Retailers Attacked by POS Malware

Software resellers must do a better job educating merchants about the necessity to upgrade their software, an industry expert says.

April 11, 2013

LOUISVILLE, KY – A malware attack exploiting a point-of-sale software vulnerability has exposed hundreds of credit and debit card accounts near Louisville, Kentucky, BankInfoSecurity.com reports.

While fraudulent transactions have been linked to accounts only in Kentucky, it’s suspected that the malware has likely affected POS networks and systems in other states, said Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust.

The U.S. Secret Service and banks are investigating the breach and trying to pinpoint the merchant points of compromise, Meadors said, adding it does not involve a processor, as originally thought. "A local reseller provided the software that stores use in their card-reading devices to transfer data to Visa and MasterCard.”

The attack does not appear to have affected PIN-debit transactions, though it likely included a number of card brands, including Visa and MasterCard. Both Republic Bank and Park Community Federal Credit Union were affected by the breach. Park posted a fraud alert on its website last week, notifying members of a possible compromise.

"Financial institutions in the Louisville area are currently experiencing high volumes of debit card fraud," the credit union stated. "All Park Community debit cards are protected by FraudWatch Plus, a 24/7 fraud monitoring service that detects unusual spending patterns."

Many potentially fraudulent transactions were caught and stopped, including transactions at retail locations in California, Meadors said. Affected merchants have been contacted by the Secret Service and their POS systems upgraded to prevent additional attacks.

It is suspected that the malware attack exploited a remote software weakness, Meadors said, adding many merchants are unaware of necessary software updates when they become available.

Meadors places much of the blame on software resellers, saying they need to do a better job educating merchants about the necessity to upgrade their software. "The merchants were not at fault here, nor were the banks," she said. "It's an ongoing problem with the software companies, and it needs to be addressed."

According to Nick Percoco, senior vice president at forensic investigator Trustwave, attacks such as these represent the greatest threats merchants face. "We do see remote access comprising a very high percentage of the ways of how these attackers are getting in," he said.

Advertisement
Advertisement
Advertisement