BreachExchange mailing list archives

Will Consumers "Back Off" Brick-and-Mortar After Latest Breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Oct 2014 20:38:37 -0600

http://apparel.edgl.com/case-studies/Will-Consumers--Back-Off--Brick-and-Mortar-After-Latest-Breach-95745

A few weeks ago, the Department of Homeland Security revealed malicious
software had infected more than 1,000 retailers' point of sale systems,
potentially leaking customers' credit card data to hackers. This malware,
known as "Backoff," was highlighted again in Home Depot's announcement
early last month. With Target's similar "Black POS" breach in the
not-so-distant past, these announcements mark strike after strike against
already shaky consumer confidence.

How the hacks are happening
Many of today's POS systems are essentially specialized personal computers,
capable of a wide range of functions including communicating with the
financial systems that process credit and debit card transactions. Hackers,
familiar with the inner workings of the operating systems and utilities
commonly used to maintain them, write malicious programs such as Backoff to
gain access to the information that flows through the system. The malware
takes advantage of remote control functions available in PC-, Apple- and
Android-based centralized administration tools to surreptitiously redirect
data to hackers' own systems. This data includes the prized credit card
information entered via swipe and manually by the cashier.

The risk for Canadian customers, whose banks implemented more secure
chip-and-PIN-based credit cards years ago, is relatively low.
Unfortunately, most U.S. banks still issue older mag-stripe-based credit
cards and most U.S. retailers haven't implemented end-to-end encryption
technology at the point of sale. As a result, financial data is unencrypted
or "in the clear" for a short – but clearly long enough – time during the
authorization process.

How to protect against hacks
The best medicine for malware is to take routine, aggressive, preventative
action. If this practice is not already in place, consider updating and
running antivirus software on every device that processes transactions as
part of the start- and end-of-day routine.

Another method of protection now available is to separate payment-related
information from the rest of the retail technology ecosystem entirely. This
might sound complicated, expensive or aggressive – and for the largest
retailers, it likely is. But considering the constant change in types of
attacks and the impact of a breach, retailers can't afford to wait to
invest in this type of solution.

Separate sales data from payment information
Any device that captures and redirects unencrypted credit data is – and
will always be – at risk of compromise. To be fully secured (at least until
hackers break through current encryption methods), every piece of hardware
and software in the payment process, starting with the credit card itself,
needs to be encrypted. For large brick-and-mortar merchants, encryption
requires a massive investment in new hardware and upgraded software.

But the same threat does not extend to e-commerce systems, since nearly all
retailers took steps to better protect this credit card data years ago.
Data is encrypted when it's first entered into HTTPS-enabled,
web-browser-based checkout, and typically stays separated and encrypted
throughout the authorization process.

Of course, while consumers love shopping online, not everyone wants to wait
for an item to ship to his or her home. In-store pick-up allows customers
to purchase on an encrypted site and have the item in hand that day. It
removes hackable cash registers from the equation entirely, letting
Backoff-fearing retailers and consumers rest secure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
