The mobile payment solutions provider Charge Anywhere recently acknowledged that a hacker installed malware on its network "that had not been previously detected by any anti-virus program," and that the malware was used to "capture segments of outbound traffic."
The malware was in place for almost five years. It was discovered on September 22, 2014, and forensic investigation determined that network traffic was captured from August 17, 2014 through September 24, 2014 -- but the company says the hacker "had the ability to capture network traffic as early as November 5, 2009."
And the payment card data was accessed in plain text. "Much of the outbound traffic was encrypted," the company noted in a statement. "However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."
The data potentially exposed in those payment card transaction authorization requests includes cardholder names, account numbers, expiration dates and verification codes.
Charge Anywhere is providing a searchable list of merchants who may have been affected, though the search function requires an exact match on the merchant's business name.
"We completely eradicated the malware from our systems and have been working with computer security firms to further strengthen our security measures," Charge Anywhere said in a statement.
"We have also been working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted," the company added. "When banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges."
Tripwire security analyst Ken Westin told eSecurity Planet by email that the Charge Anywhere breach shows how crucial it is for merchants to research the security of their payment providers. "When it comes to payment vendors, cheapest is not always the best," he said.
"The best thing retailers can do is to get very curious about the security practices of their payment vendors," Westin added. "They should ask a lot of questions regarding security controls and ask for audit reports and proof of compliance where applicable. It also pays to be very cautious about the terms and conditions in vendor contracts, because these establish who is responsible for costs and damages when there is a compromise."
"The last thing retailers want is to be liable for a vendor’s incompetence," Westin said.
A recent eSecurity Planet article offered advice on how to deal with a data breach, from documentation and communication to incident response and notification.
Photo courtesy of Shutterstock.