Hacked payment card service transmitted some data in plaintext

Charge Anywhere, a company that routes payment transactions between merchants and payment card processors, said that malicious software planted on its network may have accessed unencrypted sensitive cardholder data for almost five years.

In a statement, the company warned that some of the card data it sends or receives appears in plaintext, allowing attackers to copy it and use it in fraudulent transactions. Details including names, account numbers, expiration dates, and verification codes are known to be exposed for transactions that occurred this year from August 17 through September 24, although it's possible transactions dating back to November 5, 2009 may also have been accessed, the statement said. The disclosure came after company officials hired an unidentified security firm to investigate the breach.

"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the release stated. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."

In the past few years, criminals have made great strides in bypassing a rich assortment of expensive defenses, as recent breaches at Target, Home Depot, and other large retailers demonstrate. Malware with names such as Chewbacca and Dexter is frequently able to scrape the computer memory of infected point-of-sale terminals, where payment card details are unencrypted. Payment card processors have also been known to be hacked.

The Charge Anywhere advisory is a reminder that the gateways that connect merchants' point-of-sale systems with card processors are also prime candidates for attack. It's surprising to read that some of the card details traversed its network in plaintext. The statement said that the company has eradicated the malware and is working to strengthen its security measures. The statement didn't say whether some transactions will continue to include unencrypted data.