Backoff Malware May Spark Shift to EMV, Dual Authentication

The Backoff malware, which targets point of sale systems and has hit hundreds of businesses, may catalyze adoption of EMV "chip and PIN" cards and two-factor authentication as merchants look for ways to soften the impact of the next attack.

"Chip and PIN are a big thing, because it greatly diminishes the value of the information that can be trapped by this malware," said Karl Sigler, a director at Trustwave, a security company that estimates about 600 businesses have been targeted by the new malware.

The malware uses infected websites to infiltrate the computing devices that host point of sale systems or are used to make payments, such as PCs, tablets and smartphones.

Merchants can install software that monitors the their payments systems for possible intrusions, but "the thing is you can't just have anti-virus programs and think you are safe," said Tomer Weingarten, CEO of the security company SentinelOne.

Credit card data is particularly vulnerable because the malware can steal data directly from the magnetic stripe or keystrokes used to make card payments. 

"The point of sale system is low-hanging fruit because a lot of businesses don't own their own POS system, they rent them, or a small business may hire a third party to implement their own point of sale system," Trustwave's Sigler said, adding security of third party systems may not be in line with the merchant's level of concern. The Payment Card Industry Security Standards Council issued new guidance this month to address security for outsourced digital payments.

EMV-chip cards, which are designed to deter counterfeiting, would gut the value of any stolen data, Sigler said.

"With this magnetic stripe data, the crooks can clone the card and sell it on the black market," he said. "With chip and PIN, the data changes for each transaction, so each transaction is unique. Even if the malware grabs the data, there not a lot the crooks can do with it."

The EMV migration in the U.S. has recently accelerated, driven in part by recent high-profile data breaches. Even with that momentum, the U.S. may still take longer than the card networks' October 2015 deadline to fully shift to chip-card acceptance.

And EMV does not by itself mitigate the threat of breaches, said Al Pascual, a practice leader for fraud and security for Javelin Strategy & Research. Two-factor authentication, or the use of a second channel or computing device to authorize a transaction, will likely share in the boost in investment stemming from data security concerns.

"The continued compromise of point of sale merchants through a variety of vectors, including malware such as Backoff, will motivate the implementation among merchants of stronger authentication to prevent unauthorized access to card data," Pascual said.

Backoff has garnered a lot of attention, including a warning from the U.S. government, but it's not the only malware targeting payment card data.

"It is not the types of threats which are new, but rather the frequency with which they are occurring which has put merchants on their heels," Pascual said. "That being said, there is also an acute need to educate small merchants on both the threats and respective mitigation techniques."

The heightened alert over data vulnerability should boost the card networks' plans to replace account numbers with substitute tokens to protect digital payments, said Julie Conroy, a research director at Aite Group.

Tokens would not necessarily stop crooks from infiltrating point of sale systems, but like EMV technology, they would limit the value of the stolen data.

"There are two sides to the equation, the issuers and the merchants," Conroy said. "To the extent we see both sides adopt tokenization, you will see fewer breaches and they will be less severe because the crooks will be getting a token instead of card data."