Multiple merchants are impacted by the incident

Dec 9, 2014 21:42 GMT  ·  By
CHARGE Anywhere is a provider of mobile, cloud and integrated payment solutions

A piece of malware capable of capturing outbound traffic infiltrated the network of CHARGE Anywhere, a provider of mobile payment solutions for merchants, and evaded detection for almost five years, from November 5, 2009 onward.

The company works as an intermediary between the point-of-sale (PoS) systems set up at retailers and their payment processors. All the traffic associated with a card transaction is routed through its infrastructure.

The traffic the attacker intercepted was encrypted, but the company says it found evidence that some of it was decrypted and that customer card data was compromised.

Over one month of payment transactions accessed in the clear

CHARGE Anywhere first learned of the intrusion on September 22, 2014, almost five years after it began. An investigation was started immediately, with forensic analysis identifying the nature of the malware and its capabilities.

According to the company, the investigators found the threat to be a sophisticated one that no antivirus solution detected at the time; the implication is that some security products have since added the necessary detection capabilities.

It is unclear what sort of encryption was used to protect the sensitive information in transit, but CHARGE Anywhere says the investigation revealed that the intruder was able to access plain text traffic containing payment transaction authorization requests during a specific time frame.

“During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified,” an official statement from the company issued on Tuesday reads.

However, the malware had traffic capture ability from the beginning, so card information going back as far as November 5, 2009 may have been exposed; this may include the cardholder's name, account number, card expiration date and verification code.
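The investigation's key finding is that only some of the captured segments were readable: most of the intercepted traffic was ciphertext, but a subset held authorization requests in the clear, with PAN, expiry and verification code. The following is an added example, not code from CHARGE Anywhere or its investigators, of how an incident responder would triage a pile of such capture segments: skip segments that are still ciphertext, pull out digit runs that pass the Luhn check and match a card-brand prefix, and note whether an expiry or CVV field sits next to each one. The segment contents, the URL-encoded field names (pan=, exp=, cvv=) and the trimmed brand-prefix table are all assumptions constructed for the example; real processor formats differ. The two segments below are constructed sample data, and the PANs are the standard test numbers, not real cards.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Digit runs of card-number length, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Invented field names for the surrounding authorization request (assumption).
EXPIRY_FIELD = re.compile(rb"(?i)(?:exp|expiry|expdate)=(\d{4})")
CVV_FIELD = re.compile(rb"(?i)(?:cvv2?|cvc)=(\d{3,4})")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> Optional[str]:
    """Trimmed prefix/length table for the major brands (assumption, not exhaustive).
    Luhn alone is not enough: many timestamps and order ids pass it by chance."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "discover"
    return None


def looks_plaintext(segment: bytes, threshold: float = 0.9) -> bool:
    """Ciphertext has almost no printable bytes; a cleartext HTTP request is nearly all printable."""
    if not segment:
        return False
    printable = sum(1 for b in segment if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(segment) >= threshold


def mask(pan: str) -> str:
    """Keep first six and last four so the report itself is not a second leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    segment: str
    offset: int
    masked_pan: str
    brand: str
    expiry: Optional[str]
    cvv_present: bool


def scan_segment(name: str, data: bytes, window: int = 256) -> List[Finding]:
    """Report every brand-plausible, Luhn-valid PAN in a cleartext segment,
    together with any expiry/CVV field found within `window` bytes after it."""
    findings: List[Finding] = []
    if not looks_plaintext(data):
        return findings  # still encrypted: nothing to recover here
    for m in PAN_CANDIDATE.finditer(data):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        b = brand(pan)
        if b is None:
            continue
        tail = data[m.end():m.end() + window]
        exp = EXPIRY_FIELD.search(tail)
        cvv = CVV_FIELD.search(tail)
        findings.append(Finding(name, m.start(), mask(pan), b,
                                exp.group(1).decode() if exp else None,
                                cvv is not None))
    return findings


def scan_all(segments: Dict[str, bytes]) -> List[Finding]:
    out: List[Finding] = []
    for name, data in segments.items():
        out.extend(scan_segment(name, data))
    return out


# Constructed sample capture segments (assumption; not real captured traffic).
SEGMENTS: Dict[str, bytes] = {
    # A TLS application-data record: header plus opaque bytes, still ciphertext.
    "seg-001.bin": bytes.fromhex("170303002a") + bytes(range(0x80, 0xAA)),
    # An authorization request that left in the clear. The order id fails Luhn;
    # the timestamp passes Luhn but matches no brand prefix; only the two PANs
    # should be reported.
    "seg-002.bin": (
        b"POST /authorize HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
        b"merchant=M001&order=1234567890123456&ts=1418161320000"
        b"&name=JANE+DOE&pan=4111111111111111&exp=1216&cvv=123&amount=42.17\r\n"
        b"merchant=M001&name=JOHN+ROE&pan=5555555555554444&exp=0517&amount=9.99\r\n"
    ),
}

if __name__ == "__main__":
    for f in scan_all(SEGMENTS):
        print(f"{f.segment} @{f.offset}: {f.brand} {f.masked_pan} "
              f"exp={f.expiry} cvv={'yes' if f.cvv_present else 'no'}")
```

The printable-ratio heuristic is the cheap first pass that separates segments still under TLS from the ones that went out in the clear; anything reported from a cleartext segment is then a concrete list of exposed accounts to hand to the processors, which is the notification step the company describes below.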

Multiple retailers affected, searchable list provided

The incident was discovered when the company was asked to look into fraudulent transactions recorded on cards that had been used legitimately at multiple merchants relying on solutions from CHARGE Anywhere.

A search service for retailers that may be impacted by the breach has been provided. Currently, there is no clear information on how many entities the incident affects.

Although the only captured traffic found dates from the time frame stated above, cards used at the affected merchants since November 5, 2009 are assumed to have been compromised.

It is important to note that the malware was found only on the systems of CHARGE Anywhere and that the devices at customer locations are considered safe.

Steps to reduce the risk of fraud have been taken: credit card companies and payment processors have been given the names of the affected merchants and the account numbers of the cards processed. Banks can thus monitor transactions involving those cards and act to prevent fraudulent charges.
