As the holiday shopping season approaches, point-of-sale malware continues to rise from the already high levels throughout 2014 and to infect more businesses. The Backoff malware in particular, which the Secret Service estimated had impacted 1,000 organizations in late August, continues to spread.
That’s the findings from Damballa in their Q3 2014 State of Infections Report.
Damballa’s CTO Brian Foster gave an update on those numbers on Friday’s Cybercrime and Business Podcast: “Just from the beginning of October until now, we’ve seen a 67% increase, so we continue to see momentum there in a number of infections that we’re finding.”
Part of that rise can be attributed to the race to get into systems before the holiday season goes into full swing.
“We’re entering the busiest time of year for retail,” Foster said. “Every retailer is basically going to have a time of the year where they lock down their IT systems for the holidays, and every hackers’ dream is to be part of the image that gets locked down because they know they’re there for a couple months.”
Last month Staples became the 60th company tied to POS malware in 2014, based on SurfWatch Labs data, and more than half of those hit the news just in the past three months.
We asked Foster about two key points surrounding POS malware and the surge this year.
What is going on that so many companies are being impacted?
It’s complicated, he said, but part of it is the disconnect small business have to their payment devices since they’re provided through a third party.
“A lot of the smaller businesses don’t feel like they own those devices to know what’s securing their information, and I think part of what needs to happen is – we’ve talked about this in the most recent supply chain webinar – you do need to hold your third party accountable for what happens.”
And why is it that, as many studies have pointed out, no one is discovering these breaches until they’ve been plundered?
On that point Foster echoed what we’ve been hearing from experts all year long: perimeter detection is not enough.
“It’s too easy for the malware writers, the threat actors, to tweak the malware so that your typical antivirus can’t detect it, and that’s exacerbated in the point-of-sale environment where these devices are not updated all the time.”
It’s this eggs-in-one-basket mentality that’s keeping everyone in the dark when businesses are infected, which seems to be happening quite often in the Consumer Goods sector.
He added: “None of these preventative tools are 100 percent. Things are getting through. So what has to happen is a reasonable level of investment on detecting the things that get through and responding to those.”
With Black Friday and the start of the holiday season less than two weeks away, what does all of this mean for retailers?
For starters, we’ll likely see more breaches in the news – just as we have all year.
But more importantly, a shift may happen as a business are starting to wake up to the problem. That means more money being invested into security in addition to a change in how that security money is spent.
“JPMorgan Chase came out, their CEO, and said, ‘Hey, we spent $250 million on security and we’re going to be doubling that over the next five years.’ And I think that’s the phenomenon we’re going to see across the different verticals because the only way they’re going to be able to compete and hold the confidence of their customers it to make sure their transactions are secure.”