Another month and another big retailer hit with credit card theft. This time it is Home Depot. Last time it was Target. Before that it was Sally Beauty, P.F. Chang's, and the list goes on. This week’s news comes after credit cards showed up for sale on rescator dot cc. There is much speculation about how the breach occurred. There are questions about the type of firewall, IDS, and malware detection. Central to the conversation is point-of-sale malware that steals credit card information directly from the cash register system. One variant called Backoff was unveiled in July and has already infected over 1,000 businesses. It is known to access computer memory and use keyloggers to get credit card information.
PCI-DSS requires encryption during storage and transit. However, that does not protect against memory scrapers and keyloggers. How do we actually stop this trend?
Is the answer more network-based and host-based threat prevention to avoid the malware infections?
Should POS systems be trusted software running on trusted hardware on private networks?
What about chip-and-PIN based credit cards? The requirement of a PIN in addition to the physical card will reduce reuse of cloned cards. However, it does not solve the problem of card-not-present environments such as e-commerce and telephone-based orders.
Some suggest that Bitcoin and other blockchain-based approaches provide a safer option for online transactions because they are not susceptible to replay attacks in the same way that stolen credit card information can simply be replayed.
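The replay point can be made concrete with a small model, added here as an illustration and not taken from any payment network's or blockchain's actual protocol. It contrasts a verifier that accepts a static card number with one that requires a per-transaction tag bound to the amount, merchant and a counter; HMAC with a shared key stands in for the digital signature a blockchain would use, and all names and values are constructed.

```python
import hashlib
import hmac

# Constructed sample values, not real card data.
CARD_NUMBER = "4111111111111111"   # widely used test number
CARD_KEY = b"constructed-per-card-secret"


class StaticVerifier:
    """Accepts any request that presents the right card number."""

    def authorize(self, pan, amount, merchant):
        return pan == CARD_NUMBER


class SignedVerifier:
    """Accepts a request only if its tag covers the transaction details
    and its counter has not been seen before."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def authorize(self, pan, amount, merchant, counter, tag):
        expected = sign(self.key, pan, amount, merchant, counter)
        if not hmac.compare_digest(expected, tag):
            return False          # details altered or key unknown
        if counter <= self.last_counter:
            return False          # same authorization presented again
        self.last_counter = counter
        return True


def sign(key, pan, amount, merchant, counter):
    """Computed on the payer's device; the key itself is never transmitted."""
    msg = f"{pan}|{amount}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    static, signed = StaticVerifier(), SignedVerifier(CARD_KEY)
    tag = sign(CARD_KEY, CARD_NUMBER, 1999, "store-a", 1)
    return {
        "static_first": static.authorize(CARD_NUMBER, 1999, "store-a"),
        "static_replay": static.authorize(CARD_NUMBER, 50000, "store-b"),
        "signed_first": signed.authorize(CARD_NUMBER, 1999, "store-a", 1, tag),
        "signed_replay": signed.authorize(CARD_NUMBER, 1999, "store-a", 1, tag),
        "signed_altered": signed.authorize(CARD_NUMBER, 50000, "store-b", 2, tag),
    }


if __name__ == "__main__":
    print(demo())
```

In this model a captured card number keeps working at any merchant for any amount, while a captured tag is rejected both when presented again and when the transaction details are changed.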
What are the other options?