Last week, supermarket chain Supervalu reported a data breach at least 200 of its stores, with the possibility of 1,000 stores having been affected in total. Here to comment on the incident are a number of information security experts, all of whom work at Proximity, Voltage Security, (ISC)2, and other leading companies in the field.
W. Hord Tipton, CISSP | Executive Director, (ISC)2:
“Once again, we see the consequences of retailers failing to adopt more serious security controls into their POS systems. Incorporating chip and pin technology into POS systems is one of the strongest measures retailers can take to protect their customers. Unfortunately, without mass adoption, retailers will continue to deal with the fallout associated with losing valuable customer information, further weakening public trust in their willingness to participate in credit and debit card transactions. All Supervalu customers should be proactive and ensure that all of their account alerts are activated, while also monitoring their accounts for fraudulent charges.”
Philip Lieberman, President, Lieberman Software:
“This is another example of an incompetent retail CEO incapable of providing the necessary leadership to secure their organization. Just as the CEO must manage his staff and assets, the CEO is responsible for protecting the security of his network and his customers. As in the Target case, the board should fire both the CEO and the senior IT management that allowed this to occur for gross negligence. Technology and processes exist to eliminate this class of problem, but the CEO chose not to or could not implement them due to lack of knowledge or will. In any case, termination would be an appropriate outcome to send a message to other CEOs that IT security is the responsibility of the CEO.”
Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies:
“The most interesting thing about the increased pace of significant breaches in the news isn’t the breaches but rather the reporting. The number of things getting hacked hasn’t increased; the number of reports about it has. Some of that is due to stricter guidelines from state and other government bodies on notification. But a lot of it is safety in numbers. Since they know the truth will be let out anyway, it’s better to get ahead of it. And with all these organizations reporting, it’s less toxic to be on the list. Who knows – maybe we’re reaching a point where you haven’t ‘arrived’ until you’ve had a major data breach.”Pierluigi Stella, Chief Technology Officer, Network Box USA:
“And again, another story about a POS compromised and CC data stolen. One has to wonder just how many more are out there that we’ll never hear about.
We always knew that POS were vulnerable and inherently weak. It was merely a matter of time before this issue exploded. Honestly? At this point, it’s much safe to infer that no POS is really safe. This begs the question – how are hackers able to infect these systems?
I’m imagining being at a store, waiting in the checkout line. The POS is a MS Windows system, but it only runs the POS application; usually nothing else is to be done on it. No email, no web access. So, theoretically, no malware should be downloaded on that machine. And yet, that is often precisely the case.
The Dexter Trojan, for example, parses memory dumps for specific POS software, looking for Track 1 and Track 2 CC data, meaning the Trojan must be installed on the POS. What’s going on in those networks that allows hackers to install malware on a POS? When you investigate these situations, you usually end up finding some sort of weak access protection somewhere on the network, i.e., things like remote desktop access open to the internet. This allows access to another computer on the network, which hackers can use to push the malware to the POS.
Another possibility is open wireless access which isn’t properly segregated from the POS network.
Although PCI DSS clearly specifies the criteria to be followed when setting up a wireless network within a retail store and distinguishes between “in scope” and “out of scope” (out of scope meaning that there’s absolutely no link between the POS network and the wireless network), I can only surmise from all these attacks that such criteria isn’t always adhered to.
Malware writers are very inventive in the way they distribute their code, but not all hope is lost. There are ways to keep them out.
Companies must think in very strict security terms at all times. By this, I don’t mean just installing an AV on the POS. Opening up RDP to the internet, for example, exposes your MS accounts to a hacker, who has all the time and tools he needs to find your weakest password and get in. Once he’s in, there’s absolutely no telling what damage he can cause. He doesn’t even need to compromise the POS themselves; a variant of Dexter called Stardust will “sniff” CC data in a network without the need to be installed on the POS.
The real way to protect a POS is to ensure that the POS network is truly separated from the rest of the network in every physical and logical way possible. Otherwise, the compromising of any single computer can become a great danger to the entire network and allow the deployment of POS Trojans.”
Mark Bower, VP Product Management and Solutions Architecture, Voltage Security:
“By now, every retailer is aware of the risks of malware in POS systems, the impact of infection, and the simple fact that PCI compliance doesn’t equate to mitigating advanced threats that no doubt ‘stole the gold’ in this case. The only way to neutralize this risk is to avoid any sensitive data passing in and through the vulnerable POS or retail IT. Hundreds of thousands of merchants already do this today with proven approaches using the latest innovations in data-centric security and are able to brush off such attacks like water off a duck’s back. These risks are totally avoidable – and at a fraction of the cost of the fallout from dealing with the consequences.”
Carmine Clementelli, Network Security Expert, PFU Systems, a Fujitsu company:
“Protecting valuable network data such as account numbers, payment cards information and, in some other cases, credit card information is becoming an increasingly common problem for businesses. Modern security practices must include a preventative approach with technologies that provide discovery and management of all the endpoints on the network in order to prevent access from unwanted intruders. Moreover when businesses are specifically targeted by increasingly sophisticated cyber-attacks like advanced persistent threats (APTs), new levels of security intelligence are required. APT attacks can use a variety of techniques to gain access to a specific target. Cyber attackers, through remotely controlled operations that are disguised in the flow of ordinary network communications, are able to carry out activities for long periods of time from outside the network. This makes it difficult to discover the problem at the exit points of the networks or on the endpoints. Today a multi-layer defense is required, with the combination of solutions that can detect malicious activities not only at the Internet edge but especially inside the company’s networks. These internal network technologies must be able to analyze relationships between multiple communications both from outside and within the network.”
Richard Blech, CEO, Proximity:
“The continuation of data breaches at the retail or POS level is becoming the favored target for hackers and thieves and these breaches are at epidemic proportions. A key solution to this problem at the POS or retail IT level is not to avoid any sensitive data passing through these systems but rather having that data process encrypted, thereby rendering said data completely useless when compromised to the data thief. Part of this encryption process is at the hardware level and not just at the POS software level.”