This week we have seen two breaches of payment card data reported in 24 hours.
The first concerned Texan clothing retailer Sheplers, which suffered a breach of names, credit and debit card account numbers and expiration dates after its payment systems were affected between June 11th and September 4th.
The second revealed that Viator, a partner of travel website TripAdvisor, had customer credit cards used for fraudulent purposes. It warned users who had created a Viator account that their email address, password and Viator “nickname” may be compromised.
In both cases the companies said that they are working with computer security firms to investigate the incidents, and investigations are ongoing. Add these to the previously reported incidents at Target, Neiman Marcus and Home Depot.
It seems that all of these incidents have come at once, following on from a recent article with Safenet’s Jason Hart on why we keep making the same mistakes and keep getting things wrong. I asked some key industry minds why this keeps occurring, especially when we have seen so many stories relating to point of sale (POS) security.
Alex Fidgen, director at MWR Infosecurity, made the point that POS devices are difficult to protect as they have to be exposed publicly, leaving their interfaces open to attack.
“This means that if a criminal group is able to discover a vulnerability in a POS device they will get easy access to a vulnerable interface,” he said.
“Additionally, vulnerabilities are complicated to patch. POS devices are distributed in a large number of locations and are not connected to the public Internet. Patching POS devices can be a lengthy and expensive process leaving devices open to attack for months after a vulnerability has been discovered.”
I guess what we are learning is that many of these incidents are already in the past by the time they are reported, and it is the investigation that reveals how much was lost and how long the compromise went on for.
Chris Strand, senior director of compliance for Bit9 + Carbon Black, did not believe that it was a case of security teams not learning from others’ mistakes. In fact it is the opposite as security teams are inundated with responsibilities for security technology, compliance audit and regulatory mandates, as well as supporting the threat perimeter for their organisations’ defences.
He said: “The focus is on working with and interpreting more and more information to determine the organisational threat exposure and security posture. Most organisations, especially retailers and other businesses that process credit card payments are under constant attack. In general, I think most security teams know full well what has happened to ‘the others’, but they do not have the right technology in place to help them manage their broad security responsibilities.”
I asked Strand why retail organisations had failed to take the next step to secure their systems with positive security techniques. He stated that they could easily focus on the business process, illuminate and scope out vast quantities of data, and stop anything from causing harm if it isn’t part of their trust policy, in the classic combination of “people, process, technology”.
So surely the headlines are causing the boards to sit up and take notice, and the shareholders to demand action? Bob West, chief trust officer at CipherCloud, made the point that even if retailers are now aware of POS vulnerabilities, there are so many points of infection and detection that protecting them all is quite a task.
So why are retailers not learning the lessons of others’ mistakes? He said: “In general, many organisations aren’t doing the basics, or only doing some of the basics to protect information. Creating policies and standards is relatively easy, but implementing them is much more difficult and requires a sustained effort.”
“Most companies are reactive and don’t make the right level of investment to protect information until they’ve been impacted by the negative publicity of a breach. It costs more after the fact, but sometimes organisations get a false sense of security, thinking ‘If we haven’t been breached, why should we make an additional investment?’ Hopefully, the breaches at Target and Home Depot are sending a clear message.”
So security is not easy, we’ll accept that. On the other side, is it the case that the attackers have realised that there is a sensitive vertical, and to coin an over-used term, “gone for the low hanging fruit”?
Fidgen said that sensitive information such as credit card details will always be targeted by attackers and unfortunately, organisations often fail to consider the entirety of their technological estate when securing themselves.
“They focus instead on reducing the risk of attack in traditional, publicly accessible applications and systems,” he said.
“As organisations reduce the risk of a successful attack through their network perimeter, they often fail to consider the true breadth of the attack surface they expose and as such alternative attack vectors are often overlooked. POS devices are a perfect target for cyber criminals as these devices handle sensitive payment information and are connected to critical systems in a retailer’s network.”
Fidgen also said that part of the problem is retailers relying on vendors providing “secure” devices out-of-the-box, and failing to adequately protect the network environment in which the devices are placed. “Our research found that many POS devices are not secure out-of-the-box. As such, retailers need to put more emphasis on adequately isolating POS systems within their network.”
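Fidgen’s two points, that POS devices sit on networks connected to critical systems and that retailers should isolate them, translate into a concrete check: a POS segment should only ever talk to the payment gateway, its DNS resolver and its patch server, and only a management host should ever talk to it. The script below is an added example, not code from the article or from MWR, which audits constructed flow records against such an allow list and flags the three things an attacker needs (lateral movement into the corporate network, bulk egress to an unknown host, and unapproved inbound access to terminals). All addresses, ports and log lines are hypothetical.

```python
"""Audit flow records from a POS network segment against an isolation allow list.

Added example; the addressing, rules and log lines are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical POS segment; substitute your own.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Corporate address space (RFC 1918). We list it explicitly rather than using
# ipaddress's is_private, which also treats documentation ranges such as
# 198.51.100.0/24 as "private" and would mislabel external hosts.
INTERNAL_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Outbound flows a POS host may open: (destination, protocol, destination port).
ALLOWED_OUTBOUND = [
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),  # payment gateway (hypothetical)
    (ipaddress.ip_network("10.10.0.53/32"), "udp", 53),     # internal DNS resolver
    (ipaddress.ip_network("10.10.0.20/32"), "tcp", 8530),   # patch / update server
]

# Inbound flows into the POS segment: only the management jump host over SSH.
ALLOWED_INBOUND = [
    (ipaddress.ip_network("10.10.0.5/32"), "tcp", 22),
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record, e.g.
    'src=10.50.0.12 dst=203.0.113.10 proto=tcp dport=443 bytes=1820'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def _matches(addr, proto: str, dport: int, rules) -> bool:
    return any(addr in net and proto == p and dport == d for net, p, d in rules)


def _is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_SPACE)


def classify(flow: Flow) -> Optional[str]:
    """Verdict for one flow, or None if it does not touch the POS segment at all."""
    src_pos = flow.src in POS_SEGMENT
    dst_pos = flow.dst in POS_SEGMENT
    if src_pos and dst_pos:
        return "intra-segment"          # terminals have no reason to talk to each other
    if src_pos:
        if _matches(flow.dst, flow.proto, flow.dport, ALLOWED_OUTBOUND):
            return "allowed"
        # Anything else inside the corporate space is lateral movement; anything
        # outside it is unapproved egress, even on a "normal" port such as 443.
        return "lateral-movement" if _is_internal(flow.dst) else "unapproved-egress"
    if dst_pos:
        if _matches(flow.src, flow.proto, flow.dport, ALLOWED_INBOUND):
            return "allowed"
        return "unapproved-inbound"
    return None


def audit(lines) -> List[Tuple[str, str]]:
    """Classify every record; returns (line, verdict) pairs for POS-related flows only."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        verdict = classify(parse_flow(line))
        if verdict is not None:
            results.append((line, verdict))
    return results


def violations(lines) -> List[Tuple[str, str]]:
    return [(line, verdict) for line, verdict in audit(lines) if verdict != "allowed"]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.50.0.12 dst=203.0.113.10 proto=tcp dport=443 bytes=1820",    # card auth to gateway
    "src=10.50.0.12 dst=10.10.0.53 proto=udp dport=53 bytes=92",         # DNS lookup
    "src=10.10.0.5 dst=10.50.0.12 proto=tcp dport=22 bytes=4400",        # admin SSH from jump host
    "src=10.50.0.31 dst=10.10.5.40 proto=tcp dport=445 bytes=310",       # SMB to a corporate file server
    "src=10.50.0.31 dst=198.51.100.77 proto=tcp dport=443 bytes=981204", # bulk upload to unknown host
    "src=10.10.5.40 dst=10.50.0.12 proto=tcp dport=3389 bytes=5500",     # RDP into a terminal from corp
    "src=10.50.0.12 dst=10.50.0.31 proto=tcp dport=135 bytes=120",       # terminal to terminal
    "src=10.10.5.40 dst=10.10.0.53 proto=udp dport=53 bytes=80",         # corporate traffic, out of scope
]

if __name__ == "__main__":
    for line, verdict in violations(SAMPLE_FLOWS):
        print(f"{verdict:19s} {line}")
```

The same allow list is what the segment firewall should enforce; running the audit over exported flow logs tells you whether the firewall actually does, and the large upload to an unlisted external host on port 443 is exactly the kind of flow a port-based rule set would wave through.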
Sheplers and Viator are far from the last incidents we will hear about in 2014, and I am confident that things will improve, but that goal may be far off into the future.