BreachExchange mailing list archives

7 reasons why we’re going to see more card data breaches at our favorite retail stores


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Aug 2014 19:54:18 -0600

http://venturebeat.com/2014/08/20/7-reasons-why-were-going-to-see-more-card-data-breaches-at-our-favorite-retail-stores/

Recent card data breaches at Supervalu and Albertsons retail chains are
just the latest in a long series of high-scale security incidents hitting
large retailers such as Target, Neiman-Marcus, Michael’s, Sally Beauty, and
P.F. Chang’s. These breaches are raising a lot of questions, one of the
most important of which is: Are we going to see more of these?

The short answer is yes; in the foreseeable future we will continue to see
more breaches. Here’s why:

1. PCI DSS (Payment Card Industry Data Security Standard) is failing to
protect merchants from security breaches. The original idea behind PCI DSS,
which was created 10 years ago, was that the more merchants we have that
are PCI compliant, the fewer breaches we’ll see. The statistics show the
exact opposite trend: Most merchants who recently experienced card data
breaches are PCI DSS compliant. The problem is that, in the 10 years since
PCI DSS debuted, the standard hasn’t evolved to address the real threats,
while hackers, who have already learned all the point-of-sale
vulnerabilities, have been constantly working to enhance their malware.

2. Merchants and service providers are still not widely implementing P2PE
(Point-to-point Encryption) technology, which is the only realistic way to
address the payment card security problem. Despite the strong support for
P2PE from the payment security community, only four solution providers are
certified with the PCI P2PE standard, and at least two of them are located
in Europe. The problem with P2PE is that it is very complex and expensive
and requires very extensive software and hardware changes at all points of
transaction processing — from the POS (point-of-sale) in the store to the
back-end servers in the data center.

3. Retailers introduce new payment hardware, including tablets and
smartphones, that are neither designed nor tested for security issues they
face in the hazardous retail store environment. PCI DSS does not directly
address any mobile security issues.

4. Updates and new features to POS and payment software open up new risks.
Merchants want more features in their software in order to stay
competitive. POS software vendors provide those features atop existing
functionality by supplying endless patches. The complexity builds up,
extending the areas of exposure, and security risks grow accordingly. Those
risks are not necessarily mitigated by continuously updated software.

5. Vulnerable operating systems make it easier for hackers to penetrate a
network and install malware. Most POS systems are running on Windows OS,
and some retailers are still using Windows XP, which Microsoft has not
supported since April 8, 2014. We don’t know how many “zero-day”
vulnerabilities are out there, but we know for sure that those
vulnerabilities, even if they are discovered and published, will never be
fixed.

6. The traces of many card data breaches often lead to Russia. While the
main motivation for all of these attacks is probably still financial, the
modern Russian anti-Americanism also encourages Russian hackers to attack
U.S.-based merchants more as an act of patriotism rather than a crime. This
is a new reality that is different from what we had just a few years ago.

7. Finally, EMV technology, which is supposed to “save” the payment card
industry, is not a silver bullet solution. Although this is a topic for a
full separate article, let’s at least briefly review the EMV problems
and see why it’s not going to bring total relief.

- Even if the U.S. starts to transition to EMV immediately, it may take a
few years until the majority of credit cards are chip cards. During this
interim period and even beyond that, merchants will continue accepting the
regular magnetic stripe cards, so they will still be vulnerable to existing
attack vectors.
- EMV does not protect online transactions: You still need to manually key
in the account number when shopping online. Online transactions will
still be vulnerable even after full EMV adoption, and for many retailers
ecommerce is a constantly growing sector.
- Although EMV is more secure than magnetic stripe technology, there are a
lot of vulnerabilities in EMV, and many of them are still undiscovered, or
their exploits are not yet well developed. Today, when there are so many
U.S. merchants accepting magnetic stripe cards, hackers aren’t bothering to
research EMV security issues. But once the EMV transition is done in the
U.S., the global focus of attacks will shift away from magnetic stripe
cards to EMV and ecommerce.