When the Target breach was first announced, I told anyone who would listen a) that this was unusual only in its scope, not that a store suffered a breach and b) expect this story to be the tip of the iceberg. People who understood security agreed (one of my friends even told me that he stopped using a debit card because of my warnings), but too many of my business-owning acquaintances brushed it off, saying that Target was huge and that’s why it was breached.
Well, you have to be living under a rock to not notice that retail breaches are happening with alarming frequency, they are happening to retail businesses both large and small, and they are happening for different reasons. For example, the recently announced Goodwill breach is thought to be caused by a third-party vendor. Other retail breaches were due to a Trojan called Backoff, which has been around for about a year. Explained by SmallBusinessComputing.com:
Backoff, and its variants, sits stealthily on Microsoft point-of-sale (POS) systems, acting essentially as both a credit card skimmer and key logger, then periodically transmits its haul to data thieves.
In that article, Andrew Bagrin, founder and CEO of My Digital Shield, pointed out that for every retail breach we hear about, hundreds more are falling through the cracks.
While I’m not surprised by the influx of retail breaches, I have been wondering why retail seems to be the most prevalent target in 2014. Is it media hype or is the industry purposely under attack? Russ Spitler, VP of Product Management at AlienVault, answered that question for me. Yes, he said, the retail industry is being targeted more than ever for a couple of reasons. First, the industry still doesn’t take security as seriously as it should and the hackers are exploiting it, while at the same time, other industries, like banks, have taken steps to improve security. Second, point of sale systems originally designed and built years ago are easy places to grab a foothold. Spitler went on to tell me in an email:
Hackers are focusing on retailers because 'that is where the money is' - it is the easiest target with the greatest reward. These criminals are doing the cost analysis of the investment they need to make to breach a target and what they are going to get in return. We have just seen reports of incredibly sophisticated attacks against major Wall Street banks - customized malware and long campaigns - if that is what it takes to break into a bank, no wonder the bigger breaches are focusing on the less sophisticated targets with just as large an economic potential.
Those who regulate the retail industry are taking steps to put more emphasis on security. The PCI Security Standards Council has introduced a new initiative called Passwords for Payments. The initiative is geared toward small businesses and is to provide education on the importance of improved password security. And by next October, businesses that use credit card technology will be required to replace their old magstripe credit/debit card technology with chip and PIN, long the standard in the majority of countries outside the United States. And a lot of people are touting that Apple Pay will put an end to point-of-sale breaches, but I’m not buying into that until Apple does a much better job about its overall security.
These are steps in the right direction. But we’ll continue to have the weekly (or now almost daily) announcement of a new retail breach until the industry as a whole takes security a lot more seriously.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba