Grrrwaaaaaarggggh! ‘ChewBacca’ breaches merchants’ defenses

It’s not just the big guys who have to look out for threats from digital criminals. According to reports, over a two-month period cyber thieves stole details from some 24 million card transactions carried out at small retailers in 11 different countries, including Australia, Canada, Russia and the U.S.

The breach was discovered by RSA FirstWatch, which wrote about the discovery on a company blog yesterday. Thieves used "ChewBacca" malware to gain access to retailers’ systems.

According to the RSA blog, ChewBacca uses "a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as Point-of-Sale (POS) systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server."

RSA contacted affected companies and the FBI after discovering the attack on Wednesday. The server used to launch the attacks was shut down yesterday.

As to how to prevent these types of attacks in the future, Yotam Gottesman, senior security researcher at RSA, wrote, "Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."
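The second option in the quote can be checked from the merchant's side. The sketch below is an added example, not code from RSA or from the article: a data-discovery check that looks for plaintext Track 2 records in a buffer the merchant owns (a POS log, a crash dump), and a capture-time step that replaces the swipe with a token so the check comes back empty. The keyed HMAC stands in for the reader-side encryption or processor tokenization a real deployment would use, and the card number, key and log line are constructed test values.

```python
import hashlib
import hmac
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + service code + discretionary data + ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample swipe built around a well-known test card number.
SAMPLE_SWIPE = b";4111111111111111=25121010000000000?"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_plaintext_track2(buf: bytes) -> list[str]:
    """Return masked PANs for each Luhn-valid Track 2 record left in buf."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits


def tokenize_at_capture(swipe: bytes, key: bytes) -> bytes:
    """Swap the swipe for a keyed token (assumption: HMAC stands in for P2PE)."""
    m = TRACK2.fullmatch(swipe)
    if m is None:
        raise ValueError("not a Track 2 record")
    pan = m.group(1)
    tag = hmac.new(key, pan, hashlib.sha256).hexdigest()[:24]
    return b"tok_" + tag.encode() + b"_" + pan[-4:]  # keep last four for receipts


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real key lives in the reader or HSM
    print(find_plaintext_track2(b"txn=1001 swipe=" + SAMPLE_SWIPE))
    print(find_plaintext_track2(b"txn=1001 swipe=" + tokenize_at_capture(SAMPLE_SWIPE, key)))
```

Any non-empty result from `find_plaintext_track2` on a merchant-side log or dump means card data is still in plaintext somewhere between the reader and the processor.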


Discussion Questions

At what point, if ever, do you think continuing reports of data breaches will affect where consumers shop and how they pay for their purchases? From reports, it seems as if the criminals are winning. Is that the case?

10 Comments
Mike Osorio
10 years ago

I continue to be amazed that the US is yet to require pin & chip technology vs. the antiquated and easily exploited magnetic strip technology. Yes, retailers must step up the simple (but not cheap) data encryption tools that thwart the most common threats, to avoid being branded as careless by consumer groups. But requiring chip & pin technology as does most of the developed world would remove the most basic threats.

Tony Orlando
10 years ago

We need to convert all credit cards to smart chips, which would greatly reduce theft. It would cost a few bucks, but issue tax credits to all businesses to help offset the cost.

Ken Lonyai
10 years ago

This is one of the most popular themes here on RW. Surely there will always be security holes, but there is plenty of evidence that the system is very broken. So in a sense, yes the criminals are winning because as a whole, they continue to stay ahead of the system in a fairly significant way.

Consumers are affected because the costs of card processing and losses are neatly tucked into the price of merchandise and will continue to be there. So aside from a small number of consumers shying away from retailers with highly publicized data breaches, the public at large will merrily and unknowingly continue on, subsidizing the cost of criminal activity and payment processing negligence.

Tim Smith
10 years ago

It will take a significant event or decline in overall shopping to get retailers to invest in the latest technology. Until then it is lip service. I thought the Target breach might have been it, but it does not look like it so far.

Shep Hyken
10 years ago

Online commerce has become a security issue, no doubt. The cyber-criminals don’t seem to be thwarted by the best efforts to prevent data breach. The key is that customers feel comfortable making online purchases.

So, first is to point out that the data breach doesn’t happen (typically) at the time of purchase. The crime takes place on computers/servers hosting information.

Second, and this is very important, the crime is not limited to just online retailing. It is on premise as well. Most consumers seem to think there is bigger risk online.

This leads us to the path that any form of credit card or debit card, regardless of online or onsite, is a risk. Hard to live like that. The next time you get into a car, there is a risk that you might have an accident. Does that mean you won’t drive a car? Hardly!

There are companies that are currently able to “insure” against credit card fraud and identity loss. Companies like AllClear work with online retailers to help create a comfort level with consumers who have to share credit card numbers or other critical information.

My take is that no matter what preventative measures retailers take, criminals will do what they can to work around these measures. They just keep finding new ways. That doesn’t mean the effort stops. Innovation and technology will support the effort. But, don’t think the cyber-criminals won’t use innovation and technology to work around anything new that comes up. They will. But, isn’t that the way it’s always been? What’s really changed?

Gordon Arnold
10 years ago

This will continue until the retailers are solely responsible for all losses incurred by the customers by law. These same laws need to provide the victims with protection against corporate flight so the losses aren’t passed through to the taxpayer. (Like that will ever happen!) There are adequate safeguards for highly reliable protection as we speak. Budget shortcuts are the first reason they are not in place, closely followed by system management error # ID-1O-T, which is too common for this day and age.

Lee Kent
10 years ago

As long as the consumer is protected through their bank cards, they are not likely to take up arms. Yes, it is inconvenient, however, their pocketbooks aren’t touched.

The big issue here is that both retailers and financial institutions are involved and must work together. Ha! Ha! I’m laughing out loud as I write this because we all know that changing either of these industries is akin to digging a hole to China. Unending and often fruitless. But folks, it can be done.

If you have read me on this subject before, you know that I do not believe that chip and pin is the answer either. We need to get rid of 20th century technology to deal with 21st century issues. Let’s look at models where the credit data is NEVER all in one place. That would be a start! IMHO….

Shilpa Rao
10 years ago

Breaches will increase the sales of card protection plans. When so many retailers are exposed every day and many not aware of the hack for months and at times years, customer data is no longer safe. Customers will be skeptical of the retailer immediately after the breach, but will return.

Kai Clarke
10 years ago

No. This is clearly a reflection of lazy, uninformed retailers not using encryption of data at the point of capture (leaving raw data exposed and available for thieves). Should this simple, and obvious, encryption step be taken, at the point of capture, it will transfer the onus of security to the engine of the supplier where it is stored and managed in a controlled and secure environment of the card issuer/payment processor.

Ralph Jacobson
10 years ago

As discussed here before, I believe that as fast as merchants and financial institutions implement increased security measures, the criminals will strive to find ways to circumvent them. The key is to stay ahead of those thieves with some of the newer security capabilities available today. This need not be such a vulnerable situation for merchants.