Payment Gateway Provider Breached, Plain Text Data Accessed

Payment gateway and mobile payment app provider CHARGE Anywhere disclosed it had been breached and hackers had access to plain text payment card transaction authorization requests.

CHARGE Anywhere, a New Jersey-based developer of payment gateway and mobile payment applications, on Tuesday disclosed that it had been breached and that hackers had access to transactions leaving its network, perhaps going back as far as 2009.

Most of the traffic was encrypted, the company said in its disclosure statement, but some plain text data was stolen between Aug. 17 and Sept. 22. The number of records accessed or stolen was not disclosed.

“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” CHARGE Anywhere’s statement read. “Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”

CHARGE Anywhere said the malware has been removed from its network since it was discovered Sept. 22. Evidence of network capture exists, the company said, for traffic segments between Aug. 17 and Sept. 22, but it is likely the capability was available to the attackers as far back as Nov. 5, 2009.

The payment authorization requests, CHARGE Anywhere said, may include cardholder name, account number, expiration date and verification code.

“CHARGE Anywhere commenced the investigation that uncovered and shut down the attack after being asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants,” the company said. “The malware was immediately removed and we engaged a leading computer security firm to investigate how the malware was used and work with us to continue to enhance our network security measures.”

The company’s payment gateways send traffic from point-of-sale terminals and systems to payment processors. Merchant and processor systems, however, were not breached, the company said, adding that it is continuing to route merchant transactions.
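The check a gateway operator would want after reading the statement above is an egress scan: run over captured outbound payloads, does anything leave the network carrying a card number in the clear? The following is an added example, not code from the article or from CHARGE Anywhere. The pipe-separated FIELD=VALUE message format and the sample payloads are constructed for illustration (card numbers are public test-range numbers, and the "ENC:" payload stands in for an opaque encrypted blob); only the Luhn check and the digit-run pattern are general.

```python
"""Egress check for plaintext card data in captured gateway traffic.

Added example, not code from the article or CHARGE Anywhere. The message
format and the sample payloads below are constructed for illustration.
"""
import re
from typing import Optional

# Constructed sample of outbound messages, as a capture sensor at the
# gateway's egress point would see them. Index 1 is an opaque (encrypted)
# payload; index 3 carries a 16-digit transaction ID that is not a card number.
SAMPLE_MESSAGES = [
    "MTI=0100|PAN=4111111111111111|EXP=1217|CVV=123|AMT=000000012500|MID=12345678",
    "ENC:k9Qz3xLm8vNpR2tYw7aBc1dEfGhJkLmNoPqRsTuV==",
    "MTI=0100|PAN=5555 5555 5555 4444|EXP=0318|AMT=000000004999|MID=87654321",
    "MTI=0110|TXN=1234567890123456|STATUS=00|MID=12345678",
    "MTI=0100|PAN=3782-822463-10005|EXP=1119|CVV=9876|AMT=000000100000|MID=11112222",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (the lookarounds reject partial matches).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (hypothetical format) whose presence in the clear is a finding.
SENSITIVE_FIELDS = ("PAN", "EXP", "CVV")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out IDs and amounts that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run in text, separators stripped."""
    pans = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_message(msg: str) -> Optional[dict]:
    """One message: plaintext PANs found plus any sensitive field names present."""
    pans = find_pans(msg)
    fields = [f for f in SENSITIVE_FIELDS if f + "=" in msg]
    if not pans and not fields:
        return None
    return {"pans": [mask_pan(p) for p in pans], "fields": fields}


def scan_egress(messages) -> list:
    """Scan a batch of captured outbound messages; return only the hits."""
    findings = []
    for i, msg in enumerate(messages):
        hit = scan_message(msg)
        if hit:
            findings.append({"index": i, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_egress(SAMPLE_MESSAGES):
        print(finding)
```

A hit means the message left the host unencrypted at the layer the sensor sees, which is exactly the condition the statement describes. The Luhn filter keeps transaction IDs and amounts from raising false alarms; the opaque payload is not flagged, but that only says the PAN is not visible at this layer, not that the encryption in front of it is sound.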


“We have also been working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted,” CHARGE Anywhere said. “When banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.”

The company also set up a page where consumers can search for merchants by name and location to determine if they were affected by the breach.

Retailer security has been headline news since the Target breach a year ago. Security experts and government entities have issued warnings about malware targeting point-of-sale systems and the need to encrypt cardholder data. Small retailers and hospitality providers are particularly under the gun because they are under-resourced and rely on vendors for security. Even large retailers, such as Target, have suffered. Last week, a federal district court judge in Minnesota declined to dismiss negligence claims against Target over its breach, allowing class-action lawsuits from consumers and financial institutions to proceed.

  • Scott on

    This angers me. How is a payment gateway even allowed to have any part of their sensitive traffic unencrypted? I'm certainly no expert in this and don't have all the information, but to even be a part of the payment system, shouldn't they be legally required to encrypt everything? Is that not the case? Or did they just not live up to their obligations? I'm not a big government guy, but one of the few things the federal government is obligated to do by the Constitution is to regulate the money supply and "provide for the Punishment of counterfeiting." This goes to the heart of that. Credit cards are a de facto currency and breaches like this that lead to fraud are the equivalent of counterfeiting. Not encrypting this data — in my view — makes them complicit in the fraud. Businesses will usually cut corners if they can, but they need to be held accountable in law as well as in civil courts if that corner cutting leads to this. If they're caught sending sensitive data unencrypted, they should lose their right to be part of the financial system. Period. That's the cost of them doing business.
  • Akee on

    @Scott: A payment gateway is at the end of the communication between the client and the bank data processing system, i.e. at the end of an encrypted session. The machine that receives this traffic, at one point, has to actually do the crypto and have somewhere inside its RAM the unencrypted flow. Malware installed inside a reverse HTTP proxy can go through the RAM and access bits of clear text information, for instance. The best you can do is, if you are a gateway but do not process bank data, to trans-cipher your traffic using an HSM. This is really expensive and few are willing to do this.
