Payment Cards Compromised for Nearly 6 Months at Unspecified Number of Stores
Buckle, a clothing retailer with 450 stores across the United States, said Friday that malicious software may have been used to steal payment card details for nearly six months, putting customers at risk.
See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry
Buckle’s breach alert, issued Friday, said that it had launched an investigation after it “became aware” that “a criminal entity accessed” payment card data some of its stores.
Buckle didn’t note how or when it first learned of the breach, and couldn’t be immediately reached for comment. But the malware was active on its point-of-sale systems for nearly six months – from Oct. 28, 2016, until April 14, 2017. Thus it’s likely that the breach was discovered on or around April 14, meaning that the company waited about two months before warning potentially affected customers (see Data Breach Notifications: What’s Optimal Timing?).
The company’s first public breach pronouncement about the breach, issued late Friday, followed security blogger Brian Krebs reporting Friday that earlier in the day, he’d queried the company about a potential breach.
Investigation Found Malware
After Buckle learned of the breach, “we immediately launched a thorough investigation and engaged leading third-party forensic experts to review our systems and secure the affected part of our network,” the company says. “Through that investigation we learned that our store payment data systems were infected with a form of malicious code, which was quickly removed.”
The malware collected the card number, expiration date and holder’s name, Buckle says. The company does not believe that any other customer information – including Social Security numbers, email addresses or physical addresses – were accessed or stolen.
Buckle says the malware did not affect all of its POS systems or customers’ transactions during the nearly six-month breach window. The company has yet to detail how many customers or cards may have been compromised.
Buckle says it has blocked connections between its systems and potentially malicious IP addresses and cleaned malware off of all affected systems. It has also advised customers to monitor payment card statements for fraud.
“We are cooperating fully with card brands and forensic investigation services,” Buckle says. “Any affected individuals either have or will likely receive communications from their issuing banks with additional instructions and/or replacement cards.”
Buckle Is EMV-Compliant
The United States has been moving to implement the EMV chip-and-signature standard for better payment card security following staggering breaches at retailers such as Target in 2013 and Home Depot in 2014.
EMV payment cards have a microchip that contains account information and generates a one-time code that prevents the use of cloned cards. Cards are cloned by copying data contained on the magnetic stripe on the back of the card and encoding that information onto a dummy card.
Chip cards still have the magnetic stripe on the back, and it is still possible to copy, or “skim” that information. But if a fraudster tried to use the cloned card, theoretically the transaction should be rejected during the payment authorization process, since backend systems would expect a card with that number to have a chip.
To accommodate EMV cards, retailers must upgrade their payment terminals. Buckle says terminals at all of its stores have been upgraded to accept those kinds of cards, which it believes limits the risk of counterfeit cards being generated using intercepted card data.
“However, it is possible that certain credit card numbers may have been compromised,” Buckle says.
Those at risk would be Buckle customers who swiped their cards at payment terminals so that the magnetic strip could be read – in theory, because they were using a card that lacked an EMV chip. The captured data could possibly be used for online purchases. But most retailers require the CVV code that is printed on the back of the card – a three-digit code, except for American Express cards, which use four digits – and which is not part of the track data.
The United States has been slowly moving towards full EMV compliance. Earlier this month, EMVCo., a technical body owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa, said EMV chip adoption stands at 52.2 percent, up from 26.4 percent in 2015.
Retail Breach Epidemic
Buckle’s breach alert follows retailer Kmart earlier this month disclosing that payment terminals in some of its 735 stores nationwide had been infected with malware. A Kmart spokesman claimed the malware was “undetectable” by anti-virus systems or application controls (see Kmart Confirms Breach at Unspecified Number of Stores).
The Buckle and Kmart’s breaches show that despite increased concerns about card security over the past several years, cybercriminals are still finding footholds in systems and deploying card-stealing malware. Most often seen is RAM-scraper malware, which grabs payment card details as a card gets swiped, when these details get transmitted in unencrypted form and briefly reside on a payment system’s volatile memory.
Such attacks continue, even within corporate entities that might – at least in theory – sport large security budgets.
Security experts say cybercrime gangs employ different types of POS malware, but note that most of it is functionally identical, unsophisticated and could be better blocked if retailers changed default passwords on their POS devices and used segmentation to better isolate POS systems (see Why POS Malware Still Works).
Once attackers sneak malware onto POS systems – or servers that process or handle POS card data – detecting the attack code remains challenging, security experts say. Malware developers often use compression and other tricks in order to bypass security software. Some types of security systems, however, can study how new executables behave and can catch malware when it does something suspicious. But again, those systems can be fooled, and not all organizations have invested in such defenses.
Executive Editor Mathew Schwartz also contributed to this story.