LOUISVILLE, KY – A malware attack exploiting a point-of-sale
software vulnerability has exposed hundreds of credit and debit card accounts
near Louisville, Kentucky, BankInfoSecurity.com reports.
While fraudulent transactions have been linked to accounts
only in Kentucky, it’s suspected that the malware has likely affected POS
networks and systems in other states, said Marjorie Meadors, assistant vice
president and head of card
fraud prevention for Louisville-based Republic Bank & Trust.
The U.S. Secret Service and banks are investigating the
breach and trying to pinpoint the merchant points of compromise, Meadors said,
adding it does not involve a processor, as originally thought. "A local
reseller provided the software that stores use in their card-reading devices to
transfer data to Visa and MasterCard.”
The attack does not appear to have affected PIN-debit transactions,
though it likely included a number of card brands, including Visa and
MasterCard. Both Republic Bank and Park Community Federal Credit Union were
affected by the breach. Park posted a fraud alert on its website last week,
notifying members of a possible compromise.
"Financial institutions in the Louisville area are
currently experiencing high volumes of debit card fraud," the credit union
stated. "All Park Community debit cards are protected by FraudWatch Plus,
a 24/7 fraud monitoring service that detects unusual spending patterns."
Many potentially fraudulent transactions were caught and
stopped, including transactions at retail locations in California, Meadors
said. Affected merchants have been contacted by the Secret Service and their
POS systems upgraded to prevent additional attacks.
It is suspected that the malware attack exploited a remote
software weakness, Meadors said, adding many merchants are unaware of necessary
software updates when they become available.
Meadors places much of the blame on software resellers,
saying they need to do a better job educating merchants about the necessity to
upgrade their software. "The merchants were not at fault here, nor were
the banks," she said. "It's an ongoing problem with the software
companies, and it needs to be addressed."
According to Nick
Percoco, senior vice president at forensic investigator Trustwave, attacks such
as these represent the greatest threats merchants face. "We do see remote
access comprising a very high percentage of the ways of how these attackers are
getting in," he said.