Though Backoff is known only to have infected POS systems, the program logs PINs from debit card transactions that can be paired with track data for use at ATMs.
August 27, 2014
Following on an advisory by the U.S. Secret Service and Department of Homeland Security about "Backoff" malware, the PCI Security Standards Council has made a number of recommendations applicable to organizations in the payments environment.
Though Backoff is known only to have infected POS systems (about 1,000 of them nationwide, Feds say), the program includes keylogging functionality. This means that criminals can retrieve PINs from debit card transactions and pair them with track data on counterfeit cards to be used at ATMs.
The malware, which has been active since at least October 2013, has already resulted in the compromise of large amounts of cardholder data and the transmission of this information to criminal organizations.
The PCI Council is encouraging organizations "as a matter of urgency" to consider the following recommendations:
- contact your provider of antivirus solutions and ensure you have the most recent and up to date version of antivirus software that will detect “Backoff” and other similar malware;
- run this solution immediately;
- review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations; and
- require all default and staff passwords on systems and applications to be updated. Provide good guidance on choosing a secure password (see PCI Data Security Standard Requirements 2 and 8).
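The third recommendation, reviewing system logs for large data files being sent to unknown locations, is the one that most readily turns into a repeatable check. The script below is an added example and is not part of the PCI SSC advisory or the Secret Service/DHS alert. It assumes a constructed firewall export format (timestamp, ALLOW/DENY, source, destination:port, bytes out), a constructed allowlist of expected destinations for the POS segment, and a constructed 5 MiB threshold; real deployments would substitute their own log parser, allowlist and threshold. It aggregates outbound bytes per source/destination pair and flags pairs that are both unknown and above the threshold, which is the pattern the advisory describes.

```python
"""Flag large outbound transfers to unknown destinations in firewall logs.

Added example, not from the PCI SSC advisory. The log format, addresses,
allowlist and threshold below are all constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed line format:
#   "<timestamp> <ALLOW|DENY> src=<ip> dst=<ip>:<port> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Destinations the POS segment is expected to reach (constructed, e.g. the
# payment processor and the patch server). Anything else is "unknown".
KNOWN_DESTINATIONS = {"203.0.113.10", "203.0.113.11"}

# Total bytes out per (src, dst) above which a finding is raised (constructed).
EXFIL_THRESHOLD_BYTES = 5 * 1024 * 1024  # 5 MiB

# Constructed sample log: one POS host pushes ~7 MiB to an unknown address in
# two chunks, another sends a large but expected upload, one line is noise.
SAMPLE_LOG = """\
2014-08-20T02:11:07Z ALLOW src=10.20.1.15 dst=203.0.113.10:443 bytes_out=18233
2014-08-20T02:12:41Z ALLOW src=10.20.1.15 dst=198.51.100.77:443 bytes_out=3145728
2014-08-20T02:13:02Z ALLOW src=10.20.1.15 dst=198.51.100.77:443 bytes_out=4194304
2014-08-20T02:14:19Z DENY src=10.20.1.16 dst=198.51.100.5:21 bytes_out=0
2014-08-20T02:15:33Z ALLOW src=10.20.1.16 dst=203.0.113.11:443 bytes_out=9000000
2014-08-20T02:16:00Z ALLOW src=10.20.1.17 dst=192.0.2.44:8080 bytes_out=2048
2014-08-20T02:17:00Z NOTICE interface eth1 link up
"""


def parse_lines(text: str) -> List[dict]:
    """Parse log text into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def summarize_outbound(records: List[dict]) -> Dict[Tuple[str, str], int]:
    """Sum bytes_out per (src, dst) over allowed connections only.

    Summing across connections matters: an exfiltration split into several
    transfers may never cross the threshold on a single line.
    """
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in records:
        if rec["action"] != "ALLOW":
            continue  # blocked traffic never left the network
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def find_suspicious_transfers(
    text: str,
    known_destinations=KNOWN_DESTINATIONS,
    threshold: int = EXFIL_THRESHOLD_BYTES,
) -> List[Tuple[str, str, int]]:
    """Return (src, dst, total_bytes) for unknown destinations above threshold,
    largest first."""
    totals = summarize_outbound(parse_lines(text))
    findings = [
        (src, dst, total)
        for (src, dst), total in totals.items()
        if dst not in known_destinations and total > threshold
    ]
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total in find_suspicious_transfers(SAMPLE_LOG):
        print(f"REVIEW: {src} sent {total} bytes to unknown destination {dst}")
```

The large upload from 10.20.1.16 is not reported because its destination is on the allowlist, and the small unknown connection from 10.20.1.17 stays below the threshold; only the two-chunk transfer from 10.20.1.15 is surfaced for a human to review. Tuning the allowlist is the real work here: a POS segment should have a short, stable list of expected destinations, which is what makes this kind of check tractable.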
Should systems be found to be infected or unusual activity suspected, organizations should contact their acquiring bank immediately, PCI SSC said.
The council also advised that organizations review techniques for maintaining a secure terminal environment, and monitoring and managing access to systems.
Regarding malware specifically, organizations should review the following security risk mitigating control areas outlined in PCI Data Security Standard 3.0:
- proper firewall configuration — requirement 1;
- changing vendor defaults and passwords on devices and systems — requirement 2;
- regularly updating antivirus protections — requirement 5;
- patching systems — requirement 6;
- limiting access and privileges to systems — requirements 7, 9;
- requiring 2-factor authentication and complex passwords — requirement 8;
- inspection of POS devices — requirement 9;
- monitoring systems to allow for quick detection — requirements 10, 11;
- implementing sound security policies for preventing intrusions that may allow malware to be injected — requirement 12; and
- managing third-party access to devices and systems, and specifically remote access from outside a merchant’s network — requirements 8, 12.
Attacks of this kind underscore the critical importance of a multilayered approach to payment card security that addresses people, process and technology.