Tuesday, April 23, 2024

Gateway Charge Anywhere Discloses a Breach Affecting Undisclosed Number of Credit and Debit Cards

 

Chalk another payment-card data breach up for the bad guys. Payment gateway Charge Anywhere LLC announced Tuesday it discovered a breach of its payments network. It says it has shut down the malware that caused it.

South Plainfield, N.J.-based Charge Anywhere said the malicious software had not been previously detected by any antivirus program. It was discovered Sept. 22 after the company had been asked to investigate fraudulent charges that appeared on cards that had been used legitimately at certain merchants.

After removing the malware, Charge Anywhere hired a computer-security firm to investigate how the malware was used and to make network-security improvements. Disturbingly, Charge Anywhere found the malware had been on its network since Nov. 5, 2009, though it says the only evidence any network traffic was stolen is from Aug. 17, 2014 to Sept. 24, 2014.

Charge Anywhere says the malware was able to capture segments of outbound network traffic. However, while much of the outbound traffic was encrypted, the format and method of connection for some outbound messages enabled the hacker to capture and then gain access to plain-text transaction-authorization requests. Such requests can contain the cardholder name, account number, expiration date and verification code.

Charge Anywhere says no merchant systems or devices were affected by the malware, nor were any systems at any independent sales organization, processor, or other service provider.

“We have eliminated the malware from our network,” Charge Anywhere says in a press release. “Merchant transactions will be routed as usual and we will continue to provide payment gateway services.” Charge Anywhere declined to comment beyond statements in its press release.

Charge Anywhere says it is providing a list of merchants and affected card numbers to credit and debit card issuers and processors. It also created a searchable list of affected merchants, which is available on the Charge Anywhere Web site.

What strikes Shirley Inscoe, senior analyst at Boston-based Aite Group LLC, as unusual about this incident is that only five weeks of payment data appear to have been stolen despite the malware’s five-year presence on the Charge Anywhere system.

“It is surprising this malware was installed and they claim no data was obtained until 2014,” Inscoe says.

Also unusual is that it appears Charge Anywhere programmers may not have encrypted all of the data as it moved from one point to another, she says. The PCI Security Standards Council lists training developers in secure coding techniques as part of version 3.0 of its data-security standard.

“That’s unfortunate, but it sounds like that’s what happened,” Inscoe says. And judging from Charge Anywhere’s press release, it appears the incident is closed. If accurate, Inscoe says the data should not change.

The Charge Anywhere breach illustrates that any entity involved in payments is a target, says Al Pascual, director of the fraud and security practice at Pleasanton, Calif.-based Javelin Strategy and Research. “Criminals are attacking every piece of the payment infrastructure,” he tells Digital Transactions News. “Payment gateways are another piece of the puzzle and are very attractive. It’s not a huge surprise.”

Pascual, skeptical that the malware sat on Charge Anywhere’s network for five years and captured only five weeks of data, says this incident should prompt payments companies to review their network logs and look for unusual data transmission.

“It goes to show there is a very good chance that those businesses that have yet to acknowledge they have been breached should really take a closer look at their data and go back and review their network logs,” Pascual says.

Data breaches continue to plague the payments industry. In fact, The Home Depot Inc. and Target Corp. said their separate breaches have cost them $28 million and $248 million, respectively.

Payment-data breaches are beginning to affect consumer confidence in electronic payments, finds an informal survey of Digital Transactions News readers. When asked what impact the breaches had on that confidence, 50% of respondents said “A great deal,” 38% “Some,” and 13% “No effect.”
