According to the Australian Federal Police, it would appear that at least half a million credit cards 'down under' have been compromised and funds in excess of AUS $25 million (US $26 million) stolen. Although precise details are still coming in, it would seem likely that nothing more complicated than a bit of simple scanning for point of sale terminals which looked vulnerable was used to locate potential victims in the small retailer market rather than run the greater risk of detection by targeting banks or bigger business. Lessons learned from the Subway caper in the US last year no doubt. Then, credit card processing systems at Subway chains were compromised, and eventually four Romanians were arrested and charged with obtaining millions of Dollars through fraudulent means that involved around 80,000 cards.
With so many small businesses struggling to keep afloat in hard times, it is little wonder that old and frankly quite dated ecommerce carts are still being used instead of being upgraded to less vulnerable alternatives. Couple this with the fact that smaller retail units in the kind of remote, rural areas where victims of this attack in Australia were located, are less likely to either have the necessary knowledge of IT security or the budgets to buy it in that the banks and larger concerns do, and it should come as absolutely no surprise that these targets are being uncovered so easily by the bad guys. When you thrown into the insecurity mix the use of completely useless passwords that allow attackers to hop right into the PoS computers using channels meant for remote tech support duty, and well, the pickings are certainly of the rich variety.
The moral of this story? No matter how small a business you are, no matter how remotely that business is located, if you have embraced ecommerce (and the chances are you wouldn't still be in business otherwise) it is vital that you invest in secure shopping carts even if that means investing money in new software. The cost to your reputation, and therefore your business, if your customers get caught up in a fraud like this will be far greater than the relatively small amount of investment required to keep the hackers at bay.
