Forever 21: Hackers breached payment system for 7 months, no encryption on POS devices

Haythem Elmir

Forever 21 confirmed hackers breached payment system for 7 months, admitted encryption was turned off on some POS devices.

If you shopped in a brick-and-mortar Forever 21 store this year, your credit card information may have been compromised due to the company’s failure to turn on encryption in some of its point-of-sale terminals.

In mid-November, Forever 21 admitted that a third party “suggested” there might have been unauthorized access to payment card data. On December 28, the company revealed more details about the breach without actually saying how many customers were potentially affected or even which stores had the compromised POS devices.

For starters, the investigation into the security incident revealed that hackers had access to customers’ payment card data for up to seven months in 2017 – from April 3 to November 18. Attackers had obtained network access and installed malware meant to harvest credit card data. But the real mind-blower is that encryption was not even turned on in some of Forever 21’s POS devices.

Sure, the company said it implemented encryption technology in 2015; yet the “leading payment technology and security firms” investigating the unauthorized access determined the built-in encryption on some POS devices “was not always on.”

According to its newest payment card security incident report, Forever 21 explained that, in addition to the lack of encryption in some of the retail stores’ POS devices, investigators hired in October “found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data.”

The malware, Forever 21 said, “searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”
