Cash Registers Take Your Money While Stealing Your Identity

idBy Ron Benvenisti for TLS. In addition to taking your cash, Point Of Sale systems are stealing your identity. The Secret Service estimates more than 1,000 businesses have been affected by the same type of cyber-attack that “targeted” Target’s cash register system, stealing information from millions of credit card users at the store, the Department of Homeland Security said in an advisory Friday afternoon.

Thousands of retailers of all sizes have already been compromised and don’t even know it.

Cyber-Criminals are hard at work hacking into businesses’ networks, installing malware (typically called “Backoff”) on their point-of-sale software systems. When you swipe your credit card, the malware records the information and sends it back to the hackers. The hackers sell the data to other criminals on the Internet who then wreak havoc with your credit rating.

According to the advisory, seven point-of-sale system vendors have confirmed that they’ve had multiple clients affected by Backoff. The Department of Homeland Security said that one strain of Backoff has been in use by hackers since last October and was not detected until just this month.

Many businesses don’t have the tools or expertise to monitor let alone circumvent these attacks.

Earlier this week, UPS Stores had at least 50 of its locations hit. 50 locations may not sound like a lot but that amounted to more than 100,000 transactions.

The Department of Homeland Security advises all businesses to be on top of their point-of-sale system vendors’ information technology team and managed service providesr to make sure they are not vulnerable to the Backoff malware. Businesses running the obsolete Windows XP are particularly vulnerable and most systems have not migrated to Windows 7 or 8. Businesses that believe they’ve been Backoff-ed should contact their local Secret Service office.

Offices are located here:



TRENTON 609-989-2008  101 CARNEGIE CENTER PRINCETON, NJ 08540-6231

The number of affected businesses is expected to keep growing and other types of organizations that also use point-of-sale systems, such as hospitals and government bodies, have also been targeted.

Businesses that are not auditing their PCI/DSS compliance or holding their vendors or managed services accountable, in writing, are at risk for civil damages, hefty fines and losing their merchant accounts potentially putting them out of business and into bankruptcy.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 15,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.

Check out the latest on TLS instagram


  1. The PCI Data Security Standard has 12 requirements to provide a baseline of technical and operational requirements designed to protect cardholder data. All business people paste and cut. Here’s the rundown on the basic PCI/DSS requirements:

    They are as follows:

    Build and Maintain a Secure Network and Systems

    1. Install and maintain a firewall configuration to protect cardholder data

    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

    3. Protect stored cardholder data

    4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

    5. Protect all systems against malware and regularly update anti-virus software or programs

    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need to know

    8. Identify and authenticate access to system components

    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data

    11. Regularly test security systems and processes

    Maintain an Information Security Policy

    12. Maintain a policy that addresses information security for all personnel

Comments are closed.