How to Ward Off Cybercriminals
NATIONAL REPORT — Target Corp., Home Depot Inc., P.F. Chang's China Bistro Inc., eBay Inc., Michaels Stores, SUPERVALU Inc., JPMorgan Chase and Co., and in the convenience channel, MAPCO Express Inc. All these companies have something in common — and it's not a good thing. Each one has suffered from a cyberattack in some form in the past two years.
There were 395 reported breaches in the United States in 2014 as of July 8, a 21-percent increase compared to the same period in 2013, according to the Identity Theft Resource Center.
Clearly, data breaches are on the rise, culminating in August when a Russian group hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses. According to Hold Security, a company that specializes in data breaches, this hack attack represented the "largest breach known to date."
Breaches are on the rise because the barriers to entry are lower than ever before. In the past, hackers needed to be quite sophisticated to successfully steal data.
"Not only are there automated hacking tools," said Dwayne Melancon, chief technology officer at Portland, Ore.-based Tripwire Inc., provider of products intended to prevent cyberthreats. "But also it's because retailers have tight budgets and a false sense of security due to PCI (payment card industry) standards. But PCI requires continued vigilance and I'm not sure all retailers continuously monitor their environments for attacks."
Financial gain and the theft of intellectual property are why 85 percent of cyberattacks take place, Verizon's 2014 Data Breach Investigations Report showed. Conversely, hacking incidents done for fun or based on an ideology are near zero, the report concluded.
If a retailer such as Target, one of the largest retailers in the world, could not prevent a data breach, how can smaller convenience store chains do so?
While there is no definitive way to prevent a data breach, experts say there are several ways to ward off cybercriminals, even for c-store retailers that have limited budgets.
At the point-of-sale (POS), hackers often already know of a specific vulnerability a retailer has and attack it repeatedly. Retailers that do not have large technology budgets and have yet to implement EMV (Europay, MasterCard and Visa) guidelines still have hope of thwarting an attack, however, stated Seth Ruden, senior fraud consultant at ACI Worldwide Inc.
"It's important to default passwords, especially for remote access," he said. "If a retailer uses an application that allows them to check POS records from home or allows them to access their computer network from a remote location, it can lead to potential problems."
And it's not only the POS that can be attacked. Retailers must recognize that any network associated with the POS computer can be at risk. "So whenever possible, it's very important to separate the POS network from any other network [retailers] use that is connected to the Internet," Ruden said. "If it's possible to remove the POS computer from the external Internet, that would be very helpful."
Tripwire's Melancon believes the first thing retailers should do is be suspicious and start thinking like the cybercriminal would. He recommends taking a picture of both the pump and the POS and periodically comparing the reality to the photos.
"That forms a baseline," he said. "Has anything changed since? Does anything look like it was tampered with? That's a good place to start, and it isn't very expensive [to do]."
Poor access controls are another major problem, added Melancon. "Pay attention to who you allow to access your system and what privileges they have," he said. "Make sure anyone who has the ability to make changes to the POS or card environment is noticed any time they make a change. That means you need to basically fingerprint your system to know how it changes over time and then be able to investigate to determine if you trust that change or not."
If all else fails, an inexpensive way to reduce fraud is to reduce your points of entry, said Tim Erlin, director of security and IT risk strategist for Tripwire. Simply stated, this means reducing the number of POS terminals in-store or the number of pumps, but he acknowledged this may hurt profits, so retailers must carefully weigh this decision.
For more on how to prevent data breaches and tips on what to do if you're hacked, look in the October issue of Convenience Store News.