It has been reported that fashion retailer, Forever 21, has announced that there had been unauthorised access to data from payment cards used at some of its stores. The California based company said the breach was focused on transactions made at its stores between March and October this year. Forever 21 said only certain point of sale devices in certain stores were affected when the encryption on those devices was not operating. IT security experts are commented below.
Robert Capps, Authentication Strategist and Vice President at NuData Security:
“In an effort to make transactions for consumers as simple as possible, retailers like Forever 21 often subcontract third-party suppliers. Those organisations, in turn, hire other companies creating a long chain of providers that handle sensitive data. Therein lies the opportunity for situations such as this where credit card information is potentially exposed somewhere along the chain. It is this chain that is scrutinised by hackers to probe for any way in to grab personally identifiable information (PII), so they can ultimately use the credit cards and accounts for fraud.
“Back in 2015, Forever 21 made an effort to secure their clients’ personal data through encryption and token-based authentication methods. This measure has reduced the impact of this potential breach – still under investigation. However, this higher-security system was still not implemented in some point of sale (PoS) devices, putting those clients’ information at risk. We are glad to see companies enhancing their security, but they should also be diligent and implement those new technologies across all placements. Forever 21 is the example of what happens when you fail to do so: hackers are attracted to your security gaps like bees to a honeypot.
“There is also the question of why the personally identifiable information (PII) hackers steal is still enough to make fake transactions or purchases. If retailers include a layer of dynamic verification technologies such as behavioural biometrics, they will not need to rely solely on the customer’s static data to verify them, and this stolen information will become useless for hackers. Companies should use a fully integrated multi-layered security approach – so if a verification vector fails there are other layers to trust – that includes passive biometrics. Retailers need to identify customers by including their online behaviour combined with hundreds of other identifiers that hackers can’t imitate or steal. Retailers should also take the time to assess all their security systems and potential gaps before the holiday rush.”
Craig Stewart, VP EMEA at Venafi:
“Details on the attack are still patchy, but we know that the breach took place when encryption wasn’t applied to Forever 21’s point-of-sale systems. It’s an unfortunate reality of today’s sensitive security environment, but ensuring that traffic carrying sensitive data is encrypted is absolutely essential, particularly when it’s customer financial information. The next step should be making sure encryption is implemented across the entire organisation and, crucially, that once this is done IT retains control and visibility over all of the machine identities that are in use. Anything less is just re-arranging deck-chairs on the Titanic as hackers will just shift their focus and attack through encrypted traffic instead. The good news is that many of these problems can be solved by automation, ensuring that no store is ever left without secure encryption again.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.