BreachExchange mailing list archives

Why are brick-and-mortar retailers crumbling under hacker attacks?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Jan 2014 17:15:18 -0700

http://www.digitaltrends.com/opinion/target-neiman-marcus-offline-shopping-online-risk-dangers/

Over the weekend, high-end retailer Neiman Marcus admitted that hackers
infiltrated its system and stole untold lists of credit and debit card
numbers, along with other personal information belonging to its customers.

The breach comes just days after Target said that hackers stole the payment
data, addresses, phone numbers, and names of some 70 million customers – a
number that may or may not include the roughly 40 million shoppers whose
private data landed in hackers’ hands following the post-Thanksgiving
spending spree.

The bleeding does not stop there, however; according to Reuters, hackers
have successfully breached the systems of “at least three other well-known
US retailers.” We don’t yet know the identities of these outlets, but will
undoubtedly find out soon.

Cyberattacks are nothing new, of course. What makes the Target and Neiman
Marcus breaches so frightening for shoppers – at least, for this shopper –
is that both attacks only affected customers who made purchases offline.

So why have hackers suddenly turned toward brick-and-mortar retailers? How
are they pulling it off? And is it possible that shopping offline is now
less safe, or at least as risky, as shopping online?

Low-hanging fruit

Since Amazon.com launched in 1995, consumers have worried about hackers
snagging their credit-card data from the Web – and rightly so. Retailers
lost roughly $3.5 billion in e-commerce sales during 2012 due to credit
card fraud, according to payment processor CyberSource.

“If we measured fraud loss, payment fraud is three times higher online than
it is offline,” says Loc Nguyen, vice president of marketing for fraud
prevention firm Feedzai, which uses advanced machine-learning techniques to
predict payment fraud. “Online has been traditionally thought of as less
safe, but online shopping only accounts for 6 percent of spending, which
equals $343 billion out of the $4 trillion in retail purchases.”

So while online shopping may be considered less safe, offline retailers
represent a far juicier target for cyber-thieves. “Just as bank robbers rob
banks (because that’s where the money is at), professional fraud
organizations go after offline environments because that’s where the card
data are,” Nguyen says.

Historically, offline retailers have enjoyed greater protection from
cyberattacks simply because their business transactions were less connected
to the online world. But this is changing. Increasingly, the systems you
use to buy online and offline are inexorably intertwined. And that’s a
problem.

Rise of the RAM scrapers

In recent years, hackers have begun using a type of malware known as a RAM
scraper, which specifically targets brick-and-mortar retailers’
point-of-sale devices – digital cash registers, in other words. Reuters
reports that the Target and Neiman Marcus hackers likely used sophisticated
RAM scrapers to steal customers’ credit- and debit-card numbers.

RAM scrapers have been around for years, and target a payment security
standard known as PCI-DSS, which is predominantly used in the US. While
PCI-DSS requires that payment data is encrypted end-to-end, there is a
brief moment – milliseconds – after you swipe your card when the card
number and other data sit in plain-text form in the device's memory,
meaning anything running on that device could read them during that
instant. That's all hackers need to steal the payment data and copy it to
their list.
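
As an added defender-side illustration, not part of the article: the plain-text window described above is exactly what cardholder-data discovery checks look for. The script below scans a constructed byte buffer, standing in for a snapshot of a point-of-sale application's memory or a debug log, for digit runs that pass the Luhn check, and reports any hits masked. The card numbers are industry test numbers, and the buffer contents, names and the tokenized "after" snapshot are assumptions, not data from the article or from any real system.

```python
import re

# Constructed sample: what a snapshot of a hypothetical POS process might hold
# during the post-swipe window. 4111111111111111 and 5555555555554444 are
# industry test numbers, not real cards. The order id is a 16-digit decoy that
# fails the Luhn check, so a naive "any 16 digits" scan would over-report it.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00\x00"
    b"%B4111111111111111^DOE/JANE^2512101?"   # track-1 style record
    b";5555555555554444=25121011234?"          # track-2 style record
    b"\x00order_id=1234567890123456\x00"       # 16 digits, not a card number
    b"\x00total=19.99\x00"
)

# Constructed "after" snapshot: the application keeps only a masked PAN and a
# processor token, which is what the scan should look like when end-to-end
# encryption or tokenization actually covers the swipe path.
SCRUBBED_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00\x00"
    b"masked=411111******1111\x00token=tok_EXAMPLE_PLACEHOLDER\x00"
    b"\x00total=19.99\x00"
)

# Runs of 13 to 19 ASCII digits, not embedded in a longer digit run.
DIGIT_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the usual PCI display format."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_exposed_pans(memory: bytes) -> list:
    """Return masked PANs found in plain text, deduplicated, in order seen.

    A non-empty result means card data is readable at the point the snapshot
    was taken, i.e. the encryption path does not cover that moment.
    """
    found = []
    for m in DIGIT_RUN.finditer(memory):
        digits = m.group(1).decode("ascii")
        if luhn_ok(digits):
            masked = mask_pan(digits)
            if masked not in found:
                found.append(masked)
    return found


if __name__ == "__main__":
    print("post-swipe snapshot:", find_exposed_pans(SAMPLE_MEMORY))
    print("tokenized snapshot: ", find_exposed_pans(SCRUBBED_MEMORY))
```

Run the scan over a snapshot taken right after a test swipe on a lab terminal; the first constructed buffer yields two masked hits while the tokenized one yields none, which is the difference between a device where the plain-text window exists and one where the application never holds the full number.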

Using RAM scrapers makes perfect economic sense for hackers; not only can
they pilfer far more credit card numbers at a time, but the wealth of data
they obtain through a RAM scraper attack is more useful and valuable than
what they can potentially take from online transactions.

“Going after point-of-sale gives the attackers an opportunity to collect
credit card data in bulk,” says Roel Schouwenberg, Principal Security
Researcher at cybersecurity firm Kaspersky Lab. “The attackers will also be
hoping to have a higher success rate using cloned, physical cards rather
than using cards online.”

Attacking point-of-sale also makes it possible to sell those card numbers
to other criminals in a greater variety of forms, Schouwenberg says. “When
trying to resell the stolen credit card data online, the attackers may also
be able to sell into different underground markets, as the people dealing
with cloned cards are not necessarily the same people dealing with online
fraud,” he says.

Bad connection

Twice last year, in April and August, Visa issued security alerts about the
rise of RAM scrapers, warning retailers both times to separate their
payment systems from other systems to help mitigate the risks of malware
infections, and curb the amount of data that attackers could steal. But
this isn’t happening – if anything, retailers’ systems are becoming more
and more interconnected.

“Brick-and-mortar and online retailers are storing lots of information on
consumers to make shopping easier and more personal; therefore, a swipe of
a credit card at a store versus an online merchant is the same,” says Eric
Chiu, president and co-founder of cloud security firm HyTrust. “Also,
because of the density of data in today’s networks, thieves don’t just get
some data – they get it all.”

“The recent Target attack was about stealing data,” says Nguyen. “Data has
and will continue to be the digital payment industry’s most valuable
asset.” And because our offline and online shopping is becoming further
entwined, we can only assume that cybercriminals will increasingly target
both online and brick-and-mortar payment systems.

Nguyen adds, “As our lives gradually migrate onto the Internet, and
consumers continue to embrace omnichannel commerce, so too will the
criminals employing increasingly sophisticated attacks that cross channels
so the notion of a relatively safer channel is fleeting.”

The big fix

The good news in all this is that credit card fraud has fallen over the
past 20 years, “from 6.1 cents to 5.2 cents for every $100 spent,” says
Nguyen, “so we can say that, overall, our money [is] safer than it has ever
been.” Unfortunately, that’s talking percentages. During the same period,
credit card use has increased – and so has the total number of dollars
lost, from less than $2 billion annually to more than $11 billion, by
Feedzai’s count.

“As the world moves away from cash, there’s just more electronic payment
volume to be protected,” says Nguyen.

Still, $11 billion is a lot of money. And protecting that money in an
increasingly connected payment infrastructure likely requires retailers and
payment processors to swap out the PCI-DSS standard for a whole new set of
tools known as EMV.

Also called “Chip-and-PIN,” the EMV standard – named after its primary
developers, Europay, MasterCard, Visa – uses cards with embedded
microprocessors that require customers to enter a PIN to authenticate a
transaction, rather than simply scribbling their signature on a piece of
paper or digital payment pad.

In the same warnings from last year, Visa urged companies to switch away
from PCI-DSS to EMV, which has become the standard in the rest of the
world. In fact, the US is the last major PCI-DSS holdout, meaning American
customers are, according to experts, less safe than their counterparts in
Europe and elsewhere on the planet. Why the mass migration to EMV? Because
it’s much more secure – nearly four times as secure, according to PNC,
which saw fraud loss on just 0.035 percent of EMV transactions in 2008,
compared to 0.13 percent on signature-confirmed transactions during the
same period.

“In Europe, we’ve witnessed a serious ramping-up of offline attacks over
the course of the last few years. It took migrating to an EMV-only
infrastructure to significantly curb the amount of incidents,” says
Schouwenberg. “It’s plausible we’re going to see a similar pattern over
here. With EMV adoption being few and far between in the US, it would
likely take us longer to curb the amount of incidents.”

Additionally, security experts say retailers need to begin thinking about
their entire payment network as though it could be breached at any time – or
possibly already has been breached.

“Given that attackers are getting more sophisticated, all merchants need to
re-think their security model and focus on an ‘inside-out’ model of
security, which assumes the bad guys are already on the network,” says Chiu.

Last two cents

As cybercriminals wage ever more sophisticated attacks, and US retailers
scramble to institute new safeguards on their networks while migrating to
an entirely new security standard, we customers must remain vigilant about
protecting ourselves from the bad guys by watching our transaction
histories like a hawk. The transition to the EMV standard is not going to be
easy, it will take a long time to get there, and it still won't be fool-proof.
So if you're looking for a quick fix, I can offer but one reliable
suggestion: Use cash (and keep an eye out for pickpockets).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com