Clothing store chain Eddie Bauer said it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach.
IT security experts from ESET, Tripwire and Guidance Software commented below.
Mark James, Security Specialist at ESET:
“POS malware is now so common it’s becoming almost the “Norm”. The bad guys have learnt that the best place to skim credit card details is from the machines that process them. With so much of our private financial data floating around in the cloud, it’s scary to think that people will just casually accept it’s happened and move on. The usual recompense of 12 months’ “Complimentary” credit monitoring services is great, but what if those details are harvested and sold or used in the future? The impact of credit fraud is not time limited.
Every single person these days with a credit or debit card should be keeping a very close eye on their financial records for any type of suspicious activity; you need to question everything, no matter how small or insignificant the amount is.
There have to be more severe penalties for shortfalls in protecting our private data, and much better sharing of information when these attacks do happen. In most cases the data breach is only reacted upon because an outsider has notified them of data found. Once identifiable indicators of malware have been found, they need to be made available for others to use and check, helping in the defence of our precious data.”
Travis Smith, Senior Security Research Engineer at Tripwire:
“Point of sale malware continues to be an attractive target for cyber criminals. The best advice for retailers is to place any point of sale machine on a segregated network from any other machines, with locked down internet access. These machines typically have a handful of internet locations required to process credit card data, if they require any at all. Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker.
Locking down point of sale networks can be easier said than done. For retail establishments which have one or two point of sale terminals in each store, it didn’t make sense three or four years ago to implement a second costly network segment for one or two devices. Migrating to a segregated network may require hundreds of thousands of dollars in equipment and network redesigns, something retailers may not have an appetite for in today’s competitive marketplace.”
Fortunato Guarino, Solution Consultant EMEA Cybercrime & Data Protection Advisor at Guidance Software:
“Point-of-sale (PoS) malware continues to be a major threat, driving most of the major credit card breaches in the last few years. The breach reported by US clothing retailer Eddie Bauer is the latest in a spate of attacks, following breaches reported at Oracle’s MICROS point-of-sale division and at twenty hotels belonging to the HEI Hotels and Resorts group.
PoS systems are a lucrative target for hackers, and if they are able to infect these systems with malware, they can capture data every time a card is used.
These latest incidents reinforce the importance of strong endpoint detection and response (EDR) tools that can alert an organization to a POS attack and prevent hackers from actually extracting any data. To do this they need to work ‘under the assumption of compromise’, that is, take a proactive approach to tracking down any warning signs of unauthorised or unusual behaviour. POS terminals are endpoints like any other; security teams need to have 360-degree visibility into these systems in order to identify indicators of compromise quickly, so the appropriate response and remediation can happen to prevent or minimise the impact.”
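The two practical points above, Smith’s segregated PoS network with a short egress allow-list and Guarino’s “assumption of compromise” monitoring of PoS endpoints, can be combined into one control: a default-deny egress policy for the PoS segment, plus a check of connection records against that same allow-list so that any terminal talking to an unexpected destination is flagged. The script below is an added example and is not code from the article, Tripwire, Guidance Software or ESET. The PoS subnet (10.50.0.0/24), the two permitted destinations (a payment processor and an update server on documentation-range addresses) and the flow log lines are all constructed for illustration.

```python
"""Egress allow-list policy and monitoring for a segregated PoS network.

Added example, not from the article or any quoted vendor. Assumed values:
PoS VLAN 10.50.0.0/24, payment processor 203.0.113.10:443, update server
203.0.113.20:443. The flow records in SAMPLE_LOG are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

POS_SUBNET = ipaddress.ip_network("10.50.0.0/24")  # assumed PoS VLAN

# Only destinations a PoS terminal legitimately needs (assumed values).
ALLOWED_EGRESS = {
    ipaddress.ip_address("203.0.113.10"): {443},  # card authorisation host
    ipaddress.ip_address("203.0.113.20"): {443},  # patch/update server
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), int(nbytes))


def egress_allowed(flow: Flow) -> bool:
    """True if the flow is not PoS-originated, or matches the allow-list exactly."""
    if flow.src not in POS_SUBNET:
        return True  # policy only governs traffic leaving the PoS segment
    return flow.dport in ALLOWED_EGRESS.get(flow.dst, set())


def find_violations(lines: list[str]) -> list[tuple[str, str, str, int]]:
    """Return (ts, src, dst, dport) for every PoS flow outside the allow-list.

    Each hit is a candidate indicator of compromise: a terminal reaching a host
    or port it has no business with, which is how skimmed card data leaves.
    """
    return [(f.ts, str(f.src), str(f.dst), f.dport)
            for f in map(parse_flow, lines) if not egress_allowed(f)]


def firewall_rules() -> list[str]:
    """Render the same policy as iptables FORWARD-chain rules on the PoS gateway.

    Specific ACCEPTs for each allowed host/port, then a DROP for anything else
    from the PoS subnet, so the allow-list and the monitor share one source of truth.
    """
    rules = [
        f"iptables -A FORWARD -s {POS_SUBNET} -d {dst} -p tcp --dport {port} -j ACCEPT"
        for dst, ports in ALLOWED_EGRESS.items() for port in sorted(ports)
    ]
    rules.append(f"iptables -A FORWARD -s {POS_SUBNET} -j DROP")
    return rules


# Constructed flow records: timestamp, source, destination, dest port, bytes out.
SAMPLE_LOG = [
    "2016-03-18T10:00:01 10.50.0.11 203.0.113.10 443 1840",   # card auth: allowed
    "2016-03-18T10:00:07 10.50.0.11 203.0.113.20 443 52000",  # update pull: allowed
    "2016-03-18T10:01:13 10.50.0.12 198.51.100.77 443 98304", # unknown host: violation
    "2016-03-18T10:02:40 10.50.0.12 203.0.113.10 80 512",     # known host, wrong port: violation
    "2016-03-18T10:03:02 10.60.0.5 198.51.100.77 443 700",    # not a PoS source: ignored
]

if __name__ == "__main__":
    for rule in firewall_rules():
        print(rule)
    for ts, src, dst, dport in find_violations(SAMPLE_LOG):
        print(f"ALERT {ts} PoS terminal {src} -> {dst}:{dport} not in allow-list")
```

Two design points: the policy lives in one dictionary that both the enforcement rules and the log check are generated from, so the monitor cannot drift from what the firewall actually permits; and the check matches host and port together, so a known host on an unexpected port (the fourth record) is still flagged. On a real gateway the DROP rule would be preceded by a `conntrack --ctstate ESTABLISHED,RELATED` accept so return traffic for the permitted sessions is not cut off.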