BreachExchange mailing list archives

Retailer data breach trend not likely to end soon


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Jan 2014 19:09:28 -0700

http://www.pcworld.com/article/2090839/retailer-data-breach-trend-not-likely-to-end-soon.html

Three major retail chains have recently admitted being victims of massive
data breaches that compromised sensitive data from over 100 million
customers. Sadly, though, Target, Neiman Marcus, and Michaels are just the
beginning of a trend that isn't likely to fade away any time soon.

Verizon's annual Data Breach Investigations Report (DBIR) from May of 2013
found that 24 percent of the confirmed data breaches in 2012 affected the
retail and restaurant sector, second only to the financial sector. In all,
there were 156 confirmed data breaches in the retail and food services
industries.

In all three of the recent high-profile cases, attackers were apparently
able to plant malware on point-of-sale (PoS) systems that captured card data
as transactions were processed, harvesting it from unsuspecting shoppers.
The Target breach affected as many as 110 million customers, Neiman Marcus
1.1 million, and the scope of the Michaels breach is still being
determined. There's a very good chance other retailers have been compromised
as well and just haven't discovered it yet.
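PoS malware of this kind harvests card data by scanning process memory for the
track formats written on the magnetic stripe, and a responder hunting for it
does the same thing against a memory dump. The following is an added example
(not code from the article or from any of the retailers or investigations it
mentions) of that search: it looks for track 1 and track 2 patterns in a
constructed byte buffer and keeps only candidates whose account number passes
the Luhn check, which is what separates real card data from random digit runs.
The buffer contents and the card numbers are constructed test values, not
data from any breach.

```python
import re

# Constructed sample of what a PoS process's memory might contain: a bit of
# protocol text, a track 2 record, a look-alike digit run that fails Luhn,
# and a track 1 record. Both card numbers are standard test numbers.
SAMPLE_MEMORY = (
    b"\x00\x00GET /index HTTP/1.1\r\n"
    b";4111111111111111=25121011234567890?"   # track 2: ;PAN=YYMM...
    b"\x00\x00;1234567890123456=0000?"        # 16 digits, fails Luhn
    b"\x00%B5555555555554444^DOE/JOHN^2512101?"  # track 1: %B PAN^NAME^YYMM
    b"\x00"
)

# Track 2: start sentinel ';', 13-19 digit PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\??")
# Track 1: '%B', PAN, '^', cardholder name, '^', YYMM expiry.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf):
    """Scan a memory buffer and return (track, masked_pan, expiry) for
    every Luhn-valid track 1 or track 2 record found."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        if luhn_ok(pan):
            hits.append(("track2", mask(pan), exp))
    for m in TRACK1_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(3).decode()
        if luhn_ok(pan):
            hits.append(("track1", mask(pan), exp))
    return hits


if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real process dump (for example one taken from the payment
application on a suspect register), the same function reports how much
plaintext card data was sitting in memory; a clean PoS design that encrypts
at the reader should yield no hits at all.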

"Attackers no longer spam at will," says Steve Durbin, global vice
president of Information Security Forum. "They are increasingly
targeting--learning the habits and preferences of their potential targets to
better tailor malware to the intended audience. There's little chance that
this threat will diminish, and more targeted attacks will make it difficult
to track, analyze and protect against them."

There are a few factors that combine to fuel this trend. First, credit card
data and related customer information are a goldmine for attackers. The
information can be used to clone credit cards, and the associated personal
details may be useful for additional credit fraud and identity theft.

Shoppers rarely use cash and checks these days. Most customers use a credit
or debit card to conduct transactions, which makes retail chains a prime
target for cybercrooks. Add in the low-paying jobs and high turnover at
most retail chains, and you have a higher-than-average risk that an
employee may be complicit in the attack and help plant the malware to make
some fast money.

What's the solution? More comprehensive encryption at the point of sale
would be helpful: encrypting card data in the reader at the moment of the
swipe, so that the PoS software and its memory never hold plaintext card
numbers, and keeping it encrypted while it is being transferred and when
stored on a server. None of those are a fool-proof guarantee against a data
breach, though; an attacker who controls the system that holds the keys can
still get at the data.

A better solution would be to change things from the customer side.
Implementing credit and debit cards that contain smart chips (EMV) would
prevent cybercrooks from cloning cards using just the magnetic stripe data,
since the chip produces a cryptogram tied to each individual transaction
rather than the same static data on every swipe. Even that wouldn't cut down
on credit fraud for things like online purchases that don't rely on a
physical card to swipe. In that case, the banks and credit card issuers
should consider two-factor authentication: require users to enter a PIN in
addition to the credit card data.
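The difference between the two card types comes down to replay. The block
below is an added example (not code from the article, and a simplified model
rather than the actual EMV protocol) that contrasts a magnetic-stripe
issuer, which can only check that the static track data looks right, with a
chip-card model in which the card computes an HMAC over the account number,
a per-card transaction counter, the amount and a terminal-supplied random
number. The class names, the field names and the use of HMAC-SHA256 in place
of the real card cryptogram algorithm are assumptions made for illustration;
the account number is a standard test number.

```python
import hmac
import hashlib
import secrets


class MagstripeIssuer:
    """Magnetic stripe: the card presents the same static track 2 data on
    every swipe, so a copy taken from PoS memory is indistinguishable from
    the genuine card."""

    def __init__(self, pan):
        self.pan = pan

    def authorize(self, track2):
        return track2.startswith(";" + self.pan + "=")


class ChipCard:
    """Simplified chip card: shares a key with the issuer and signs each
    transaction with an incrementing counter (ATC) and the terminal's
    unpredictable number, so no two requests are alike."""

    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def request(self, amount, unpredictable_number):
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount}|{unpredictable_number}".encode()
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number,
                "mac": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}


class ChipIssuer:
    """Issuer side: verifies the MAC and refuses any counter value it has
    already accepted, which is what defeats a replayed request."""

    def __init__(self, pan, key):
        self.pan, self.key, self.last_atc = pan, key, 0

    def authorize(self, req, expected_un):
        if req["pan"] != self.pan or req["un"] != expected_un:
            return False
        if req["atc"] <= self.last_atc:        # replayed or stale counter
            return False
        msg = f"{req['pan']}|{req['atc']}|{req['amount']}|{req['un']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False                       # amount or counter tampered
        self.last_atc = req["atc"]
        return True


def demo():
    """Run both models and return the outcome of each attack attempt."""
    pan = "4111111111111111"                   # test number, not a real card

    # Magnetic stripe: data copied from PoS memory authorizes just like the card.
    mag = MagstripeIssuer(pan)
    skimmed_track2 = ";" + pan + "=2512101?"
    magstripe_replay = mag.authorize(skimmed_track2)

    # Chip: a captured request is rejected the second time, and a request
    # with an altered amount fails the MAC check.
    key = secrets.token_bytes(16)
    card, issuer = ChipCard(pan, key), ChipIssuer(pan, key)
    un1 = secrets.randbits(32)
    req1 = card.request(1999, un1)
    chip_first_use = issuer.authorize(req1, un1)
    chip_replay = issuer.authorize(req1, un1)

    un2 = secrets.randbits(32)
    req2 = card.request(1, un2)
    forged = dict(req2, amount=500000)
    chip_tampered = issuer.authorize(forged, un2)
    chip_genuine_after_forgery = issuer.authorize(req2, un2)

    return {"magstripe_replay": magstripe_replay,
            "chip_first_use": chip_first_use,
            "chip_replay": chip_replay,
            "chip_tampered": chip_tampered,
            "chip_genuine_after_forgery": chip_genuine_after_forgery}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorized' if ok else 'declined'}")
```

The model also shows why the chip does nothing for online purchases: a
card-not-present transaction never asks the chip for a cryptogram, so the
merchant sees only the static number and expiry, exactly the data a
magnetic-stripe skimmer or a memory scraper collects.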

Granted, an attacker capable of intercepting credit card transaction data
may also be able to capture the PIN, which would negate its value in
preventing credit card fraud. However, a combined effort between retailers,
banks, and customers could significantly reduce the opportunity for data
breaches such as these.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
