Cash Register Hack Affected Over 1,000 U.S. Businesses
Homeland Security released an advisory on Friday stating over 1,000 U.S. businesses were affected in a massive cash register hack, compromising the data of millions of payment cards used by consumers.
The report recommended businesses check for possible Point of Sale (PoS) malware infections, especially for one virus dubbed "Backoff," which remained undetected for a year. The malware reportedly targeted the admin accounts of each business, then took hold of consumers' data.
The New York Times reported UPS, Supervalu, and Target were affected in the cyberattack, while Homeland Security and the Secret Service estimated more than 1,000 U.S. businesses were also involved.
"There's a lot of retailers out there that have been compromised by this and they simply don't know it yet," said Ken Westin, a security analyst for Portland-based Tripwire Inc.
The Backoff malware affected about 50 UPS locations and compromised more than 100,000 card transactions. The same malware also stole about 40 million Target debit cards' data from 1,797 stores last year, making it the largest security breach on a retailer's payment system. Target is now facing numerous lawsuits from banks seeking reimbursement for millions of dollars.
The hackers were able to access the admin accounts by scanning the cash register systems via remote access, then guessing on usernames and passwords. After successfully entering the system, hackers collected the credit card data and stored it to servers outside the United States. The information was then sold on the black market.
Security experts believe payment cards used in the country are vulnerable to these attacks due to outdated technology.
"The weakness is the magnetic stripe," said Gartner Research security analyst Avivah Litan to the New York Times. "I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It's an antiquated technology from 60s."
Banks and companies were given a deadline of October 2015 to switch to the Europay-Mastercard-Visa (EVS) system, as it is more difficult to hack compared to the current cards.