By Michael Ryan
I’ve been reading the latest news about the point-of-sale (POS) breach at Michaels Stores, the arts and crafts retailer, where hackers appear to have replaced PIN entry devices (PEDs) with their own terminals designed to skim card information and capture PINs. Unfortunately, this is not an unfamiliar story. Remember the Aldi breach from a few months ago? Both of these are examples of multi-state coordinated attacks on POS systems.
Hackers are becoming smarter and are identifying and exploiting new weaknesses among merchants. Furthermore, this is just one more example demonstrating that PCI compliance alone is not enough. Neither the PCI DSS nor the PIN Transaction Security (PTS) requirements call for payment terminal identification or other controls that would have helped detect this attack. I have to assume a company with Michaels’ reputation was PCI compliant, so this may be another unfortunate example of compliance falling short of good security practice.
We don’t know all of the details of these particular breaches, but from what we do know, if point-to-point encryption (P2PE) had been implemented, transactions from the substituted terminals would have failed to decrypt and error codes would have been returned to the POS, alerting the merchant to the problem at transaction 3 or 4 instead of month 3 or 4.
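To make that argument concrete, here is an added toy model (not code from the original post, and not a real P2PE or DUKPT implementation): each registered PED shares a key with the decryption host, so a swapped terminal's first transaction fails to authenticate and decrypt, and the host raises an error immediately. The terminal IDs, keys and track data are all constructed.

```python
import hashlib
import hmac
import os

# Toy model of the P2PE argument (constructed, not real DUKPT/P2PE): every
# registered PIN entry device (PED) shares a key with the decryption host, so
# a swapped terminal's very first transaction fails to authenticate/decrypt.
def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """n bytes of keystream from HMAC-SHA256 in counter mode (toy cipher)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def terminal_encrypt(key: bytes, terminal_id: str, track_data: bytes) -> dict:
    """What a PED sends: encrypted track data plus a tag bound to its terminal ID."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track_data, keystream(key, nonce, len(track_data))))
    tag = hmac.new(key, terminal_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"terminal_id": terminal_id, "nonce": nonce, "ct": ct, "tag": tag}

def host_decrypt(inventory: dict, msg: dict):
    """Host-side check: registered terminal? valid tag? Returns (status, plaintext|None)."""
    key = inventory.get(msg["terminal_id"])
    if key is None:
        return "UNKNOWN_TERMINAL", None        # terminal identification failure
    expected = hmac.new(key, msg["terminal_id"].encode() + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return "DECRYPT_FAIL", None            # wrong key: swapped or tampered device
    pt = bytes(a ^ b for a, b in zip(msg["ct"], keystream(key, msg["nonce"], len(msg["ct"]))))
    return "OK", pt

def run_demo() -> list:
    """Three transactions: the registered PED, a skimmer that took its place (same
    terminal ID, attacker's own key), and an unregistered device. Returns statuses."""
    inventory = {"PED-0042": os.urandom(32)}     # constructed: one registered PED
    attacker_key = os.urandom(32)
    track = b"constructed track data, not a real card"
    transactions = [
        terminal_encrypt(inventory["PED-0042"], "PED-0042", track),
        terminal_encrypt(attacker_key, "PED-0042", track),
        terminal_encrypt(attacker_key, "PED-9999", track),
    ]
    results = []
    for n, msg in enumerate(transactions, 1):
        status, _ = host_decrypt(inventory, msg)
        results.append(status)
        if status != "OK":     # the merchant learns of the swap at transaction n, not month n
            print(f"ALERT at transaction {n}: {msg['terminal_id']} -> {status}")
    return results             # returns ['OK', 'DECRYPT_FAIL', 'UNKNOWN_TERMINAL']
```

The second transaction is the Michaels/Aldi scenario: a device in the registered slot that does not hold the registered key is rejected on its first attempt.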
The fact is that hackers will continue to prey on the weakest link to achieve the greatest results. By attacking POS systems and PIN pads, they can gain access to a gold mine of payment data if a higher level of security isn’t implemented.
The moral to this story? PCI compliance is needed…but it is just a start. Increased security is a must.
By Michael Ryan
Most of you in the retail industry are probably still frightened by the idea that your company’s name may be the next to be splashed up in the headlines. Being the next TJX or Hannaford is motivation enough to double check the security of your networks and vow never to be complacent in your security efforts.
In the past, security breaches have been straightforward: hackers have identified vulnerabilities and then exploited them to gain access to the network and databases to obtain customers’ confidential information such as credit card numbers, social security numbers and other personal data. Today, the attacks on the retail sector are increasingly sophisticated. Just take a look at last month’s announcement concerning a breach at Aldi, a discount grocer that operates 1,100 stores in 31 states.
As reported by Computerworld, hackers tampered with payment terminals at stores in 11 states during the summer months, gaining access to credit and debit card data such as name, account data and personal identification numbers (PINs). According to reports, the theft of the PIN data suggests that hackers captured PINs as they were entered.
This was an incredibly sophisticated and coordinated attack designed to steal data in flight, as opposed to the traditional target of data at rest. Moreover, it showed a brashness seldom seen. The crooks didn’t hide behind their computers many miles away. At some point they physically tampered with the terminals inside the stores in order to execute the attack.
The bottom line is that between damage to brand and monetary fines, the stakes of fraudulent activity are getting higher and higher for retailers. At the same time, criminals are becoming more creative and brazen in their efforts to steal data, requiring retailers to continue to advance their payment security infrastructure. Unfortunately, there is no single security solution that is going to protect your systems against credit card data breaches. Ensuring that you implement a defense-in-depth approach that addresses anti-virus, monitoring, tokenization and point-to-point encryption is critical if you want to keep up with the sophistication of today’s criminal organizations.