In 2007 T.J. Maxx was hacked, and the news spread far and wide. It was declared the largest hack ever with data having been stolen from more than 45 million credit and debit cards. Many people leery of exposing their credit card information to the online shopping boom were surprised to find that shopping in the physical world could be just as dangerous. Six years later point of sale hacks continue – Subway being the most notable of late – but now they’re commonplace.
“Breaches used to be big news, and today they’re just industry news as opposed to national news,” said Robert Siciliano, a spokesperson for McAfee and an online security expert.
DDoS attacks, espionage, cyberwar – those are the media darlings. A restaurant with 30 employees getting their customers’ credit information swiped isn’t sexy, but that doesn’t make it any less important. Those types of attacks remain as a major threat of the digital world. Just take a look at Verizon’s 2013 Data Breach Investigations Report:
When physical attacks like ATM skimming are removed from the sample, retail sits at the top of their study. Not surprisingly, nearly all of attacks are financially motivated.
“Those tend to be localized in retail, hospitality and food service,” said Nathan McNeill, co-founder and chief strategy officer for Bomgar. “On a black market getting a credit card number is going to be much more valuable to any type of hacker than trying to break into a bank vault, you know, virtually. It’s just a lot easier task as well. I think the reason you see a lot of retail establishments being targeted is because 1) they don’t tend to have as strong of security measures in place and 2) they have a lot of credit card numbers. And so it’s a good combination if you’re a hacker. Those tend to be the majority of the attacks.”
“It continues to be obviously a hugely important area because of the nature of the data being stored,” said Robert Scott, managing partner of Scott & Scott, LLP. “PCI compliance is a big drive there. If you fail to comply with that you can lose your right to be a merchant and accept credit cards. So there definitely is a lot of focus around point of sale and PCI compliance related to that.”
And that’s supposed to be the answer, isn’t it? This minimally expected security that consumers tend to believe all businesses are meeting and that those in the know realize hardly any business is actually living up to. Some don’t believe in PCI. They say it’s too weak, too expensive and only serves to create a false sense of security. In 2011 only 21 percent of organizations were fully complaint at the time of their Initial Report on Compliance. For many businesses, it is a goal and an important one, but in the service industry, it often gets bumped down on the list of priorities.
“Most of the time where you see a major breach you also see an underlying violation of the PCI standards,” Scott said.
“I’ve seen numerous studies that showed that many companies that are supposed to comply with PCI don’t, and that’s because a lot of businesses don’t think it can happen to them,” Siciliano said. “Payment Card Industry standards are generally, you know, minimum standards meaning that there’s still a lot more that can be done and a lot more should be done, which is why we often see breaches. They continue unabated.”
But McNeill stops short of calling it negligence.
“Negligence is a strong word, and I think whenever you get a strong word like that it often means there’s a continuum in place between sort of gross negligence, where someone really didn’t do their job and ignored something completely obvious, all the way down to just sort of missing a few small signs that if picked up would have prevented the breach,” McNeill said. “You may have been addressing five or ten other areas but just didn’t quite get to the sixth or seventh one. So you’ve missed a few of the signs that could have led you to prevent the breach.”
Poor practices, easy targets
From Verizon’s security report: “Small retailers and restaurants in the Americas should be focusing on the basics because attackers are leveraging poorly configured remote administration services to pull payment data from point of sale systems.”
That’s the key. Argue all you want about PCI standards and what should be done, but many businesses are essentially leaving the keys in the ignition and then wondering why the thugs drove off with their car. Just look at this chart from the 2012 Accommodation and Food Services Snapshot:
If you run a business what does this all mean? It means the bad guys are getting into your system and installing malware to steal your credit card information, and they’re doing it because 59 percent of the time whoever set up the system either left the password at the default setting or made one up that was easy enough to guess. It doesn’t take a genius level computer hacker to get into that system. Hell, you’re practically leaving the door open and the money on the counter. That’s why point of sale systems are targets. They’re everywhere. They’re full of information hackers want, and, oftentimes, they’re quite easy to get into.
You’d think the potentially disastrous consequences would be enough to kick businesses into at least meeting the minimal security expectations – especially small businesses where a data breach could scare off customers and lead to financial ruin.
“If I go to a gas station and I’m using the POS at a gas station and then I’m suddenly a victim of identity theft that’s a result of that POS system, next time I’m going to drive past that gas station and go to a different one,” Scott said. “That to me is the biggest risk, this privacy-trust risk, where people are going to do business with companies they feel they can trust, that it’s safe. Businesses that are not doing a good job of protecting information or for whatever reason become a victim of that type of situation may face a really significant loss of customers, as well as the potential to lose their merchant status, as well as in the area of PCI a lot of people are saying if you didn’t comply with PCI that means you were negligent and therefore legally responsible for all of the losses associated with a breach of that type.”
So what should you do?
“Lets say you’ve done everything right. You’ve secured the architecture. You’ve provided a strong authentication mechanism. You’ve fine grained their access privileges so they only have the level of privileges they require to do their jobs. Still, you need some way to have a thorough audit trail of everything that’s happened, because you may have someone who has legitimate access but he’s doing illegitimate activity. Or you may have somehow had an outside party who’s gained access to a legitimate channel. You still need to be able to see what’s happening through that channel, and so the audit trail must be thorough as well.”
Those four things, says McNeill, can go a long way towards making sure your data is secure.
But the studies come in year after year, and many businesses just aren’t taking that next step. They continue to think it won’t happen to them, or they continue to think it’s not a priority. They lock up the physical doors at night and head home, not realizing the digital door is sitting there – unlocked – just waiting to be pushed open.