Mobile payments provider reveals malware attack on credit card data

By Erin Ayers on December 9, 2014

target-credit-card-thefts-a-cue-to-review-cyber-coverage-terms-200x200-150x150CHARGE Anywhere, LLC, a provider of mobile payments services for merchants, revealed it had been the target of a “sophisticated” malware attack that resulted in the theft of payment card data, possibly dating back to 2009.

In a statement, the firm said, “CHARGE Anywhere commenced the investigation that uncovered and shut down the attack after being asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants. CHARGE Anywhere’s investigation found malware that had not been previously detected by any anti-virus program. The malware was immediately removed and we engaged a leading computer security firm to investigate how the malware was used and work with us to continue to enhance our network security measures.”

The New Jersey-based firm added, “The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”

CHARGE Anywhere discovered the malware on its system on Sept. 22; the company said the attack has been fully investigated and shut down. It appeared only network data between August 17 and Sept. 24 had been compromised, but CHARGE Anywhere acknowledged, “Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009.”

CHARGE Anywhere offered consumers advice for monitoring their credit and accounts for unauthorized transactions. The company provided a searchable list of affected businesses, but “an exact business name match” is required for the search. This likely means that merchants who contract with CHARGE Anywhere for payment processing services will need to verify that their businesses could have been affected and then alert their own customers.

erin.ayers@zywave.com'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].