Credit card breaches have been a dime a dozen in the U.S. in recent years. Incidents such as last winter's breaches of Target, Neiman Marcus and Michaels highlighted what can happen when targeted attacks meet the relatively loose security mechanisms of the magnetic stripe payment card. Among industrialized countries, the U.S. is nearly alone in its continued use of this outdated technology, while almost everyone else has moved on to the safer Europay MasterCard Visa standard, which utilizes an embedded microchip and PIN identifier for more secure authentication.
Fortunately, the transition to EMV in the U.S. is on the horizon. Many American retailers will make the switch before the October 2015 deadline due to a change in how the major credit card companies assign liability. After that time, merchants with outdated point-of-sale terminals, rather than issuers and processors, will be on the hook for fraud incidents. On the downside, the looming switch has put cybercriminals in something akin to "last chance mode" as they try to literally cash in during the final days of legacy swipe-and-sign cards.
Brick-and-mortar retailer or Web storefront: Which is the more likely target?
While Web companies such as eBay have been under pressure from cyberattacks – including the one that prompted the retailer to ask 145 million users to reset their passwords last May – criminals have most aggressively targeted brick-and-mortar facilities. Even before Target et al. were breached, physical stores were, perhaps counterintuitively, more valuable and exploitable than online retailers for several reasons:
- Compliance versus security: While many brick-and-mortar merchants adhere to the Payment Card Industry guidelines to protect their PoS boxes, PCI compliance is not a guarantor of comprehensive system security. Michael Kingston, CEO of Neiman Marcus, wrote a letter to U.S. Senator Dick Durbin in January 2014, explaining that the organization went above and beyond PCI requirements yet still was infiltrated. His company's case isn't unique – Target was also PCI-compliant at the time of its breach. Moreover, PCI may not go far enough in its anti-malware controls, since it doesn't have the same requirements for data in motion that are in place for data at rest. As such, it leaves channels open for surveillance and theft.
- Malware: PoS terminals are often built with embedded versions of Microsoft Windows. The authors of the 2014 Trend Micro research paper, "Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries," observed that this arrangement makes the creation of applicable malware trivial, given the enormous ecosystem of threats tailor-made for the popular PC operating system. Since PoS systems are also networked, relaying any stolen card information is easy once security has been bypassed.
- Supply chains and risks: Brick-and-mortar stores depend on numerous employees and contractors to support their daily operations. The scope of many of these companies means that there are myriad potential weaknesses, from the store floor to the supply chain. For example, Target may have been the victim of a compromised heating, ventilation and cooling system with remote access to the other parts of its infrastructure. There's also the risk of the so-called "insider threat," in which a worker could willfully or accidentally put assets into harm's way. A 2013 study from Loudhouse found that 58 percent of all security incidents were precipitated by current/ex-employees, customers and suppliers.
- Value: Card data lifted from PoS terminals is ultimately more valuable than any would-be equivalent from the Web. As security researcher Brian Krebs recently noted, using card data online is fraught with risks for thieves, who have to find merchants that ship to addresses not listed on pilfered cards. In contrast, numbers lifted directly from stores are much simpler – they can be turned into fake cards and used for immediate purchasing.
- The Internet of Everything: Retailers are becoming de facto software companies with transactions and operations heavily dependent on IP-enabled devices. Technologies may help them monitor shelf space and, in an extension of what Target was already doing with its HVAC contractor, carefully monitor and adjust in-store temperatures. The drawback of this Internet of Everything is that endpoint security hasn't caught up with hype and implementation. Patch rollout has to become better than it has been for mobile devices so far – more than 80 percent of Android phones and tablets are missing key security updates, even as the OS is poised to become a big part of the IoE via smartwatches, cars and home automation.
While consumers continue to drive enormous growth of e-commerce – a $220 billion industry as of June 2014, with much better growth prospects than brick-and-mortar – traditional stores are becoming a bigger front in the fight against identity and data theft. The value of retail information is so high that if cybercriminals sell just a small percentage of the stolen cards, they can still turn considerable profits, even in seemingly saturated markets in which hundreds of millions of numbers are floating around.
The move to EMV and what consumers and businesses can do in the interim
Mainstream EMV in the U.S. isn't far off, with the recent spate of breaches likely eliminating whatever tradeoffs retailers were mulling over in the impending transition from magnetic stripe to EMV. It's regrettable that the switch wasn't made earlier (some merchants considered it a decade ago), but the upgrade is going to happen. Until then, though, what can consumers and brick-and-mortar businesses do?
Credit and transaction history checks are a must. Some breached retailers offer free monitoring services to customers whose data may have been compromised.
The switch to EMV will provide a much-needed boost in authentication integrity, but network security must also be tended to. Cybersecurity solutions make it easier to monitor for known vulnerabilities, issue patches and OS updates on schedule and limit both PoS and Internet access when appropriate. Security has become a continuous process, rather than a checklist-based exercise, and enterprises must shore up their practices for the new threat environment.
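A concrete form of "limit PoS and Internet access" is an egress allow-list for the PoS segment, which also turns the networked-terminal relay problem described earlier into something detectable: a terminal should only ever talk to its payment gateway and its patch server. The following added example (not from the original article) audits constructed flow-log records against such a policy; the addresses, ports and byte threshold are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records for a PoS VLAN: timestamp, source, destination, port, bytes.
# Addresses are from documentation ranges and do not describe any real incident.
SAMPLE_FLOWS = """\
2014-09-03T10:15:02 10.20.5.11 203.0.113.10 443 1820
2014-09-03T10:15:07 10.20.5.12 203.0.113.10 443 1744
2014-09-03T10:16:40 10.20.5.11 10.20.9.50 445 92000
2014-09-03T10:17:01 10.20.5.13 198.51.100.77 443 2000000
2014-09-03T10:18:22 10.20.5.13 192.0.2.200 21 3500000
"""

POS_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
# Hypothetical allow-list: the payment processor gateway (TLS) and the internal patch share (SMB).
ALLOWED_DESTINATIONS = {"203.0.113.10": {443}, "10.20.9.50": {445}}
# A terminal sends small authorization messages; this much data to one host is out of profile.
BYTES_THRESHOLD = 1_000_000


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src_ip, dst, port, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((ts, ipaddress.ip_address(src), dst, int(port), int(nbytes)))
    return rows


def audit_pos_egress(flows):
    """Return (src, dst, port, reason) for every flow from the PoS segment that breaks policy."""
    findings = []
    totals = defaultdict(int)
    for ts, src, dst, port, nbytes in flows:
        if src not in POS_SEGMENT:
            continue  # only terminals are held to the allow-list
        allowed_ports = ALLOWED_DESTINATIONS.get(dst)
        if allowed_ports is None or port not in allowed_ports:
            findings.append((str(src), dst, port, "destination/port not on PoS allow-list"))
        totals[(str(src), dst)] += nbytes
    # Volume check runs per (terminal, destination) pair across the whole window.
    for (src, dst), total in totals.items():
        if total > BYTES_THRESHOLD:
            findings.append((src, dst, None, f"{total} bytes to one host exceeds threshold"))
    return findings


if __name__ == "__main__":
    for finding in audit_pos_egress(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Both checks are deliberately independent: a blocked destination is a policy violation even at low volume, and a large transfer to an allow-listed host still deserves a look.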