A malware attack exploiting a point-of-sale (POS) software vulnerability has exposed hundreds of credit and debit card accounts, BankInfoSecurity.com reports. While the recent fraudulent transactions have been linked to accounts only near Louisville, Kentucky, it’s suspected that the malware has likely affected POS networks and systems in other states, said Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust.
The U.S. Secret Service and banks are investigating the breach and trying to pinpoint the merchant points of compromise, Meadors said, adding it does not involve a processor, as originally thought. “A local reseller provided the software that stores use in their card-reading devices to transfer data to Visa and MasterCard.”
The attack does not appear to have affected PIN-debit transactions, though it likely included a number of card brands, including Visa and MasterCard. Many potentially fraudulent transactions were caught and stopped, including transactions at retail locations in California, Meadors said. Affected merchants have been contacted by the Secret Service and their POS systems upgraded to prevent additional attacks.
It is suspected that the malware attack exploited a remote software weakness, Meadors said, adding that many merchants are unaware of necessary software updates when they become available. Meadors said software resellers need to do a better job educating merchants about the need to upgrade their software. “The merchants were not at fault here, nor were the banks,” she said. “It’s an ongoing problem with the software companies, and it needs to be addressed.”
According to Nick Percoco, senior vice president at forensic investigator Trustwave, attacks such as these represent the greatest threats merchants face. “We see remote access comprising a high percentage of how these attackers are getting in,” he said. (NACS: www.nacsonline.com)