Under Attack
Target Corp., Home Depot Inc., P.F. Chang's China Bistro Inc., eBay Inc., Michaels Stores, SUPERVALU Inc., JPMorgan Chase and Co., and in the convenience channel, MAPCO Express Inc. All these companies have something in common, and it's not a good thing: each one has suffered a cyberattack of some form in the past two years.
There were 395 reported breaches in the United States in 2014 as of July 8, a 21-percent increase compared to the same period in 2013, according to the Identity Theft Resource Center.
Clearly, data breaches are on the rise, culminating in August when a Russian group was reported to have amassed 1.2 billion usernames and passwords belonging to more than 500 million email addresses. According to Hold Security, a company that specializes in data breaches, this represents the "largest breach known to date."
Breaches are on the rise partly because the barrier to entry has fallen. In the past, hackers needed to be quite sophisticated to successfully steal data; today, the barriers to entry are far lower than ever before.
"Not only are there automated hacking tools," said Dwayne Melancon, chief technology officer at Portland, Ore.-based Tripwire Inc., provider of products intended to prevent cyberthreats. "But also it's because retailers have tight budgets and a false sense of security due to PCI (payment card industry) standards. But PCI requires continued vigilance and I'm not sure all retailers continuously monitor their environments for attacks."
Financial gain and the theft of intellectual property are why 85 percent of cyberattacks take place, Verizon's 2014 Data Breach Investigations Report showed. Conversely, hacking incidents done for fun or based on an ideology are near zero, the report concluded.
Retailers concerned about cyberattacks coming from internal employees can take solace in the fact that only 10 percent of attacks stem from this source, although this figure did rise slightly in 2013 compared to the prior year, Verizon reported. Cashiers and end-users account for a majority of the internal attacks.
A breach is the act of stealing data; fraud is what happens once the stolen data is used for gain of some form. Once either or both take place, retailers can have a massive mess to clean up, including negative public perception and consumer lawsuits. The financial bill is large, too, with Target acknowledging it spent $148 million in its fiscal second quarter alone trying to get back on track following its cybersecurity incident.
Beyond the financial cost there is the frustration of attribution. Following a breach, holding the offending party or parties responsible for the attack is a nearly impossible process in many cases. Even if the offending party can be identified, they likely live in a country with no extradition agreement with the United States.
"The likelihood we can get local law enforcement to make an arrest is unlikely," acknowledged Seth Ruden, senior fraud consultant at ACI Worldwide Inc.
PREVENTING A BREACH
If a retailer such as Target, one of the largest retailers in the world, could not prevent a data breach, how can smaller convenience store chains do so?
While there is no definitive way to prevent a data breach, experts say there are several ways to ward off cybercriminals, even for c-store retailers that have limited budgets.
At the point-of-sale (POS), hackers often already know of a specific vulnerability a retailer has, and they attack it repeatedly. Retailers that lack large technology budgets and have yet to implement EMV (Europay, MasterCard and Visa) still have hope of thwarting an attack, however, Ruden stated.
"It's important to change default passwords, especially for remote access," he said. "If a retailer uses an application that allows them to check POS records from home or allows them to access their computer network from a remote location, it can lead to potential problems."
Nor is the POS terminal the only target. Retailers must recognize that any network connected to the POS computer is also at risk. "So whenever possible, it's very important to separate the POS network from any other network [retailers] use that is connected to the Internet," he said. "If it's possible to remove the POS computer from the external Internet, that would be very helpful."
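The segmentation Ruden describes can be expressed as a concrete firewall policy. The following nftables ruleset is an added illustration, not a configuration from the article or from any vendor; the interface names (vlan10 for the POS segment, vlan20 for back office, wlan_guest, wan0, and wg0 for a VPN) and the addresses 203.0.113.10 (payment processor) and 10.0.0.53 (internal DNS/NTP) are assumptions chosen for the example.

```nft
# Added example: isolate the POS VLAN so it can reach only the payment
# processor, and so nothing on the Internet or the store Wi-Fi can reach it.
# Interface names and addresses are assumptions for this illustration.
table inet pos_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the POS itself opened
        ct state established,related accept

        # POS VLAN -> payment processor only, and only over TLS
        iifname "vlan10" oifname "wan0" ip daddr 203.0.113.10 tcp dport 443 accept

        # POS VLAN -> internal DNS and NTP; nothing else on the LAN
        iifname "vlan10" ip daddr 10.0.0.53 udp dport { 53, 123 } accept

        # Guest Wi-Fi and the back-office LAN may never initiate into the POS VLAN
        iifname { "wlan_guest", "vlan20" } oifname "vlan10" drop

        # Remote support reaches the POS only through the VPN, never from the Internet
        iifname "wg0" oifname "vlan10" tcp dport { 3389, 5900 } accept
        iifname "wan0" oifname "vlan10" drop

        # Any other egress from the POS VLAN (a scraper phoning home, for example)
        # is logged so it can be investigated, then dropped
        iifname "vlan10" log prefix "POS-EGRESS-DENIED " drop
    }
}
```

The point of the default-drop policy plus the logged final rule is that a compromised POS trying to exfiltrate card data to anywhere other than the processor produces a log entry rather than a successful connection, which is exactly the kind of change a retailer with a small budget can still watch for.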
Tripwire's Melancon believes the first thing retailers should do is be suspicious and start thinking the way a cybercriminal would. He recommends photographing both the pump and the POS and periodically comparing the physical devices against the photos.
"That forms a baseline," he said. "Has anything changed since? Does anything look like it was tampered with? That's a good place to start, and it isn't very expensive [to do]."
Poor access controls are another major problem, added Melancon. "Pay attention to who you allow to access your system and what privileges they have," he said. "Make sure anyone who has the ability to make changes to the POS or card environment is noticed any time they make a change. That means you need to basically fingerprint your system to know how it changes over time and then be able to investigate to determine if you trust that change or not."
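Melancon's "fingerprint your system" is what a file-integrity baseline does for the software side of the POS, in the same way his photographs do for the hardware. The script below is an added example written for this page, not Tripwire's product or code from the article: it hashes the files in a POS directory, stores the result, and later reports what was added, removed or modified. The directory layout, file names and the tampering scenario in `demo()` are constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile

# File types worth fingerprinting on a POS host. A real deployment would list
# the vendor's binaries, configuration and scripts; this tuple is an assumption.
WATCHED_SUFFIXES = (".exe", ".dll", ".cfg", ".ini", ".bat", ".ps1", ".sh")


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Walk ROOT and return {relative_path: sha256} for every watched file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep this copy off the POS host, not beside it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return which files appeared, disappeared or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake POS tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/pos.exe", b"legitimate POS binary")
        _write(root, "conf/pos.ini", b"[remote]\nenabled=0\n")
        _write(root, "conf/whitelist.cfg", b"allow=203.0.113.10\n")
        _write(root, "logs/today.txt", b"not watched\n")

        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), store)

        # Simulated intrusion: the POS binary is patched, a memory scraper is
        # dropped in, and the egress whitelist is deleted.
        _write(root, "bin/pos.exe", b"legitimate POS binary + injected scraper")
        _write(root, "bin/dump.dll", b"RAM scraper")
        os.remove(os.path.join(root, "conf/whitelist.cfg"))

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each reported change is then a decision, as Melancon puts it, about whether you trust it: a new DLL that no vendor update explains, or a deleted whitelist, is the kind of change that warrants a forensic look rather than a shrug. Store the baseline somewhere the POS host cannot write to, since an attacker who owns the host can otherwise re-baseline their own changes.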
If all else fails, an inexpensive way to reduce fraud is to reduce your points of entry, said Tim Erlin, director of IT security and risk strategy at Tripwire. Simply stated, this means reducing the number of POS terminals in-store or the number of pumps, but he acknowledged this may hurt profits, so retailers must carefully weigh this decision.
A RETAILER'S APPROACH
Looking at the problem from a retailer?s view, Phil Schwartz, manager of I/S, credit cards systems and POS applications support at Valero Energy Corp., has been behind many efforts to thwart data breaches and subsequent fraud during his 19 years at the San Antonio-based company.
Retailers attempting to prevent breaches need to make sure they have security practices in place, based on the PCI framework, that secure data every day. C-store operators should go through some basic steps, Schwartz advised.
"First, you need to identify your sensitive data," he said. "We put a lot of focus on credit data, but you may have loyalty data and employee data you have gathered. Anything you don't want someone in eastern Europe to look at, you need to identify."
The second step is to figure out where the data sits and how it travels from one place to another, which gives a c-store retailer a good idea of where it is vulnerable. To obtain help ascertaining this information, c-store operators can go to Conexxus.org, which is developing a Security Instant Reporting database. Conexxus, formerly known as the Petroleum Convenience Alliance for Technology Standards (PCATS), lists convenience and petroleum websites that have been threatened in the industry.
Lastly, retailers need to implement countermeasures that prevent a threat from becoming a breach. Schwartz admits this is not an easy task, and it is not a one-time one: once a retailer has implemented countermeasures, it needs to do so again and again, he explained.
"One simple thing you can do is, if you don't need a particular [piece of data], get rid of it," he said. "For the most part, a lot of data just isn't needed. Under PCI standards, it says to get rid of particular pieces of cardholder data as soon as it's no longer serving a purpose. That's a really good idea."
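Schwartz's first step (find your sensitive data) and last step (get rid of cardholder data you no longer need) both start with knowing where primary account numbers are actually sitting, which is rarely only the payment database: receipts, logs, exports and backups collect them. The scanner below is an added example, not code from Valero or from the article. It finds 13- to 19-digit runs, tolerates the spaces and dashes people type between groups, and uses the Luhn check digit to separate real card numbers from order numbers and phone numbers; matches are returned masked to the first six and last four digits, which is what PCI DSS permits to be displayed. The sample text is constructed and uses published test card numbers.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if DIGITS (a string of 0-9) passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits):
    """Show only first six and last four, the display form PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked PANs found in TEXT, in order of appearance."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample of the kind of stray files a scan turns up. The card
# numbers are the public Visa and Mastercard test numbers, not real accounts.
SAMPLE_DUMP = """\
2014-09-08 receipt#1883 card=4111 1111 1111 1111 auth=OK
2014-09-08 loyalty member 210-555-0100 points=420
order 1234567812345678 shipped
backup note: 5500-0000-0000-0004 exp 12/16
"""


def scan_report(text=SAMPLE_DUMP):
    """Count hits per line so the owner of each file can decide what to purge."""
    return {
        lineno: hits
        for lineno, line in enumerate(text.splitlines(), start=1)
        if (hits := find_pans(line))
    }


if __name__ == "__main__":
    for lineno, hits in scan_report().items():
        print(f"line {lineno}: {', '.join(hits)}")
```

The order number on line 3 has sixteen digits but fails Luhn, and the phone number is too short, so neither is reported; the two lines that are reported are the ones where data that "isn't needed" is quietly accumulating. Run this over log directories, export folders and backup staging areas, not just the payment application, and treat every hit as a candidate for deletion or tokenization.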
EMV TO THE RESCUE?
One solution to fraud is EMV implementation. The EMV liability shift will begin one year from now. On Oct. 1, 2015, the card networks will shift liability for counterfeit-card fraud occurring at non-EMV-ready POS terminals from the card issuers to the retailers. The liability shift for fuel pumps will happen exactly two years later.
Experts agree that EMV, also referred to as chip-and-PIN or chip-and-signature, is not an end-all solution to cyberfraud, nor is it intended to be. After all, most developed countries other than the U.S. already have EMV in place, and breaches and fraud still take place.
According to Tripwire's Erlin, once current magnetic stripe cards begin to wane in the U.S., attackers will shift their focus in a "perpetual arms race to stay ahead of the other party."
But experts do agree that EMV implementation is definitely a step in the right direction in the effort to combat hack attacks, as EMV cards provide much more fraud protection than the omnipresent magnetic stripe card. As Valero's Schwartz pointed out, the chip makes an EMV-enabled card nearly impossible to counterfeit. Worries about lost and stolen cards can be counteracted by the PIN that EMV cards also support.
"So if you have chip-and-PIN, you are protected from both counterfeit and lost and stolen card fraud," said Schwartz. "But it's not designed to protect the data. It wouldn't have done anything for Target to prevent the breach. But it would have made it more difficult to monetize once [hackers] had [the data]. If you can't make money off the data, why bother stealing it?"
EMV will have the largest impact at the time of purchase, according to one Midwest convenience store retailer. "It does not help with data in flight from the stores to the banks, nor at rest," he said. "The chip stays in communication with the processing solution so the chip can be verified and changed if needed. The design and functionality of the chip is significantly more secure than the traditional magnetic stripe we use today."
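Schwartz's point (the breach still happens, but the stolen data is harder to monetize) and the Midwest retailer's point (the chip is verified on every transaction) come down to one design difference: a magnetic stripe is static data, while a chip produces a cryptogram that is bound to a per-card transaction counter and a nonce the terminal chose. The following is an added, deliberately simplified model written for this page, not the EMV specification or code from anyone quoted: real cards use derived 3DES or AES keys and the cryptogram (ARQC) covers a longer list of fields, but the replay behaviour it demonstrates is the same. The PAN is a public test number and the card key is generated at random for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values. Real EMV keys are derived per card by the issuer and
# the ARQC is a MAC over more fields; this is a simplified model of the idea.
TEST_PAN = "4111111111111111"
CARD_KEY = secrets.token_bytes(16)


class MagstripeCard:
    """Static track data: whatever the terminal reads is all the issuer sees."""

    def __init__(self, pan):
        self.track2 = f"{pan}=1612101"      # PAN=expiry+service code (constructed)

    def swipe(self):
        return self.track2


class ChipCard:
    """Each transaction gets a cryptogram over the counter and the terminal nonce."""

    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def transact(self, amount_cents, unpredictable_number):
        self.atc += 1                                   # application transaction counter
        msg = f"{self.pan}|{amount_cents}|{self.atc}|{unpredictable_number.hex()}".encode()
        arqc = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "arqc": arqc}


class Issuer:
    """Holds each card's key and the highest counter seen for it."""

    def __init__(self, keys):
        self.keys = keys
        self.last_atc = {}

    def authorize_magstripe(self, track2):
        pan = track2.split("=")[0]
        return pan in self.keys                          # nothing dynamic to verify

    def authorize_chip(self, req, terminal_un):
        key = self.keys.get(req["pan"])
        if key is None or req["un"] != terminal_un:      # nonce must be this terminal's
            return False
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False                                 # counter already used: replay
        msg = f"{req['pan']}|{req['amount']}|{req['atc']}|{req['un'].hex()}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return False                                 # wrong key: counterfeit
        self.last_atc[req["pan"]] = req["atc"]
        return True


def scenario():
    """Attacker harvests card data from a compromised POS and reuses it elsewhere."""
    issuer = Issuer({TEST_PAN: CARD_KEY})
    results = {}

    # 1. Magstripe: the captured track replays successfully at another terminal.
    stolen_track = MagstripeCard(TEST_PAN).swipe()
    results["magstripe_replay"] = issuer.authorize_magstripe(stolen_track)

    # 2. Chip: the genuine transaction authorizes ...
    card = ChipCard(TEST_PAN, CARD_KEY)
    un1 = secrets.token_bytes(4)
    captured = card.transact(1999, un1)
    results["genuine_chip"] = issuer.authorize_chip(captured, un1)

    # ... the captured cryptogram fails at a second terminal with a fresh nonce ...
    un2 = secrets.token_bytes(4)
    results["chip_replay"] = issuer.authorize_chip(captured, un2)

    # ... and without the card key a cryptogram for a new transaction cannot be forged.
    forged = dict(captured, atc=captured["atc"] + 1, un=un2, arqc=secrets.token_bytes(8))
    results["chip_forgery"] = issuer.authorize_chip(forged, un2)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:17s} -> {'authorized' if ok else 'declined'}")
```

This is the whole of Schwartz's argument in executable form: the scraper on the compromised POS captures the same bytes in both cases, but only the magstripe bytes are worth anything at a second terminal. It is also why EMV is not an end-all, as the experts above note: the PAN and expiry are still in the captured data, and they remain usable for card-not-present fraud, which is where fraud in other EMV markets migrated.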
Before c-store retailers switch to EMV-capable devices, they need to accept that it comes with one drawback: a high cost. According to some experts, implementation may carry a five-figure price tag, depending on the size of the retailer, a cost that is perhaps too hard to swallow for smaller c-store operators.
Paul McMeekin, manager of business intelligence and market research at ACI Worldwide, agrees the cost is high to upgrade the POS, so c-store retailers must weigh the pros and cons.
"If you own 10 or 15 stores, it's a tough decision to make financially, especially if you just upgraded your POS a couple of years ago," McMeekin said. "But you don't want to be left behind as the guy who is 'holding' the fraud. In the mind of the cybercriminal, retailers that don't upgrade to EMV-ready devices [on or near Oct. 1, 2015] will be seen as the weak link in the chain."
The majority of the cost is associated with the purchase and installation of the compliant devices such as PIN pads and fuel dispensers. "This cost has to be compared to the cost associated with the liability shift," noted the Midwest c-store retailer. "Any additional cost could be associated to hiring consulting firms to assist with education and the EMV certification process. Many experts are stating the certification process is going to be very detailed and time consuming."
However, Rob Nathan, chief technology officer at payments technology provider CardConnect, said the cost to upgrade to EMV isn't as "devastatingly expensive" as some believe. The best approach is to purchase hardware that is EMV-ready and provides point-to-point encryption (P2PE), along with software that handles tokenization for any storage of card data, he said.
"An ultra-secure P2PE and EMV reader costs $300 to $400," said Nathan. "Obviously, that adds up for a multi-location retailer with multiple checkouts in each store. But the retailer has to know it has flexibility. One simple option to mitigate the upfront cost is to rent the hardware."
Whether retailers will actually switch to EMV-ready devices en masse during the next 12 months, before the liability shift takes place, is still in question.
"The banks have started moving along and have issued EMV credit and debit cards this year," said McMeekin. "That suggests retailers may begin to move along that haven't already done so."
The Payments Security Task Force revealed in August that a group of nine major banks it surveyed expect to issue more than 575 million EMV cards combined to customers in 2015.
IF YOU GET HACKED
No matter what efforts a retailer takes to prevent cyberfraud, breaches will still occur. If one takes place, from a public relations standpoint, retailers must make sure the message gets out quickly and reaches the masses, advised McMeekin.
"As a consumer, we live in a world where this type of thing is going to happen and you want to be informed and have the information as quickly as possible," he said. "It's easiest to get the pain out of the way quickly and start to make corrective actions."
If possible, retailers should be the first to break the news about the breach, communicate their plan for immediate action and let the public know they are not sitting idle, added Mike Starosciak, CardConnect?s head of marketing.
"Be prepared to respond to the flood of questions you will soon get from customers," Starosciak said. "Set up a page on your website dedicated to breach updates, and ensure your customer service team is prepared to deal with the influx of requests. And don't forget about social media; respond to users quickly, directing them to your website or customer service line."
From a technological standpoint, Ruden said that if a breach occurs, retailers should immediately alert their acquiring processor and their POS vendor. "It's very important to have a detailed forensic analysis. Plenty of organizations specialize in this," he concluded. "They are the ones that make sure you don't have a repeat occurrence, which is absolutely critical. Frequently, I've seen merchants get breached and then six weeks later, it happens again because the POS wasn't thoroughly and correctly investigated."