Cisco on major retail hacks: Point-of-sale hardware is the problem

Summary: Cisco says credit card data is more susceptible to interception while stored at the point-of-sale terminal, thus leaving the door open for attacks like the one on Target.

[Image: card structure]

Major security breaches like those recently experienced by Target and Neiman Marcus have consumers and investors in a frenzy of questions, and they are likely losing faith in the safety of these brands (and others) by the minute.

Cisco's Threat Research Analysis & Communications team has published a memo with some possible answers as to just how credit card data stored in the magnetic stripes on the cards themselves could have been manipulated -- for more than 70 million people no less.

Essentially, the point-of-sale terminals themselves are flawed, which carries the frightening suggestion that the card information is valuable with or without the PINs thought to lock it down.

Cisco warned that these threats, as demonstrated by the record-breaking breach at Target that lasted for a good chunk of the holiday season, are ever present because POS solutions typically include third-party software installed on a computer/terminal.

It is here, the team found, that credit card data is more susceptible to interception: it is stored in memory before it is encrypted and transmitted across a network.

Levi Gundert, a technical lead on Cisco's threat research team, stressed in the report that the threat to POS terminals is "real" and "will continue unabated until the technological barriers to entry are raised significantly."

Gundert continued:

"If POS hardware encryption remains an unjustifiable business expense, companies should re-examine security policies to ensure that payment card data is included in the critical data category. This is data that must receive a logical and operational moat to ensure absolute detection of unauthorized access and irregular movement. There are too many ways to initially compromise the network; rather it is the internal critical data that must be identified, segmented, and monitored."

Gundert and company went into detail about taking more proactive steps in preventing such a catastrophe in the future, most of which boils down to the simple mantra of upgrading hardware and software. Such a task is admittedly difficult to maintain for smaller retailers, but one could argue that larger, public companies such as Target and Neiman Marcus have no excuse.

Nevertheless, Gundert acknowledged that "focusing exclusively on intrusion prevention is a lost cause," advising that the first reactive step is locating where the payment data has been copied.

In the case of Target, the big box store has already said it is being assisted by the U.S. Secret Service, among other law enforcement agencies.

Beyond that, however, Target has mentioned little more about the progress of the investigation, although it has been reported that the credit card data has been sold on digital black markets around the world by now.

Image via Cisco

About

Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ...