In a recent post on ComputerWorld.com, Jeremy Kirk of IDG News Service says that hackers may have the upper hand for years as the retail industry slowly upgrades its systems.
As the only full-service point of sale provider — from software development to franchise incubator to ongoing support — part of Sintel’s commitment to our customers and business community is to share relevant ideas, information and industry news.
Here are the highlights of Kirk’s ComputerWorld.com post, “Why Hackers May Be Stealing Your Credit Card Information For Years”:
• As one example, Kirk describes how a simple configuration error allowed a penetration tester to gain remote access into a merchant’s computer network. At that point, the retailer was vulnerable to malicious software that can harvest card data stored in memory.
• One sign the problem is worsening: The U.S. Department of Homeland Security and Secret Service warned last month that upward of 1,000 businesses may be infected by malware on their electronic point of sale (POS) devices.
• Using a process known as “RAM scraping,” malware such as Backoff, BlackPOS and JackPOS hunts down clear-text payment card details that are held momentarily in a computer’s memory.
• Tech experts say that PCI-DSS version 3.0, the latest security specification, does not mandate point-to-point encryption, which would eliminate the in-memory malware issue.
• The PCI-DSS developers at the PCI Security Standards Council recently recommended that merchants switch to that kind of encryption technology. Historically, however, retailers can have technology refresh cycles as long as five to seven years. As a result, Avivah Litan, a Gartner analyst who consults with banks and card companies, tells Kirk, “Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones who have not.”
• Kirk writes that retailers are also missing key signs in their network logs that they’re under attack. “Subsequently, most breaches are discovered by third parties, such as when fraud shows up on cards,” said Bryan Sartin, managing director for Verizon’s Risk Team, quoted in the post. “Many merchants are using 1990s technology to react to modern-era cyberattacks.”
• Nick Economidis, an underwriter with the Beazley Group, says the firm’s data breach insurance business has boomed, in part because merchants can be fined by card companies for breaches and are on the hook to pay for forensic investigations – which for PCI-related breaches can cost as much as $100,000.
• Merchants have on occasion struck back by suing suppliers and integrators of point of sale systems and arguing that the suppliers are liable for breaches due to setup and maintenance errors. “Interestingly, very few of the lawsuits are ever litigated, as POS suppliers often choose to settle,” says Charles Hoff, an Atlanta-based lawyer who has been involved in many such actions.
• PCI-DSS 3.0, which comes into force on January 1, 2015, is complex, with 12 main requirements and more than 250 sub-requirements.
• “The PCI Council advises that retailers can’t just pass an annual audit and forget about it,” writes Kirk. “A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.”
Read the full ComputerWorld.com post here.
For more insights into point of sale security, check out our related posts, Criminals Hit Their Target, 40 Million Cards Affected, Target Hack Claims Its Final Victim, EMV Technology Chips Away at Credit Card Fraud, Target Acquisition, and “Backoff” Tracking Memory, Taking Credit.
Just as Sintel shares our vast point of sale experience and expertise with startup owners in order to help them make the best decisions from the very beginning, we are happy to share articles, advice and commentary about retail point of sale and security.
Whether you’re a first-time franchise hopeful, a small business owner or an established chain, it’s always smart to stay on top of the latest point of sale security best practices to achieve financial success.
If you are interested in learning more about Sintel’s point of sale systems and how our knowledge and support can impact your future success, call us for a complimentary phone consultation.
Sintel Systems is the only direct-to-end-user full-service provider of tailored point of sale systems across the retail, restaurant and service industries, including frozen yogurt shops, pizzerias, sushi restaurants, cafés and retail stores.
As a single source for business solutions, our experienced, knowledgeable team negotiates the complex POS landscape for you to enable you to find the right POS system for your business and budget. Hardware – Software – Support