Will Consumers "Back Off" Brick-and-Mortar After Latest Breach?

By Gregg Aamoth, Co-founder, POPcodes — October 08, 2014

A few weeks ago, the Department of Homeland Security revealed malicious software had infected more than 1,000 retailers' point of sale systems, potentially leaking customers' credit card data to hackers. This malware, known as "Backoff," was highlighted again in Home Depot's announcement early last month. With Target's similar "Black POS" breach in the not-so-distant past, these announcements mark strike after strike against already shaky consumer confidence.

How the hacks are happening
Many of today's POS systems are essentially specialized personal computers, capable of a wide range of functions including communicating with the financial systems that process credit and debit card transactions. Hackers, familiar with the inner-workings of the operating systems and utilities commonly used to maintain them, write malicious programs such as Backoff to gain access to the information that flows through the system. The malware takes advantage of remote control functions available in PC-, Apple- and Android-based centralized administration tools to surreptitiously redirect data to hackers' own systems. This data includes the prized credit card information entered via swipe and manually by the cashier.

The risk for Canadian customers, whose banks implemented more secure chip-and-PIN-based credit cards years ago, is relatively low. Unfortunately, most U.S. banks still issue older mag-stripe-based credit cards and most U.S. retailers haven't implemented end-to-end encryption technology at the point of sale. As a result, financial data is unencrypted or "in the clear" for a short – but clearly long enough – time during the authorization process.

How to protect against hacks
The best medicine for malware is to take routine, aggressive, preventative action. If this practice is not already in place, consider updating and running antivirus software on every device that processes transactions as part of the start- and end-of-day routine.

Another method of protection now available is to separate payment-related information from the rest of the retail technology ecosystem entirely. This might sound complicated, expensive or aggressive – and for the largest retailers, it likely is. But considering the constant change in types of attacks and the impact of a breach, retailers can't afford to wait to invest in this type of solution.

Separate sales data from payment information
Any device that captures and redirects unencrypted credit data is – and will always be – at risk of compromise. To be fully secured (at least until hackers break through current encryption methods), every piece of hardware and software in the payment process, starting with the credit card itself, needs to be encrypted. For large brick-and-mortar merchants, encryption requires a massive investment in new hardware and upgraded software.

But the same threat does not extend to e-commerce systems, since nearly all retailers took steps to better protect this credit card data years ago. Data is encrypted when it's first entered into HTTPS-enabled, web-browser-based checkout, and typically stays separated and encrypted throughout the authorization process.

Of course, while consumers love shopping online, not everyone wants to wait for an item to ship to his or her home. In-store pick-up allows customers to purchase on an encrypted site and have the item in-hand that day. It removes hackable cash registers from the equation entirely, letting Backoff-fearing retailers and consumers rest secured.


Gregg Aamoth is the co-founder of POPcodes, a cloud-based retail redemption solution that bridges the gap between the virtual and physical shopping experience. Prior to launching POPcodes Gregg spent more than 20 years in retail and financial systems leadership, including 10 years as vice president of customer marketing systems and privacy officer for Macy's Inc.