I've experienced such authentication calls from American Express when I've made purchases where something is unusual, such as when I'm in a country where I haven't used a credit card before. They're usually brief, but they're effective.
The problem is, calling every customer about every transaction is impossible. There are simply too many credit card transactions happening, which is why card issuers target card use where something looks unusual, such as the same card being used in two places at about the same time.
There's little question that widespread EMV use in the U.S. would reduce the severity of such breaches, but it wouldn't eliminate them. "EMV technology, if used widespread, could potentially reduce the amount of damage by denying criminals the ability to use copied cards at POS terminals," said Adam Kujawa, head of malware intelligence at Malwarebytes Labs, in an e-mail to eWEEK, "as long as those terminals were set up to use EMV technology."
"If EMV technology was required and utilized by the whole of the population and traditional mag-stripe cards were no longer accepted, then it would put a serious wrench in the gears of the cyber-criminals' plans," Kujawa noted.
In fact, it may be the success of such secure payment cards elsewhere that's contributing to the flurry of attacks in the U.S., Zurawski said. "Chip and pin in Europe may be why you see so many attacks in U.S.," he said.
While the use of chip and PIN technology in Europe and Asia has dramatically reduced the levels of credit card fraud where cards are physically present, fraud in other areas, such as online and telephone purchases, has not diminished.
Unfortunately, even in situations where secure payments are proven to work, banks are slow to implement any improvements. "The banks still worry about putting friction in front of transactions," Zurawski said. But he doesn't think this should slow down a move to better authentication. "I think the average consumer is getting tired of worrying about the breaches," he said.
Zurawski said that right now, following the announcement by the Department of Homeland Security that as many as 1,000 U.S. businesses may have been compromised by malware, security executives should be concerned. "If I were the CISO or CEI or CIO, I would be all over my people right now to make sure we're not breached," he said.
So now we're back to Home Depot and whether the company suffered a breach. The good news is that apparently managers were on top of events and got the word out early. Hopefully, the bad news won't get much worse.