PCI Security Standards Council (PCI SSC) and the Brazilian Association of Credit Card and Services Companies (ABECS) talk about the threat of malware attacks in Brazil and the larger global payment environment and share guidance and information on protecting against them.
What is the current state of malware attacks in Brazil?
Carlos Caetano: Malware is being used to steal financial information from Brazilians. The malicious code was recorded across Latin America with a focus on users of Brazilian banks. Named Vadokrist, the Trojan horse can control the actions of the mouse, produce prints and even restart the machine system. The Trojan is spread via spam messages that contain executable files that install the software and open a security hole in the computer.
Brazil is the country hardest hit by ransomware attacks across Latin America. Of the more than 5,000 such scams that happen every day in the region, 46.6% are registered in Brazil, which also places us among the most targeted territories in the world. Older threats, such as WannaCry, continue to endure in Brazil due to regional peculiarities.
Numbers released by Kaspersky, a company specializing in digital security, put Brazil at more than twice the attack rate of the runner-up. Brazil ranked first in attacks, followed by Mexico and Colombia.
What are malware attacks?
Carlos Caetano: A malware attack is when hackers use malicious software code called malware (also called viruses) to break into computer systems and steal payment data. These attacks are often difficult to detect and can cause significant damage to a business. Understanding this type of attack is critical to protecting payment data.
So how exactly do these attacks work?
Carlos Caetano: Criminal hackers often target vulnerable businesses and embed software code or viruses into a computer system by exploiting weak or default passwords, outdated anti-virus software, unencrypted data, or via a third-party vendor with weak security controls. Once a hacker has penetrated a payment system with malware, they can do things like sell your information on the black market, make fraudulent online purchases, or create clone credit cards.
What businesses are at risk of this devious attack?
Daniel Marchetti: From local family-owned businesses to Fortune 100 corporations, no business is immune to this type of attack. With more and more transactions moving to e-commerce, these threats are on the rise and require renewed attention and vigilance. The damage these types of attacks can have could be devastating to a business, including the loss of consumer confidence, damage to your brand image, and loss of revenue. For consumers, they can be negatively impacted with fraudulent charges that damage their credit score.
Carlos Caetano: A recent industry report on malware found that many malware attacks are being distributed via conventional email, which convinces victims to download an update from a remote server – one that is controlled by criminals. Victims tend to be traditional stores, such as gas stations, supermarkets and typical retail outlets. The victims were from all across Brazil which further highlights that all business types are at risk of this attack.
What can businesses do to better protect themselves from these attacks in the first place?
Daniel Marchetti: Businesses need to be aware that these threats are lurking and need to make security an everyday priority. That is a good first step – recognize the potential threat and make a plan to defend yourself from it and stay vigilant about security.
Carlos Caetano: There are several quick, easy steps that a business can do right now to help guard against these attacks. They include:
- Use the latest anti-virus software and keep patches up-to-date
- Update all default and staff passwords with secure passwords
- Manage how and when your vendors can access your systems. Only allow remote access when necessary, and enforce the use of multi-factor authentication
- Confirm that all third-party vendors are properly implementing and maintaining security controls outlined in the PCI Data Security Standards (DSS)
- Confirm that third-party software security vendors are following the PCI SSC’s Software Security Framework (SSF)
- Devalue the data – talk to your acquirer to understand how their solutions can devalue the payment card data on your payment system, such as with Point-to-Point Encryption (P2PE).
Are there additional resources, where I can get more information about malware attacks and security?
Daniel Marchetti: You can find some guides to good security and fraud prevention practices on the Abecs website (www.abecs.org.br). These materials provide a variety of important information and recommendations for business managers, web developers and IT professionals working in e-commerce.
Carlos Caetano: The PCI SSC has several resources that deal with this topic and has just recently released two standards on the important topic of software security. For more information visit the PCI SSC webpage at: