Staples Investigates Breach – Expert Comments

By ISBuzz Team, Writer, Information Security Buzz | Oct 26, 2014 05:05 pm PST

Earlier this week, Staples announced that it is investigating a potential data breach at several of its stores in the northeastern United States. Here to comment on this potential breach are a number of experts in the information security field. Leading enterprises including STEALTHbits Technologies and Network Box USA are represented.

John Gunn, VP Corporate Communications, VASCO Data Security:

“This latest breach demonstrates that criminal hacking organizations have much better collaboration and information sharing practices than our major retailers. In the past, mega-breaches were isolated events, but now, with well-developed secondary markets for hacking tools and techniques, multiple hacking organizations can execute similar attacks simultaneously or in rapid succession.

“It is still in the upper echelon, however; the next step for hackers will be targeting thousands of midsize and regional chains.

“The move to EMV will bring many benefits including a reduction in retail credit card fraud and a reduced incentive to attack retail databases of payment information, but we shouldn’t kid ourselves. New attacks will come, and retailers need to band together on an entirely new level to work in a unified manner similar to how their attackers do.”

Kyle Kennedy, CTO, STEALTHbits Technologies:

“It is becoming crystal clear that credit cards and the credit payment system we have today are just not working to protect the consumer when purchasing goods and services. Not a single one of my credit cards contains an embedded chip or forces me, at the time of sale, to enter a one-time-only transaction PIN to confirm the purchase. Retailers are waiting for the card issuers to start producing and sending cards with chips to consumers. The card issuers are waiting on retailers to install equipment that can read the credit cards with embedded chips.

“How many years has the finger pointing by retailers and card issuers occurred, and yet we as consumers accept their behavior?

“I for one love the fact I do not have to go to the ATM or bank daily to acquire cash when I make a purchase; however, it certainly seems it is significantly easier to steal my credit card and personal information with all the ‘protections’ retailers and credit card issuers have in place today than it is to steal actual cash out of my wallet. If someone from Capital One were to ask me what’s in my wallet, you know what I am saying today and going forward – ‘Cash – that is what’s in my wallet.’ How many more of these major retailer security breaches will it take until everyone starts marching to the same cash-only tune?”

Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies:

“Bad guys adapt – they moved from the PC to mobile just as quickly as everyone else. Skipping the card swipe moves the battlefield, but it doesn’t end the war with hackers for our data.”

Pierluigi Stella, CTO, Network Box USA:

“I’m not certain retailers can do more, nor am I sure that more is better. Throwing increased hardware and money at the problem isn’t going to solve the issues. ALL companies, not just retailers, need to put security at the center of their business processes. They must adopt a safe behavior at every single stage of their supply chain. They need to educate and impress upon their users to exercise caution when clicking on email links. They need to segment their networks so things don’t spread throughout an entire company like wildfire. This way, a breach, should it happen, won’t affect 150 million customers. Maybe just a handful. And they most definitely require true real-time monitoring because, if 76 million records can escape a Chase network, someone’s definitely not looking!

“It’s close to impossible to prevent all the attacks that are currently present on the Internet, and it’s even more impossible to prevent those that aren’t on the Internet now but definitely will be.

“However, it doesn’t mean that every Trojan will evolve into a major issue for a million customers. If companies invest in real monitoring, segment their networks, train their users and keep a strong security mentality throughout the entire organization, even if things aren’t 100% safe, the major issues we’ve witnessed this year might actually be contained to smaller, manageable fires.”

Mark Bower, VP of Product Management, Voltage Security:

“Perhaps this is another situation where POS (cash register, checkout, refund station, etc.) malware has been pushed down to a few stores during a POS patch to add new features, or software upgrade cycle, resulting in a compromise. This seems to be a possible common thread among recent breaches, enabling attackers to propagate malware to many endpoints, though of course this is speculative based on limited data on this particular scenario.

“The only realistic way merchants can foil malware from stealing the mag stripe data is to avoid live card data arriving into the POS, period. For mag cards, and even EMV cards, this entails encrypting up-stream of the POS using contemporary one-way encryption in a logically and physically secured card reader all the way to the payment processing host, beyond the retail store network. This makes a POS malware attack far more difficult than exploiting a networked POS running a standard OS like Windows. The merchant must totally avoid any card entry such as manual keying, swipe, or EMV chip read directly into retail systems in stores. Such entry points need to be replaced with secure readers for card data capture so only secured data processes through retail IT to the host. Once the card data is secured up to the host, previously stored credit card numbers can be replaced by surrogate tokens which have no attack value. Many merchants deploy tokenization today. However, without securing the initial card read where the most valuable data is exposed, such as highly attractive track data, there’s an exploitable gap with numerous malware variants designed specifically for it.

“If malware gets into the POS and steals track or card data directly in memory, then nothing can be done in the POS to mitigate. Tokenization of card data directly in the POS, which is sometimes suggested as a defense, would not achieve anything and worse, possibly expose an open tokenization interface itself to the attacker which could lead to higher levels of compromise. The current crop of POS malware, like BlackPOS, steals track data as it arrives into memory instantly. Once grabbed, it’s ‘game over’ as the data makes its way out to the malware controllers. Tokenization is only useful when combined with encryption in specially designed card-reading equipment for secure end-to-end data capture to eliminate live data in vulnerable systems.

“It will be interesting to see how this breach unfolds. In all probability, I would hazard a guess it was quite avoidable through contemporary encryption measures. Other large retailers who have suffered major breaches have already shifted gears to adopt such methods, based on years of success with their early-adopter peers who’ve not had a single incident since deployment.”
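The design point in Mark Bower's comment, that encrypting inside the reader keeps live track data out of POS memory while tokenizing inside the POS is too late, can be shown with a small simulation. This is an added example, not code from the article or from Voltage Security; the cipher is a toy SHA-256 keystream standing in for a real reader cipher, the track-2 string and key are constructed, and the discovery scan is a PCI-style cardholder-data check run over the bytes the POS held.

```python
import hashlib, hmac, re, secrets

# Toy keystream cipher (SHA-256 in counter mode) standing in for the
# reader's real cipher; constructed for illustration, not a production scheme.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def secure_reader_capture(track2: str, key: bytes) -> bytes:
    """Encrypt track data inside the reader; only nonce+ciphertext+tag leave it."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, track2.encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def host_decrypt_and_tokenize(blob: bytes, key: bytes, vault: dict) -> str:
    """Payment host (beyond the store network) decrypts and issues a random token."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("reader blob failed integrity check")
    token = "tok_" + secrets.token_hex(8)   # surrogate with no relation to the PAN
    vault[token] = _keystream_xor(key, nonce, ct).decode()
    return token

def luhn_ok(pan: str) -> bool:
    digits = [int(d) for d in pan][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

_TRACK2 = re.compile(rb";?(\d{13,19})=\d{4}")

def discover_cardholder_data(buffer: bytes) -> list:
    """PCI-style discovery scan: Luhn-valid PANs laid out as track-2 data."""
    return [m.group(1).decode() for m in _TRACK2.finditer(buffer)
            if luhn_ok(m.group(1).decode())]

def run_sale(track2: str, p2pe: bool, key: bytes, vault: dict):
    """Return (bytes the POS held in memory, token). With p2pe=False the POS
    sees the live swipe and tokenizes itself, which is too late to help."""
    pos_memory = secure_reader_capture(track2, key) if p2pe else track2.encode()
    if p2pe:
        return pos_memory, host_decrypt_and_tokenize(pos_memory, key, vault)
    token = "tok_" + secrets.token_hex(8)
    vault[token] = track2
    return pos_memory, token

SAMPLE_TRACK2 = ";4111111111111111=25121010000000000000?"  # constructed test card
```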