This week, the payment gateway solution provider Charge Anywhere revealed that it had been victimized by a data breach that may have compromised data going as far back as 2009.
Charge Anywhere provides payment gateway services, cloud point-of-sale (PoS) solutions, mobile PoS, and other technologies aimed at banks, enterprises, and payment processors. The attack stands as another example of hackers targeting payment card data by going after PoS vendors, as opposed to just merchants.
In September, the PoS system vendor Signature Systems acknowledged it was the source of a breach in which an attacker gained access to a username and password the company used to access PoS systems remotely; the attacker used that name and password to install data-stealing malware. In June, Information Systems & Supplies announced that it had been breached, and that customer data had been exposed.
"I would expect attacks like this to become more frequent and more widespread for the reason that seems to be underreported on this breach -- the substantial increase in mobile payments due to ease of use, and the ability to accept payments quickly, especially to smaller businesses," says CounterTack vice president of security strategy Tom Bain. "Users expect and have a blind trust in applications that support their business -- and just expect that security measures are taken to protect them. In just a six-month span this year, mobile malware attacks have increased [by six times] globally."
According to Charge Anywhere, an investigation began when the company was asked to look into fraudulent charges that appeared on cards that had been used legitimately at certain merchants. The investigation revealed that an attacker gained access to the network and installed malware that was then used to create the ability to capture segments of outbound network traffic. Though most of the outbound traffic was encrypted, "the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests," the company says on its website.
The malware was discovered Sept. 22.
"During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified," according to the company. "Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
Chris Messer, vice president of technology at the private cloud and managed IT services provider Coretelligent, argues that the outbound encryption element of this story and the technical details that are not being shared raise flags. The Charge Anywhere breach reinforces the need for all organizations that entrust their data to outside parties to perform due diligence to ensure those third parties are adhering to industry standard best practices and reference architecture designs.
"The statement by Charge Anywhere in and of itself is rather contradictory, likely indicating that they were not leveraging full end-to-end encryption for all data during transmission, and there were clearly technical shortcomings to their architecture that the attackers were able to exploit in order to sniff/collect their raw data traffic containing this transactional data," he says. "It is also possible that their production network was not properly segmented, allowing an insecure workstation to directly access their production network where transactional data was being processed/transmitted."
Lancope CTO TK Keanini says he expects aggregation points in other sectors to be at higher risk, as well.
"I do expect to see more of this because of two factors. Everyone is growing more and more connected -- customers, partners, firms -- and in this mesh, the attacker can pick any entry point, no matter where they want to ultimately target. The second factor is, with this hyperconnectivity, attackers can go after targets that aggregate information instead of having to compromise individual systems," he says. "Why go after 1,000 targets when those 1,000 targets all aggregate at a single point of compromise? This pattern is not new. It is just the smart way to go about doing the work."