

More and more, we are seeing Point of Sale (POS) data breaches happening in the retail sector and consequently making the headlines. Below, Alex Fidgen, Director at MWR InfoSecurity, answers some frequently asked questions on the subject.

Vigilance: Why do POS breaches keep happening; are security teams not learning from others’ mistakes?

Answer: Sensitive information such as credit card details will always be targeted by attackers. Unfortunately, organisations often fail to consider the entirety of their technological estate when securing themselves, focusing instead on reducing the risk of attack in traditional, publicly accessible applications and systems. As organisations reduce the risk of a successful attack through their network perimeter, they often fail to consider the true breadth of the attack surface they expose and as such alternative attack vectors are often overlooked. POS devices are a perfect target for cyber criminals as these devices handle sensitive payment information and are connected to critical systems in a retailer’s network.

POS devices are difficult to protect as they have to be exposed publicly, leaving their interfaces open to attack. This means that if a criminal group is able to discover a vulnerability in a POS device, they will get easy access to a vulnerable interface. Additionally, vulnerabilities are complicated to patch. POS devices are distributed in a large number of locations and are not connected to the public Internet. Patching POS devices can be a lengthy and expensive process, leaving devices open to attack for months after a vulnerability has been discovered.

Most retailers are relying on vendors providing secure devices out-of-the-box and are failing to adequately protect the network environment in which the devices are placed. As our research shows, many POS devices are not secure out-of-the-box. As such, retailers need to put more emphasis on adequately isolating POS systems within their network.

Vigilance: Are bigger retail chains like Target and Home Depot more likely targets?

Answer: Not necessarily. Breaches like the one recently with Texan outfitter, Sheplers, show that any retailer can be open to attack. Bigger retailers will always be a more interesting target due to the greater number of transactions that they handle; this creates the potential for compromising a larger amount of sensitive information. However, cyber criminals will try to maximise their return on investment by compromising as many retailers as possible with the same vulnerability. As larger retailers become better protected, it is likely they will start to focus on smaller ones.

Vigilance: How do these cases impact the brands that experience a breach?

Answer: These kinds of attacks often affect public confidence in the brand over the short term. Target, for example, managed to recover from its breach; however, those in charge at the time of the breach lost or resigned from their jobs.

As public confidence reduces, it can be expected that this will have negative effects on their brand. Clear demonstration that they are handling this incident transparently and effectively will help them to not only recover but avoid such incidents in the future. It has just come to light that Home Depot knew that security was poor amongst the staff; the effects of these revelations remain to be seen.