Another month and another big retailer hit with credit card theft. This time it is Home Depot. Last time it was Target. Before that it was Sally Beauty, P.F. Changs, and the list goes on. This week’s news comes after credit cards showed up for sale on rescator dot cc. There is much speculation about how the breach occurred. There are questions about the type of firewall, IDS, and malware detection. Central to the conversation is point-of-sale malware that steals credit card information directly from the cash register system. One variant called backoff was unveiled in July and has already infected over 1,000 businesses. It is known to access computer memory and use keyloggers to get credit card information.
PCI-DSS requires encryption during storage and transit. However that does not protect against memory scrapers and keyloggers. How do we actually stop this trend?
Is the answer more network-based and host-based threat prevention to avoid the malware infections?
Should POS systems be trusted software running on trusted hardware on private networks?
What about chip-and-pin based credit cards? The requirement of a pin in addition to the physical card will reduce reuse of cloned cards. However it does not solve the problem of card-not-present environments such as e-commerce and telephone based orders.
Some suggest that Bitcoin and other blockchain-based approaches provide a safer option for online transactions because they are not susceptible to replay attacks in the same way that stolen credit card information can simply be replayed.
What are the other options?
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
