authentication and transaction verification. It’s clear that the primary goal remains “zero friction”, and adopting a multi-layer, multifactor approach to fraud detection and prevention can help achieve a “low friction” intuitive interaction with the customer when fraud is suspected or the risk profile of the transaction dictates. Such technology exists today and can help revolutionize a payments world littered with false positives, abandoned shopping carts, poor customer experience and high fraud rates. The growing awareness by consumers of such technology should unite them to urge their banks and credit card companies to implement that technology for their protection. It’s just push and pull, isn’t it?

The advent of EMV in the US will create a complex transitional landscape over several years where Card Present fraud will continue to flourish and where Card Not Present fraud (online) will grow. Trust will be severely questioned. The time is now for new mindsets and the time is now for action; otherwise it is only the cybercrooks that will get gifts this holiday season!

 


Comments: (1)

A Finextra member, 14 August, 2014, 02:24

Multi-layered, multifactor authentication is what is needed in any viable solution to credit card fraud; however, there is a delicate balance to be struck in any fraud prevention system and that is security on the one hand and consumer adaptability on the other. Pat Carroll has always recognized this and has been both an innovator and a champion of multi-layered, multifactor authentication for years.

Pat Carroll

Founder/Executive Chairman

ValidSoft
