Data breaches and security threats are a growing concern for retailers. For the past two years, the retail industry has ranked second in the percentage of incidents, just behind the accommodation and food services industry. In all of these industries, the main driver for breaches is the point of sale system used to conduct daily business activities.
The annual Data Breach Investigations Report by the Verizon RISK Team analyzed forensic evidence to see how sensitive data is stolen. Its findings revealed that attackers are usually opportunistic and seek easy prey in small and mid-sized retailers. While criminals exploit both physical and virtual vulnerabilities, experts say a few simple measures can go a long way in improving security.
Retailers at great risk
A LexisNexis True Cost of Fraud Study conducted by Javelin Strategy and Research found that fraud, including data breaches, cost retailers more than $100 billion in 2011 – a year that saw some of the largest recorded data breaches in history, with information leaks compromising more than 180 million records. The “Epsilon” data breach in April 2011 leaked more than 77 million customer names and affected companies like Best Buy, Brookstone, Kroger, Capital One and JPMorgan Chase.
While large-scale attacks like those are less common, every day smaller retailers all around the country fall victim to data breaches. The Verizon report aims to learn who is stealing that data, how they are doing it, how the victims are responding and what could have been done to prevent it. The Retail Industry Snapshot provides data and evidence from 330 confirmed breaches in the retail industry over the past two years.
Jay Jacobs, managing principal with Verizon Enterprise Solutions’ RISK Team, says the retail industry is “plagued” with POS-focused security breaches by organized criminal groups that exploit guessable, weak or default credentials to gain access to these systems. The LexisNexis report pegged 2011 losses at $100 billion, but it’s difficult to pinpoint how many attacks contributed to that total.
“It’s hard to get accurate data on just how many breaches are occurring,” Jacobs says, but “The number of cases [Verizon’s RISK team has access to] each year is increasing.”
Seeking easy prey
Most losses and data breaches are the result of thousands of small-scale attacks that happen every day. They range from malicious card swipe devices at gas stations and self-checkout terminals to random hacks. Sometimes all it takes is an employee accidentally clicking on a malicious e-mail attachment to open the door for a data breach.
Types and numbers of data breaches vary dramatically when broken down by organization size and POS system type. Of all the retail breaches cited in the report, 80 percent were reported at organizations with 11 to 100 employees. Jacobs says these smaller retailers are “soft” targets that are rarely sought out by attackers but easily become victims of opportunity.
Ninety-six percent of breaches in the retail industry were also from external sources, usually in the form of hackers who scour information on the web, or physical attackers who use data skimming devices on the POS system. The report found that many of the attacks are relatively simple: Criminals look for vulnerabilities in an organization, find a hole, move in and steal the data. Not much effort is put into the breach, and criminals look for easy opportunities and the path of least resistance.
“Most attackers are opportunistic and they end up getting smaller stores because they just don’t have” high levels of physical and/or IT security, says Jacobs.
Smaller organizations often use third-party POS systems and typically don’t have the budget for on-site IT support, he says. The biggest problem is that many in those organizations actually use default or easy-to-guess passwords that let hackers walk right into the system. Of the “threat actions” that identify how a breach occurred, exploitation of default or guessable credentials accounted for 31 percent of the cases — the second-most common reason for a breach behind physical tampering (48 percent).
“They just set a default password, have a computer facing the Internet and they’re just vulnerable to attackers that find it,” says Jacobs.
When broken down by categories, breaches were almost evenly split between hacking and physical attacks. Malware accounted for nearly a quarter of the breaches resulting from hacking, while most of the physical attacks documented in the data were due to the installation of gas pump skimming devices. These skimmers are placed inside the pumps between the card reader and the rest of the POS hardware. When the credit cards are swiped at the pumps, the magnetic stripe data is skimmed and then stored in the device, which is later retrieved by the criminals. It is not as common in retail establishments – and Jacobs says that when it does happen, it’s usually with the help of an employee.
“It is often used in collusion with some inside personnel,” he says. “They might have a little hand scanner that they keep in their pocket and as they take the customer’s credit card, they swipe it with their hand.”
The report makes a number of recommendations for minimizing the risk of data breach, and many of them are relatively easy to implement. Because threats vary by organization size and type, so too do the recommendations. But Jacobs says simply creating a better password can go a long way towards increasing security.
“Making sure you don’t have a default password on there can make a tremendous difference,” he says. “So many [POS systems] have easily guessable credentials.”
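As an added illustration of the default-credential problem Jacobs describes (this is not code from the article or the Verizon report), a small Python audit that flags POS accounts using vendor defaults or guessable passwords and ranks Internet-facing systems first; the inventory, the default list and the length threshold are constructed placeholders, not real vendor values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder list of (username, password) vendor defaults;
# a real audit would load the vendor's documented defaults for each POS model.
KNOWN_DEFAULTS = {("admin", "admin"), ("pos", "pos"), ("administrator", "password")}

# Constructed list of passwords that brute-force tools try first.
GUESSABLE = {"1234", "12345", "123456", "password", "welcome", "letmein"}

@dataclass
class PosAccount:
    host: str
    username: str
    password: str
    internet_facing: bool  # True if the host's admin service is reachable from the Internet

def credential_issue(acct: PosAccount) -> Optional[str]:
    """Describe the credential weakness, or return None if the credential is acceptable."""
    user, pw = acct.username.lower(), acct.password
    if (user, pw.lower()) in KNOWN_DEFAULTS:
        return "vendor default credential"
    if pw.lower() == user:
        return "password equals username"
    if pw.lower() in GUESSABLE:
        return "commonly guessed password"
    if len(pw) < 12:  # constructed threshold
        return "password shorter than 12 characters"
    return None

def audit(accounts: List[PosAccount]) -> List[Tuple[str, str, str, str]]:
    """Return (severity, host, username, issue) findings, Internet-facing weak hosts first."""
    findings = []
    for acct in accounts:
        issue = credential_issue(acct)
        if issue is None:
            continue
        # A weak credential on an Internet-facing POS is exactly the "computer facing
        # the Internet with a default password" case, so it outranks an internal host.
        severity = "critical" if acct.internet_facing else "high"
        findings.append((severity, acct.host, acct.username, issue))
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

SAMPLE_INVENTORY = [  # constructed sample data
    PosAccount("pos-register-1", "admin", "admin", internet_facing=True),
    PosAccount("pos-register-2", "cashier", "cashier", internet_facing=False),
    PosAccount("pos-backoffice", "manager", "Tr0ub4dor&3-longer", internet_facing=False),
    PosAccount("pos-kiosk", "kiosk", "1234", internet_facing=True),
]

if __name__ == "__main__":
    for sev, host, user, issue in audit(SAMPLE_INVENTORY):
        print(f"{sev:8} {host:16} {user:10} {issue}")
```

The same check extends naturally to a firewall export: any host that appears in `audit()` output with `internet_facing=True` should have its remote-administration port closed before the password is even rotated.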
For in-store POS systems that may be vulnerable to tampering, Jacobs says organizations need to pay close attention to where devices are located and how they could be physically accessed by thieves. Pay-at-the-pump terminals represented 46 percent of compromised assets listed in the report, while servers and user devices represented 36 and 22 percent, respectively. Although database servers and desktop computers in a backroom seem like they could be vulnerable, they only represented 12 percent of the breached assets in cases reported in the study.
It’s unlikely that a card swiper could be tied into a manned POS system in a busy retail establishment, but Jacobs says it does happen at self-checkouts. Employees should be taught what such devices look like and monitor these stations for tampering at periodic intervals.
As more retailers move to mobile POS systems, security will be an even greater concern. Use of iPads, tablet devices and self-checkout is growing, but with it comes more vulnerabilities. Criminals are always trying to create new ways to access data; this includes malware that can open a backdoor, inject a keylogger, disable or interfere with security controls, or capture data on systems.
“The chance of theft is probably going to increase” along with the proliferation of mobile POS, Jacobs says. “The question is whether they’re just after the device or want the data. In either case, there will be more risk.”
Jacobs says that response time is a good indicator of the maturity of an organization’s security program. The sooner an organization discovers a breach, the sooner it can attempt to limit exposure. In over two-thirds of cases, it takes merely minutes — even seconds — to compromise information following an attack, but nearly a third of cases (29 percent) aren’t discovered until weeks after initial compromise; 54 percent of cases aren’t discovered within months. And from the time of discovery, 38 percent of breaches took weeks to restore.
“The damage is done within seconds or minutes so even if we decreased the discovery time, it’s hard to say there would be less impact,” Jacobs says. “Our recommendation is to try to prevent the attack in the first place.”