Retailers warned to act now to protect against Backoff malware

The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against "Backoff," a malware tool that was used in the massive data theft at retailer Target last year.

The bulletin instructed all covered entities to update their antivirus suites and to change default and staff passwords controlling access to key payment systems and applications.

The council, which is responsible for administering the PCI security standard, also urged merchants to inspect system logs for strange or unexplained activity, especially activity involving transfers of large data sets to unknown locations.

"The PCI Council additionally recommends that merchants consider implementing PCI-approved point-of-interaction (POI) devices" for encrypting credit and debit card data as the card is swiped or dipped into a payment terminal. Merchants should also consider deploying point-to-point encryption technologies to ensure that card data remains protected until received by a secure decryption facility, the advisory noted.

Companies that have been compromised by Backoff should notify their banks immediately, the council stated.

The bulletin reflects the growing concerns within the payment industry over Backoff, a malware tool used by malicious hackers to steal payment card data from point-of-sale systems.

The malware was released last October but remained undetected by antivirus tools until this month.

The U.S. Department of Homeland Security and the U.S. Secret Service believe that Backoff has already infected POS systems at more than 1,000 small, medium and large businesses, including Target and Neiman Marcus. More than 40 million payment cards were compromised in the Target breach alone, while the Neiman Marcus compromise exposed data on some 1.1 million cards.

In a bulletin issued last week, the DHS and Secret Service said they had responded to "numerous incidents" over the past year involving Backoff. So far, seven vendors of point-of-sale systems have confirmed that multiple clients were affected by the malware, the bulletin said.

Last week's bulletin was a follow-up to one released by the DHS and Secret Service in July warning businesses about Backoff's use in targeted attacks against U.S. retailers. The bulletin warned of attackers exploiting commonly used enterprise remote access tools to break into retail point-of-sale (POS) systems and plant the Backoff malware.

The PCI bulletin appears to have been sparked by news that the malware is much more widespread than had been previously assumed, said James Huguelet, an independent PCI security consultant.

All of the steps outlined in the PCI council bulletin are standard measures, Huguelet said. "But sometimes it takes a wake-up call such as this to remind everyone in the payment-processing chain of how important they really are."

What's interesting about the bulletin is the council's specific mention of end-to-end encryption of payment card data, Huguelet said.

"Mandating [end-to-end] encryption would completely eliminate the threat posed by Backoff within the payment processing chain," but so far the council has not taken that step, he said.
