Mobile payments firm Charge Anywhere has been left rueing its decision to only partly encrypt card data crossing its network after revealing that malware on its systems may have allowed attackers to capture card details from as far back as 2009.
The New Jersey-headquartered firm, which handles payments for mobile apps, websites and M-POS systems, said in a lengthy statement that it found the previously undetected malware after being alerted about fraudulent transactions that appeared on some of its customers’ cards.
It continued:
“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”
Charge Anywhere said that during its investigation it only found files containing parts of captured network traffic from 17 August 2014 to 22 September 2014.
However, it added:
“Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009.”
Details affected could include cardholder name, account number, expiration date, and verification code, it said.
The firm urged customers to continually review their accounts to check for any potentially fraudulent transactions, but said that merchants needn’t take any action as the malware affected only Charge Anywhere’s network and has now been completely removed.
A list of FAQs has been posted online for customers, along with a searchable list of the merchants affected.
“We have also been working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted,” the firm added.
Charge Anywhere is only the latest in a string of high-profile data breach incidents at retailers, payment processors and other businesses in the US this year.
The incident will add further momentum to the industry push to implement chip and PIN across the board in the US in order to make this kind of cyber attack less appealing to cyber criminals.