Mobile payments biz Charge Anywhere has admitted a hacker may have been snooping on its systems for FIVE years.
While probing an internal malware infection, Charge Anywhere discovered that someone had been able to eavesdrop on its network traffic since November 2009.
That investigation revealed all sorts of sensitive data had been swiped from the global company's compromised computers, including customer names, card numbers, expiration dates and verification codes. Hackers succeeded in defeating Charge Anywhere's encryption before extracting data, as the outfit's statement explains:
Charge Anywhere commenced the investigation that uncovered and shut down the attack after being asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants. Charge Anywhere’s investigation found malware that had not been previously detected by any anti-virus program. The malware was immediately removed and we engaged a leading computer security firm to investigate how the malware was used and work with us to continue to enhance our network security measures.
The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.
Charge Anywhere, a New Jersey-headquartered biz that processes payments for mobile apps and websites, says crooks extracted the sensitive data from its computers between August 17 and September 24 this year – although someone had established the ability to sniff parts of its network traffic as far back as 2009:
During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009.
The firm has set up a help page allowing merchants to search an unpublished list of affected traders to find out whether or not they've been hit by the security breach. An FAQ aimed at web hawkers, which essentially advises them to keep calm and carry on as normal, can be found here [PDF].
The infiltration illustrates the importance for payment processors to fully encrypt sensitive data as it traverses their network, as cybercrime-focused investigative journalist Brian Krebs points out. ®
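One defensive check that follows from the point above, added here as an example and not drawn from the article or from Charge Anywhere's own systems: scan captured outbound traffic segments for card numbers that appear in the clear, flagging only runs of digits that pass the Luhn check so that order IDs and opaque TLS records do not trigger alerts. The sample segments are constructed; the regex, Luhn routine and masking are assumptions of this example.

```python
import re

# Constructed sample of captured outbound segments (not data from the breach).
CAPTURED_SEGMENTS = [
    # An authorization request sent in plain text: the failure mode the article describes.
    b"POST /auth HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
    b"PAN=4111111111111111&EXP=1217&CVV=123&AMT=42.00",
    # An opaque TLS-style record: digits inside it are too short to look like a PAN.
    b"\x17\x03\x03\x00\x2a" + bytes(range(0x30, 0x5a)),
    # A 17-digit order ID that does not pass the Luhn check.
    b"order_id=12345678901234567&status=ok",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(segment):
    """Return Luhn-valid card numbers found in the clear in one captured byte segment."""
    hits = []
    for m in PAN_RE.finditer(segment):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep only BIN and last four so the alert itself does not leak the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(segments):
    """Return (segment_index, masked_pan) for every plaintext PAN found in the capture."""
    return [(i, mask(p)) for i, s in enumerate(segments) for p in find_plaintext_pans(s)]
```

Running `scan(CAPTURED_SEGMENTS)` flags only the first segment, which is the signal a processor would want from an egress monitor: any hit means card data is leaving the network without encryption.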