'Backoff' Malware a Huge Problem, Report Suggests

Brandon Dimmel's picture

A new report suggests that roughly one thousand American businesses have been victimized by 'Backoff', a form of malware that exposes customers' most sensitive information, including credit card data. Backoff made headlines late last year when retail giant Target was hit, exposing credit card data of roughly forty million customers.

Now, the National Cybersecurity and Communications Center (NCCIC) and U.S. Secret Service are suggesting that many more businesses have been exposed by the same malware. If an infection occurs, the Backoff malware is capable of recording keystrokes and scanning a system's memory to steal credit card data. That information is then relayed to central command centers (most of which are based abroad), giving cybercriminals an opportunity to make fraudulent purchases.

Antivirus Programs Fail to Detect Malware

Unfortunately, very little is known about Backoff, or how it functions. The NCCIC and U.S. Secret Service recently acknowledged that the malware "had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious." (Source: pcmag.com)

The New York Times recently reported that over a thousand U.S. businesses of all sizes have become infected with the Backoff malware, with affected businesses including big-name companies such as the United Parcel Service (UPS) and Supervalu. Those two firms have acknowledged they were infected, though the full list of the businesses affected has not yet been made available. (Source: nytimes.com)

Antivirus companies are now scrambling to implement new systems capable of identifying and eliminating Backoff infections. For its part, the NCCIC is encouraging all businesses to conduct a careful analysis of their point-of-sale (PoS) systems, though that may be a fruitless endeavor given Backoff's subtle and stealthy nature.

New Purchasing Systems Required, Expert Says

Security experts believe the only way to confront these kinds of hacks is to change how purchases are made.

According to Gartner security analyst Avivah Litan, Backoff infections are made by exploiting weaknesses in the magnetic stripes found on credit cards. "The weakness is the magnetic stripe," Litan said. "I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It's an antiquated technology from the '60s."

That's why many, though not all, credit cards now feature a chip that requires customers to enter a security code before a purchase can be completed. Litan says this makes hacking far tougher, but until every retailer switches to using these systems (at a cost of $500 to $1,000 per terminal), businesses and their customers will remain vulnerable. (Source: nytimes.com)

What's Your Opinion?

Do threats like Backoff make you worry about using your credit card at a retailer (online or in person)? Have you or someone you know been affected by the Target credit card data breach? Do you think that the chip technology present in today's credit cards is safer than the magnetic stripe? Or do you believe it is less safe due to RFID (radio-frequency ID) vulnerabilities?



BikeMobile's picture

Technology makes the crimes easier and less hazardous to the criminal, but with due caution and vigilance, credit systems can be at least as safe as writing a paper check with your signature sample on it, your home address and your account identification numbers in magnetic ink. Virtual one-use credit accounts are my chosen method of due caution. The transaction is good on that virtual account number for the transaction it was generated for, expires at the end of the month, and can be cash-value limited and extended expiration if generated to have those values. Attempted unauthorized use of a virtual number pinpoints the source of the account breach. Use of the core account in a digital transaction is immediately suspect as well. With each freedom/opportunity comes attendant responsibility and risk.
RFID and Chipped cards are two different technologies. I feel more comfortable with the added chipped inconvenience to the RFID vulnerable conveniences. (I also added a photo to the core card, not flattering but accurate.)