A more far-reaching issue than the loss of data itself emerged from last week’s data breach involving payment gateway and mobile payment developer CHARGE Anywhere: the security of the encryption in place.
If you use CHARGE Anywhere for your retail purchases, you probably feel some sense of security knowing that most point-of-sale terminals are somehow being secured with encryption. Well, think again. Hackers were recently able to break into CHARGE Anywhere’s systems and compromise transactions that had passed through its network since 2009. And although the traffic that came through that network was encrypted, the company acknowledged that plain text data had been stolen in August and September.
Investigators found that an unauthorized individual gained access to CHARGE Anywhere’s network and ran advanced malware to capture portions of the network traffic leaving CHARGE Anywhere’s systems. Not that the traffic was left unencrypted. But investigators further revealed that there was something lax in the way the connection for outbound traffic was formatted, as it allowed the hacker to grab plain text payment card transaction authorization requests.
What that means – more than the fact that confidential data such as cardholder name, account number, expiration date and verification code have been compromised – is that there is something problematic with how the company encrypted those pieces of information.
It is a good thing, nonetheless, that the compromise did not extend to the merchant and processor systems, as that would have tremendously affected how payment gateways transmit traffic from point-of-sale terminals to payment processors. CHARGE Anywhere was also quick to shut down the malware and remove it from its network following repeated calls for the company to probe fraudulent charges that had taken their toll on customers’ cards.
CHARGE Anywhere said it has been collaborating with credit card firms and processors in order to alert banks to the merchants and account numbers used during the attack period.
But given the growing sophistication of threats, which come in various forms and attack methods, there is no guarantee that the same kind of breach will not happen over and over again. The best approach is for enterprises to embrace adaptive technologies that respond to advanced attacks and scale up to the security requirements of the organization.
Retailers in particular are a constant target of these kinds of attacks because the industry lacks the resources to respond to them.