2013 was a difficult year for several large U.S. “Big Box” retailers, which suffered major data breaches at the hands of cybercriminals. These well-publicized breaches were among the largest in history. The now infamous “Black Friday Hacks” cost the companies significant sums, including remediation, the defense of class action lawsuits, and responses to the FTC and state attorneys general. On top of that is the unquantifiable damage to the companies’ brands and reputations.
This type of cybercrime has been a reality for nearly a decade. In 2005, for example, cybercriminals penetrated the network of TJX, the parent of TJ Maxx, and remained undetected for roughly eighteen months, until December 2006; more than 90 million payment card records were exposed. From the initial intrusion until detection, the attackers harvested a host of customer data, including account information, customer names and addresses, driver’s license numbers, and payment card data. Some estimates put the overall economic loss from this breach at $4.5 billion.
Cybersecurity experts agree that the retail industry should expect the current attack trend to continue: Big Box retailers are a cybercrime gold mine because of the massive number of customers doing business with them every day. Moreover, the point-of-sale systems used to process card payments have well-known weaknesses, and the attacks against them are relatively unsophisticated. POS systems are, in essence, computers equipped with card readers and keypads. They run standard operating systems, often Windows, and carry out their card reading and billing functions through cash register software. If everything works as expected, the customer swipes a card in the reader, which reads the magnetic stripe on the back of the card. The tracks on that stripe hold the card number (the primary account number), the cardholder’s name, the expiration date and a service code. This information is then transmitted to the payment processing provider.
Unfortunately, there is a weak link in this process. After the reader has captured the track data, it sits in the point-of-sale system’s random access memory in clear text while the register software handles it, before transfer to the payment processor. In this form it is exposed to any malware on the system designed to capture unencrypted card data. The information is encrypted before it leaves the system for the payment processor, but by then it is too late: memory-scraping malware has already copied the critical customer data. Encrypting the track data inside the reader hardware itself (point-to-point encryption), so that the register software never holds clear text, is the way to close this window.
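To make the weak link concrete, the following added example (not code from the original article) shows what Track 2 data looks like in a register process’s memory and how little it takes to find it: a pattern match on the track layout plus a Luhn check on the card number, which is the same search a memory scraper or a defensive memory-inspection tool performs. The two memory buffers, the test PAN 4111 1111 1111 1111, and the “encrypted” blob standing in for a point-to-point-encrypting reader are all constructed for the example. The scanner masks the card number in its output rather than echoing it.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN, separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# This pattern is what a scanner, malicious or defensive, looks for in memory.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test, used to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return masked card data for every Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            "service_code": m.group(4).decode(),
            "offset": m.start(),
        })
    return hits


# Constructed stand-in for a slice of the register process's memory right
# after a swipe: program data, then the swiped track, then more noise.
# 4111 1111 1111 1111 is a well-known test PAN; it is not a real card.
CLEAR_POS_MEMORY = (
    b"\x00\x00POSApp.exe\x00" + b"\x90" * 16
    + b";4111111111111111=25121011234567890?"
    + b"\x00receipt#00123\x00"
    + b";4111111111111112=2601201?"      # looks like a track but fails Luhn
    + b"\xff" * 8
)

# Constructed stand-in for the same slice when the reader encrypts the track
# in hardware (point-to-point encryption): the software only ever sees an
# opaque ciphertext blob and a key serial number, so there is nothing to scrape.
P2PE_POS_MEMORY = (
    b"\x00\x00POSApp.exe\x00" + b"\x90" * 16
    + b"KSN=FFFF9876543210E00001;CT="
    + bytes.fromhex("9f3c1e7ab244d0c85e61f7a90b3d2c4e")
    + b"\x00receipt#00123\x00" + b"\xff" * 8
)

if __name__ == "__main__":
    print("clear-text memory :", find_track2(CLEAR_POS_MEMORY))
    print("P2PE memory       :", find_track2(P2PE_POS_MEMORY))
```

The clear-text buffer yields one record (the second candidate is discarded by the Luhn check), while the P2PE buffer yields nothing: the register still processes the sale, but there is no clear-text track in its memory for malware to harvest.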
In more than one of these breaches, it appears that the cybercriminals carried out a typical two-pronged point-of-sale attack. First, they used stolen vendor credentials to gain entry to the retailer’s network and reach the point-of-sale systems. Second, once inside, they installed random access memory scrapers on the point-of-sale machines, the malware responsible for collecting customer credit card data.
Experts recommend that retailers minimize their breach risk by taking a proactive approach to point-of-sale system protection, including:
- Frequent changes of point-of-sale system administrative passwords, starting with the removal of any vendor defaults;
- Protecting point-of-sale systems with a firewall or access control list that restricts remote access and administrative services to known sources;
- Prohibiting or limiting the use of point-of-sale systems for browsing the web;
- Using point-of-sale systems and payment applications that comply with the Payment Card Industry Data Security Standard (PCI DSS); and
- Properly monitoring and protecting public-facing web assets.
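The stolen-vendor-credential entry route described above and the access-control recommendation in the list are two sides of the same control: a vendor account should have a defined source, a defined set of hosts and a defined maintenance window, and any remote logon outside that envelope, successful or not, should raise an alert. The following added example (not code from the original article) runs such a check over a few constructed log lines. The log format, the `hvac_vendor` account, the `VENDOR_POLICY` entries, the host naming prefixes and the IP addresses are all assumptions made for the example.

```python
import re
from datetime import datetime, time

# Constructed log format for this example: one remote-logon record per line.
LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)"
)

# Hypothetical access policy per vendor account: where it may come from, which
# hosts it may touch, and when. The real values belong in the retailer's ACLs.
VENDOR_POLICY = {
    "hvac_vendor": {
        "allowed_src": {"198.51.100.20"},      # the vendor's VPN egress address
        "host_prefix": "BMS-",                 # building-management hosts only
        "window": (time(8, 0), time(18, 0)),   # business-hours maintenance
    },
}
POS_HOST_PREFIX = "POS-"  # no vendor account has any business on a register


def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def assess(rec: dict) -> list:
    """Return the policy violations for one logon record (empty if clean)."""
    policy = VENDOR_POLICY.get(rec["user"])
    if policy is None:
        return []                    # not a vendor account: out of scope here
    reasons = []
    if rec["host"].startswith(POS_HOST_PREFIX):
        reasons.append("vendor account on POS host")
    elif not rec["host"].startswith(policy["host_prefix"]):
        reasons.append("host outside vendor scope")
    if rec["src"] not in policy["allowed_src"]:
        reasons.append("source not on vendor allow-list")
    start, end = policy["window"]
    if not start <= rec["ts"].time() <= end:
        reasons.append("outside maintenance window")
    return reasons


def triage(lines) -> list:
    """Alert on every vendor remote logon, successful or not, that breaks policy."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["event"] != "remote_logon":
            continue
        reasons = assess(rec)
        if reasons:
            alerts.append((rec["ts"].isoformat(), rec["user"], rec["host"],
                           rec["src"], rec["result"], reasons))
    return alerts


# Constructed sample log: a legitimate vendor session, then a failed and a
# successful logon with the same vendor account on a store register from an
# unknown address in the middle of the night, then an unrelated store manager.
SAMPLE_LOG = [
    "2013-11-26T10:02:11Z host=BMS-HQ01 event=remote_logon user=hvac_vendor "
    "src=198.51.100.20 proto=vpn result=success",
    "2013-11-27T02:13:50Z host=POS-STORE0412 event=remote_logon user=hvac_vendor "
    "src=203.0.113.7 proto=rdp result=failure",
    "2013-11-27T02:14:05Z host=POS-STORE0412 event=remote_logon user=hvac_vendor "
    "src=203.0.113.7 proto=rdp result=success",
    "2013-11-27T02:15:40Z host=POS-STORE0412 event=remote_logon user=store_mgr "
    "src=10.40.12.5 proto=rdp result=success",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The failed attempt is reported as well as the success: with a stolen credential the first sign of trouble is often a logon that does not fit the vendor’s envelope, and that is worth an alert before the session that succeeds. The same policy table is what the firewall or ACL in front of the registers should enforce, so that the alert is a backstop rather than the only line of defense.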
Retailers must be constantly vigilant in protecting and monitoring their point-of-sale systems. Those who do not keep their guard up are likely to be the subject of the next big data breach headlines.