The United States Department of Homeland Security recently revealed that more than 1,000 American retailers may have lost customers' private information to cyber-criminals who accessed stores' payment processing systems using malware.
Government cyber experts say that they discovered the malicious software, which they are referring to as "Backoff," in October of last year. The word "backoff" is found in a line of code in the program. Until this month, antivirus protection software was unable to discover the malware.
The malware finds a way to access a company's internal computer system via a non-secure point of entry - for example, a telecommuting employee who is accessing the network from a remote location. They then download the malware and troll the system until they are able to gain access to the program responsible for handling point-of-sale information, such as customers' credit and debit card numbers, names, email addresses and physical addresses.
"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware," reads the official release. "Seven [point-of-sale] system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised location, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected."
That means that at least a handful of companies have discovered data breaches but have chosen not to alert the public. The Department of Homeland Security says it is likely that many retailers have been infected and don't realize it. They are urging small to mega-sized businesses to aggressively check their payment processing systems to see if they have been infected with Backoff.
The malware takes personal information straight from the magnetic strips on the backs of credit and debit cards.
"The weakness is the magnetic stripe," security analyst Avivah Litan tells The New York Times. "I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It's an antiquated technology from the '60s."
In light of the recent wave of high-profile data breaches, credit card companies have told retailers they must transition their programs to read smart credit cards, which communicate customer information through a digital chip.
Cyber-criminals are able to print your name and credit card information onto counterfeit cards. They then sell these cards on the black market to users who can shop under your name. However, the smart cards' digital chips are far more difficult to replicate than the commonly used magnetic strips. Retailers are not expected to comply with the deadline, because such upgrades are extremely expensive.
This latest data breach news broadens the scope of the identity theft problem even more. It's becoming more and more clear: If you have a credit or debit card, your personal information may very well be in the hands of identity thieves. One step you can take to help protect yourself is to invest in a credit monitoring service.
While such systems cannot guarantee the security of your personal data, they can alert you when certain indicators of fraud surface that are connected to your name. This gives you the opportunity to take measures to stop the fraud before it gets out of control. Otherwise, if you are not aware of what is happening, it could be months or years before you discover the damage done to your creditworthiness.