25 September 2014
More and more, we are seeing Point of Sale (POS) data breaches happening in the retail sector and consequently making the headlines. Below, Alex Fidgen, Director at MWR InfoSecurity, answers some frequently asked questions on the subject.
Vigilance: Why do POS breaches keep happening; are security teams not learning from others’ mistakes?
Answer: Sensitive information such as credit card details will always be targeted by attackers. Unfortunately, organisations often fail to consider the entirety of their technological estate when securing themselves, focusing instead on reducing the risk of attack in traditional, publicly accessible applications and systems. As organisations reduce the risk of a successful attack through their network perimeter, they often fail to consider the true breadth of the attack surface they expose and as such alternative attack vectors are often overlooked. POS devices are a perfect target for cyber criminals as these devices handle sensitive payment information and are connected to critical systems in a retailer’s network.
POS devices are difficult to protect as they have to be exposed publicly, leaving their interfaces open to attack. This means that if a criminal group is able to discover a vulnerability in a POS device, they will get easy access to a vulnerable interface. Additionally, vulnerabilities are complicated to patch. POS devices are distributed in a large number of locations and are not connected to the public Internet. Patching POS devices can be a lengthy and expensive process, leaving devices open to attack for months after a vulnerability has been discovered.
Most retailers are relying on vendors providing secure devices out-of-the-box and are failing to adequately protect the network environment in which the devices are placed. As our research shows, many POS devices are not secure out-of-the-box. As such, retailers need to put more emphasis on adequately isolating POS systems within their network.
Vigilance: Are bigger retail chains like Target and Home Depot more likely targets?
Answer: Not necessarily. Breaches like the one recently with Texan outfitter, Sheplers, show that any retailer can be open to attack. Bigger retailers will always be a more interesting target due to the greater number of transactions that they handle; this creates the potential for compromising a larger amount of sensitive information. However, cyber criminals will try to maximise their return on investment by compromising as many retailers as possible with the same vulnerability. As larger retailers become better protected, it is likely they will start to focus on smaller ones.
Vigilance: How do these cases impact the brands that experience a breach?
Answer: These kinds of attacks often affect public confidence in the brand over the short term. Target, for example, managed to recover from its breach; however, those in charge at the time of the breach lost or resigned from their jobs.
As public confidence reduces, it can be expected that this will have negative effects on their brand. Clear demonstration that they are handling this incident transparently and effectively will help them to not only recover but avoid such incidents in the future. It has just come to light that Home Depot knew that security was poor amongst the staff; the effects of these revelations remain to be seen.