Retailers Attacked by POS Malware

Remote Software Vulnerability Exploited, Cards Compromised
A point-of-sale-software vulnerability is to blame for a malware attack that exposed hundreds of debit and credit accounts in and around Louisville, Ky., says one affected card issuer.

Area card issuers have tied fraudulent transactions back to a number of merchants that have one thing in common - the same POS-system remote-access software. And although fraudulent transactions so far have only been linked to accounts in Kentucky, the malware has likely affected POS networks and systems in other states as well, says Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust.

Now the U.S. Secret Service and banking institutions are working to pinpoint the merchant points of compromise to contain the attack that could date back to February, she says.

At first, issuers thought the attack had involved a processor, Meadors says. But a deeper dive revealed it was actually a POS network attack that exploited a security flaw in remote-access software. "A local reseller provided the software that stores use in their card-reading devices to transfer data to Visa and MasterCard," she explains.

Meadors would not name the local reseller or the merchants so far identified as being attacked. The incident is still under investigation by the Kentucky Electronic Crimes Task Force, which is part of the Secret Service, she says.

But Meadors points out that the malware had been discovered on some of the compromised terminals, so that means retailers in other regions may have been affected.

"I've talked with eight institutions myself, but I'm going to say there have probably been dozens in this area that were affected," Meadors says. "I'm sure there are merchants in other states using this same remote software, too."

MasterCard and Visa Affected

The attack does not appear to have affected PIN-debit transactions, a source who monitors card fraud, who asked not to be named, tells BankInfoSecurity. But it has likely impacted a number of card brands, including MasterCard and Visa, that source says.

That jibes with the fraudulent transactions and attempted transactions noted by Republic Bank and Louisville-based Park Community Federal Credit Union, another affected issuer.

On April 2, Park Community posted a fraud alert on its website, notifying members of a possible compromise that could have affected a significant number of cardholders in the region.

"Financial institutions in the Louisville area are currently experiencing high volumes of debit card fraud," the credit union states. "All Park Community debit cards are protected by FraudWatch Plus, a 24/7 fraud monitoring service that detects unusual spending patterns."

An e-branch service representative at Park Community tells BankInfoSecurity that MasterCard notified the credit union about potentially compromised accounts. "As far as who it was or how it happened, we don't know," the service rep says of the attack and points of compromise. "We did see some cards affected by fraud, and our members notified us of some fraudulent transactions; but we blocked all of those cards on Monday [April 1] and have not seen any more activity since then."

Both Republic and Park Community were notified by cardholders of fraudulent transactions, but internal detection and monitoring systems also detected and stopped several fraudulent transactions before they were approved, both institutions report.

"In many cases, we knew before our members," Park Community's customer service rep says. And Meadors says several hundred Republic customers have notified the bank about fraudulent transactions as well.

"We heard from customers and our systems picked some of it up," Meadors says.

Many more potentially fraudulent transactions were caught and stopped, including attempted transactions at retail locations in states such as California, she adds.

Affected merchants have been contacted by the Secret Service, and their POS systems have been upgraded to prevent any more cards from being compromised, Meadors says.

The breach is the largest attack on credit and debit cards Meadors has seen during her 30-year career. "It's really going to affect more of our customers than any other breach we've had locally," she says. "We're looking at several hundred of our customers now, and some of the banks I've talked to have hundreds of customers affected as well."

Remote Software to Blame

Like the malware attack that targeted more than 150 Subway restaurant franchises and other merchants between 2008 and 2011, this latest attack exploited a remote software weakness that should have been patched, Meadors says.

The problem: Merchants are often not aware of software updates when they are issued, she says.

Nick Percoco, senior vice president at Trustwave, which conducts forensic investigations, says remote software vulnerabilities are one of the greatest threats merchants face. "We do see remote access comprising a very high percentage of the ways of how these attackers are getting in," he says. In fact, 47 percent of the merchant and processor attacks Trustwave investigated in 2012 were linked to a remote-access vulnerability, Percoco says.

"What we've seen happen on at least two other occasions is that the software company puts out an alert about an upgrade or patch that is needed. But the reseller does not pass along the information to the merchants," Meadors says. "We think that's what happened here."

Meadors contends that because merchants are not security specialists, more accountability should be placed on software resellers to ensure needed upgrades are made. "The merchants were not at fault here, nor were the banks," she says. "It's an ongoing problem with the software companies, and it needs to be addressed."

In the meantime, Meadors says anti-fraud groups, such as the International Association of Financial Crimes Investigators, are making strides in educating merchants and banking institutions about card-fraud detection and prevention. But getting the word out is always a challenge.

"The banks take the losses - the [card] issuers. And MasterCard and Visa will ultimately fine the acquiring banks, and then those fines will get passed on to the merchant," Meadors explains. "But the ones who should be fined are the software providers. They're not losing the money, so it's not a big problem for them."

Other Retail Breaches

Other retail breaches have grabbed headlines in recent months.

In March, the St. Louis-based Schnucks grocery store chain announced it was investigating a possible breach of debit and credit card data. The retailer in April said "malicious computer code" had captured details from a yet-to-be-determined number of credit and debit cards (see Retailer Says 'Code' Compromised Cards).

Customer complaints prompted an investigation into a possible compromise and attack, according to a March 26 statement from Schnuck Markets Inc. The company operates 101 stores in five states.

"Schnucks became aware on March 15 that some customers had noticed unauthorized charges on their card statements for credit cards they used at Schnucks," according to the statement. "Schnucks immediately began to investigate these reports and has engaged outside experts, including a nationally recognized forensic firm, to assist. We are also cooperating with law enforcement authorities."

In February, Bashas' Family of Stores confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered a never-seen-before malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.

In January, the Zaxby's restaurant chain notified federal authorities of a computer system and point-of-sale breach that had affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. While the source of the breach was not disclosed, Zaxby's Franchising Inc. noted that malware and other suspicious files had been found on compromised computer systems at certain locations.

In October 2012, Barnes & Noble Booksellers confirmed a breach that affected 63 of its locations, from California to Rhode Island. Although Barnes & Noble did not say when it discovered its breach, it confirmed that it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island.

Card issuers are often the first to identify fraud patterns when retailers are breached, as the POS breach at Michaels crafts stores proved in late 2010, experts said at the time. They also are the ones left dealing with the repercussions of subsequent fraud.

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
