Retailers are putting their customers’ credit card details at the mercy of computer hackers because they have failed to upgrade an obsolete version of the Windows operating system on their machines, a leading online security researcher has warned.
A significant number of stores continue to run Windows XP even though Microsoft stopped providing security updates for the software almost nine months ago, James Lyne, the head of research at Sophos, said.
Windows XP, which was released in 2001, was one of the most popular operating systems in the world and many companies built their computer networks around it. However, Microsoft said last April that it would stop providing software updates for XP in order to concentrate on developing new software instead. When operating systems stop receiving security updates, they become more vulnerable to new types of cyberattack.
“Most retailers in the UK are either completely unprepared or unaware of the danger,” Mr Lyne said. “Or, they are over-confident. For a very small amount of money, it is possible to get your hands on kit that can wreak havoc in their systems. And, because XP is not being updated, it is way easier to infect with malware.”
Mr Lyne demonstrated how to perform a hacking attack on Windows XP that was able to extract a string of credit card details in less than a minute. He set up a website, reallysaferetail.com, for which he bought an SSL [Secure Sockets Layer] security certificate for £30 online. These certificates activate a padlock icon that appears next to the address bar on a web browser, indicating to a user that their connection is secure.
From a cloud computing service based in Ireland, he first infected the Windows XP system with malware, or malicious software, by exploiting one of its security holes. He then instructed the malware to download everything that was held in the computer’s memory in what is known as a RAM [random-access memory] scraper attack, something that is very difficult to detect. Mr Lyne was then able to search for credit card numbers in the downloaded file.
He said that it was also possible to attack non-Windows XP machines, although it was far harder to carry out the initial infection with malware.