Cisco on major retail hacks: Point-of-sale hardware is the problem

Summary: Cisco says credit card data is more susceptible to interception while stored at the point-of-sale terminal, thus leaving the door open for attacks like the one on Target.

Major security breaches like those experienced by Target and Neiman Marcus recently have consumers and investors in a frenzy with questions, likely losing faith in the safety of these brands (and others) by the minute.

Cisco's Threat Research Analysis & Communications team has published a memo with some possible answers as to just how credit card data stored in the magnetic stripes on the cards themselves could have been manipulated -- for more than 70 million people, no less.

Essentially, the point-of-sale terminals themselves are flawed, which carries the frightening implication that the card data is valuable to attackers with or without the PINs thought to lock it down.

Cisco warned that these threats, as demonstrated by the record-breaking breach at Target that lasted for a good chunk of the holiday season, are ever present because POS solutions typically include third-party software installed on a computer/terminal.

It is here, Cisco found, that the credit card data is most susceptible to interception: while it sits in memory before it is encrypted and transmitted across the network.

Levi Gundert, a technical lead on Cisco's threat research team, stressed in the report that the threat to POS terminals is "real" and "will continue unabated until the technological barriers to entry are raised significantly."

Gundert continued:

If POS hardware encryption remains an unjustifiable business expense, companies should re-examine security policies to ensure that payment card data is included in the critical data category. This is data that must receive a logical and operational moat to ensure absolute detection of unauthorized access and irregular movement. There are too many ways to initially compromise the network; rather it is the internal critical data that must be identified, segmented, and monitored.

Gundert and company went into detail about taking more proactive steps in preventing such a catastrophe in the future, most of which boils down to the simple mantra of upgrading hardware and software. Such a task is admittedly difficult to maintain for smaller retailers, but one could argue that larger, public companies such as Target and Neiman Marcus have no excuse.

Nevertheless, Gundert acknowledged that "focusing exclusively on intrusion prevention is a lost cause," advising that the first reactive step is locating where the payment data has been copied.
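Gundert's first reactive step, locating where payment data has been copied, comes down to looking for card data in places it should not be. The following Python is an added example, not Cisco's code or anything from the report: it scans a few constructed buffers (the PANs 4111 1111 1111 1111 and 5555 5555 5555 4444 are published test numbers, not real accounts) for track-2 records and Luhn-valid card numbers and reports masked hits. The buffer names and the two regular expressions are my own assumptions about what such a sweep would look for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample buffers standing in for data a POS host might hold in memory
# or on disk before encryption. The card numbers are published test numbers.
SAMPLE_BUFFERS: Dict[str, bytes] = {
    "receipt.log": b"order 4471 total 19.99 cashier 12 lane 3",
    "swipe.tmp": b";4111111111111111=2512101123400001?",   # track-2 shaped record
    "notes.txt": b"ref 4111 1111 1111 1112 is not a card (Luhn check fails)",
    "export.csv": b"5555555555554444,2026-01,Smith",
}

# Track 2 as written to the magnetic stripe: ';' PAN '=' YYMM ... '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so a finding can be reported without re-exposing the PAN."""
    return "****" + pan[-4:]


def scan_buffers(buffers: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (buffer name, kind, masked PAN) for every card number found.

    Track-2 records are reported first; a PAN already seen as track data is not
    reported a second time as a bare number.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, raw in buffers.items():
        text = raw.decode("latin-1")
        seen = set()
        for m in TRACK2_RE.finditer(text):
            pan = m.group(1)
            if luhn_ok(pan) and pan not in seen:
                seen.add(pan)
                findings.append((name, "track2", mask(pan)))
        for m in PAN_RE.finditer(text):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan) and pan not in seen:
                seen.add(pan)
                findings.append((name, "pan", mask(pan)))
    return findings


if __name__ == "__main__":
    for name, kind, masked in scan_buffers(SAMPLE_BUFFERS):
        print(f"{name}: {kind} {masked}")
```

The Luhn check is what keeps the sweep from drowning in false positives: order numbers, phone numbers and the discretionary data after the expiry date in a track-2 record are digit runs of similar length, and only the checksum separates them from a real PAN.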

In the case of Target, the big box store has already said it is being assisted by the U.S. Secret Service, among other law enforcement agencies.

Beyond that, however, Target has mentioned little more about the progress of the investigation, although it has been reported that the credit card data has been sold on digital black markets around the world by now.

Image via Cisco

Talkback

4 comments
  • All U.S. credit cards suffer from the classic "replay attack" vulnerability

    While I find the information in this article interesting, the real story is that payment card fraud could be all but eliminated, if the issuing banks were to embrace technology that has existed for several (7+?) years. Just one of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant.

    One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change. This is not entirely true.

    Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode the one-time-use card number onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.
    A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

    Again- whether or not card data is stored at the POS terminal is irrelevant, if the data itself (the card number) is changing with every transaction.

    See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
    Here: http://bit.ly/19fbXKb (last archived by archive.org on Oct. 1st, 2013).

    The single most frightening thing anyone could say that should be the catalyst for the card industry to move toward changing the 1950's card technology that we currently endure is "I'm just going to pay cash and stop using credit cards". Of course that'll never happen and as long as everyone continues to believe the myth that "all we can do" is to cancel compromised cards and pay extra for "account monitoring", recover from identity theft best we can, yada, yada, yada.

    The news story that consumers should be hearing is that card skimming fraud could have been eliminated years ago. I believe any merchants that get compromised, are also victims themselves, victims of our current card technology that hasn't evolved significantly since it was first introduced in the 1950's.

    Target, Neiman Marcus, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) responsible.
    johnlindemann@...
  • Move CC processing to stand-alone terminals

    The only safe course is to never let the card data touch a hackable general-purpose OS like Windows. It's better to equip each salesperson with a stand-alone CC terminal that runs its own protected, non-Internet-connected software and encrypts the card data end-to-end from its swiper or keypad to the processor. The salesperson then just enters "Paid" on the POS station (and maybe the card's last four digits). It goes without saying that this data should also not be stored by the retailer -- it can't be stored anyway if processed this way.
    Salespeople won't like the slight added complexity, and not being able to look up card data for later re-use. But they also wouldn't like the draconian lock-down that would have to be applied to their workstation to keep it even halfway protected against malware.
    jirving@...
    • That's untenable.

      That's like using the old credit card machines- The old school compression method, where the card is imprinted on paper. How would you process a return if you did that? And how else would you be able to process the order? Most of the merchant providers run the card via the Internet, and then serve up a response: Approved, Insufficient Funds, Card not valid, etc. Work in retail in a big box store for a week, and you'll understand why your idea isn't valid.
      Highlord Fox
      • Returns, etc. can be processed...

        My bank offers a service called "Virtual Account Numbers" which is the software equivalent of the concept I mentioned earlier.
        My "real" card account is used to generate the one-time-use card numbers, and I'm billed the exact same way as if I had used my "physical" card.

        Another benefit is that once a merchant runs the approval using the software-generated card number, that merchant is the only merchant that can ever use that number. So, it's "wide open" to be used by any merchant immediately after being generated... until the first merchant attempts approval, then it's 'locked-in' to that merchant.
        From then on, that merchant is able to credit my account in the event I return the product, or continue to charge [that] number until the dollar amount is reached (which I can set), or I "close" that number.

        I don't care whether or not the merchant stores a 'generated' number, since I retain control over it -something that's not possible if my 'physical' card number is used (aside from calling my bank and having the merchant's charge reversed, etc.).
        It's also secure, since anyone who managed to 'hack' or 'skim' my 'generated' number- can't use it. Only the original or first merchant can ever use that number.

        It works brilliantly and I've been enjoying this service for years.
        If this [software] technology were to be built into a physical card, and Dynamics Inc.'s mag-stripe technology were used to encode the one-time-use number onto the back of the card, many if not all of the problems we see today with our antiquated card processing systems could be mitigated (if not all but eliminated).

        The hundreds of thousands of existing classic mag-stripe readers/POS terminals don't need to change overnight to support this. The card issuing banks, however, do need to start giving consumers a product that is inherently more secure and stop kicking the problem down the road and pushing the costs onto merchants & consumers.
        johnlindemann@...
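The one-time-use numbers in the first comment and the "Virtual Account Numbers" lifecycle in the reply above describe the same control: a generated number that any merchant may present once, that locks to the first merchant whose authorization is approved, that the merchant can then charge up to a cardholder-set cap or credit for a return, and that the cardholder can close. The Python below is an added example that models that lifecycle as a small state machine; it is not code from the commenter's bank, from Dynamics Inc., or from the article, and the card number, account id, merchant names and amounts are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VirtualNumber:
    """A one-time-use card number issued against a real account.

    Lifecycle as the commenter describes it: open to any merchant until the first
    approval, then locked to that merchant, who can charge up to the cardholder's
    cap or credit the account, until the cardholder closes the number.
    """
    number: str                       # constructed sample value, not a real PAN
    real_account: str                 # underlying account the bank settles against
    cap_cents: int                    # cardholder-set spending limit
    merchant: Optional[str] = None    # set by the first approved authorization
    charged_cents: int = 0
    closed: bool = False
    history: List[Tuple[str, str, int]] = field(default_factory=list)

    def authorize(self, merchant: str, amount_cents: int) -> str:
        if self.closed:
            return "declined: number closed"
        if self.merchant is None:
            self.merchant = merchant                 # first use locks in the merchant
        elif merchant != self.merchant:
            # a skimmed or stolen copy presented by anyone else is useless
            return f"declined: locked to {self.merchant}"
        if self.charged_cents + amount_cents > self.cap_cents:
            return "declined: over cap"
        self.charged_cents += amount_cents
        self.history.append(("charge", merchant, amount_cents))
        return "approved"

    def credit(self, merchant: str, amount_cents: int) -> str:
        """Refund by the locked-in merchant, e.g. for a returned product."""
        if self.closed:
            return "declined: number closed"
        if merchant != self.merchant:
            return "declined: not the originating merchant"
        if amount_cents > self.charged_cents:
            return "declined: credit exceeds charges"
        self.charged_cents -= amount_cents
        self.history.append(("credit", merchant, amount_cents))
        return "approved"

    def close(self) -> None:
        """Cardholder retires the number; nothing further is accepted on it."""
        self.closed = True


def walkthrough() -> List[str]:
    """Run the scenario from the comment thread and return each outcome in order."""
    vn = VirtualNumber(number="4000-0000-0000-0002", real_account="acct-123", cap_cents=15000)
    results = [
        vn.authorize("Store A", 4999),          # first approval: locks to Store A
        vn.authorize("Other Shop", 100),        # the same number presented elsewhere
        vn.authorize("Store A", 12000),         # would exceed the $150 cap
        vn.credit("Store A", 4999),             # product returned
        vn.authorize("Store A", 12000),         # now fits under the cap
    ]
    vn.close()
    results.append(vn.authorize("Store A", 100))   # closed by the cardholder
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(walkthrough(), 1):
        print(f"step {step}: {outcome}")
```

The point the reply makes is visible in the second result: the number is accepted only from the merchant that first used it, so storing it at the POS (the concern of the article) or copying it out of memory gains an attacker nothing usable at any other merchant.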