Last Sunday, I was enjoying my morning coffee and reading the NY times at the local diner. It was slow and the cash register was in sleep mode, with the Windows XP logo floating across the screen. The diner owner clearly wasn’t concerned about XP end-of-life and no updates/support over the past four months. Tens of thousands of other retailers probably have a similar lack-of-interest in buying new cash registers, which is why the “Backoff” malware – allowing hackers access to credit card data stored on these old devices – is so pervasive and dangerous. This threat goes well beyond Target.
It will take many years before EMV Smart Chip Technology – which stores data on a highly secure chip versus the relatively unprotected magstripe – gets widely deployed amongst both credit card issuers and terminal manufacturers. This is the best solution. In the meantime, when you see the XP logo floating across the cash register at your local store or restaurant, just pay cash and give up the points. Or be willing to check your credit card statement online, every day, for possible identity theft.
Backoff reminds me of the threat vector poised by copiers, or “Multi-Function Devices” (MFD’s), as Xerox likes to call them because they copy, print, scan, fax, etc. MFD’s are not protected by anti-virus or firewalls, and while they are not running XP, sensitive data can theoretically be access by hacking through the fax phone line, network cable connection, and/or over wifi with newer machines. Your internal security team, possibly with some outside help (there are reputable and honest “ethical hackers”), should conduct their own simulated attack and confirm that your confidential information is not at risk.