An IT security specialist has revealed he refuses to use debit cards with PINs due to his fear of malware attacks.
Chris Wysopal, co-founder and CTO at application security tester Veracode, made the comments following the revelation that Target retail businesses suffered a data breach in December. And, more recently, it was revealed that the personal details of nearly a third of US adults thought to have been stolen.
As many as 70 million people are believed to have had their phone numbers, email and home addresses taken – almost double the 40 million credit and debit cards initially thought to be affected.
Wysopal said: "I don’t use debit cards with PINs because I fear this type of attack compromising my card and PIN. Customers need to scrutinise their bank statements."
"This was obviously a very sophisticated attack given the timing which is perfect for collecting the most amount of card data in a short period of time."
He surmised that the malware was likely customised for the type of POS terminals Target uses.
He added: "We don’t know yet how the malware got on the terminals. At least part of Targets network must be compromised. For the TJX attack the attackers got in through insecure wireless networks. That’s not likely how they did it here. More likely it was a phishing attack or they got in through an insecure web application."
Sam Maccherola, VP and general manager EMEA/APAC at Guidance Software, thinks Europeans should be reasonably safe from such attacks, though.
He explained: "This attack should not cause undue concern in Europe, where chip and pin is in place. Nor should it cause undue anxiety around online purchasing – the security around your web browser and the credit card processors is strong, well understood and the information sent is usually insufficient to allow a card to be cloned for any other purpose than online use. For this purpose, many credit card issuers now offer single use numbers for online use.
"Much will be learnt from this attack, both by retailers and POS system providers. Hopefully it will result in a more proactive stance in identifying Advanced Persistent Threats using policy lockdowns, baseline deviation analysis and using the operational assumption that their network is already breached."