Many times bitten, retailers scramble to prevent another Target-like meltdown

Many times bitten, retailers scramble to prevent another Target-like meltdown

Summary: In the wake of devastating data breaches at Target and Neiman Marcus, the nation's largest retailers have launched an initiative to enhance their existing cybersecurity technologies and policies. But will it be enough?


If you were one of 120 million or more people who shopped at Target, Neiman Marcus or as many as a dozen other popular retail stores last month, there's a pretty good chance that your credit card or banking information was compromised by a highly organized band of Russian cyberthieves.

The frequency and sophistication of these retail data breaches have escalated to such a degree that last week the FBI sent leading US retailers a confidential report warning that point-of-sale malware similar to the type used to snare data from Target and Neiman Marcus registers is starting to pop up all over the place.

Beleaguered and bewildered, the Retail Industry Leaders Association (RILA) on Monday responded to the FBI edict by launching a comprehensive initiative to provide additional safeguards for customers' personal data in the "payment ecosystem."

See also: There's no hope for our payment systems

"Retailers place extremely high priority on data security and invest tremendous resources to prevent attacks, but cybercriminals are persistent and their methods of attack are increasingly sophisticated," said RILA President Sandy Kennedy. "By working together with public-private sector stakeholders, our ability to develop innovative solutions and anticipate threats will grow, enhancing our collective security and giving customers the service and peace of mind they deserve."

With POS systems connected to the internet, credit card processing and banking networks, some experts believe retailers have little chance of providing completely secure payment systems for their customers.

But RILA isn't giving up and offered up its lastest three-pronged attack on cybercrime:

First, it's forming a leaders council comprised of senior retail executives who will be charged with sharing threat information within the industry and discussing possible security solutions in a trusted forum. It will also lobby Capitol Hill to develop federal data security breach notification legislation to establish a "national baseline."

On the payments security front, RILA is advocating the elimination of the Mag-Stripe technology used on most credit and debit cards. Retailers want it phased out as soon as possible in favor of new technologies already deployed throughout the world including chip-based smart card technology and universal PIN security.

"In the event of a successful cybersecurity breach, the dynamic security features of such technology effectively prevent the use of stolen data," RILA officials said.

It also wants to forge deeper partnerships with other members of the payment cycle – banks, credit card processing firms, etc. – to collaborate on migration to near-term card security enhancements and long-term, comprehensive technologies and policies to prevent criminal activity.

Finally, the trade association believes there's an education element that needs to be improved, too. It wants to work with partners to describe to consumers exactly how data is used to provide the experience shoppers demand without compromising their privacy or financial information.

Even with these proposed improvements, retailers acknowledge that they'll likely only be able to manage the cybercrime plague rather than cure it.

"Enhanced security measures help to thwart attacks, but unfortunately some attacks have been successful and the resulting incidents have affected millions," Kennedy said.

See also:

Topics: Security, Data Management, E-Commerce


Larry Barrett is a freelance journalist and blogger who has covered the information technology and business sectors for more than 15 years.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • And this will be implemented.........

    when Hell freezes over, because it will have a negative impact on their bottom line in the short term, and long-term planning is considered to be delusional by the executives of these companies. Just make the next quarter's numbers, dammit! My bonus is riding on that!
  • Internet Stupidity

    "With POS systems connected to the internet"
    It was not a problem when POS system had their own, dial up or dedicated IDSN or T1 network directly to the payment processing system. The failure was connecting the system to a worldwide internet. There no reason why the target POS network need to be expose beyond the store and processing system. The solution is a separate network for enterprise transactions.
    • separate net

      Absolutely!! The PoS system should be on an INTRANET with NO public-facing access. It should use VPN tunnels for necessary connections.

      but that is Level 1

      while the victims are screaming about "sophisticated" attackers they carefully suppress key information. there was this note on the topic recently"
      =""Once inside the merchant's network, the hacker will install memory parser malware on the Windows based cash register system in each lane or on Back-of-the-House (BOH) servers to extract full magnetic stripe data in random access memory (RAM)." "

      once the attacker has malware into your system,.... you are "pwned" -- toast in regular terms.

      Level 2
      there are two rules to computer security:
      1. the operating system (O/S) must not allow itself to me affected (modified) by any application program that it is running.
      2. the system owners/operators must be able to control the activity (i/o and memory access) of every application program.

      merchants ought to immediately review and tighten up their PoS networks iaw Level 1 (as noted above). this they can start on TODAY.

      Level 3
      personnel can be the weak link in security. it is essential to have a separation of duties between network asdmins, o/s admins, db admins, and app analysts such that a single individual does not have enough authority to create a back-door opening to be used by hackers for an attack.

      Level 4
      a regular process of IT audit should be in place. this should audit software inventory (using CRCs and digital signatures) ,access rights, and network traffic. public facing internet traffic should be routed through a firewall so that the traffic analysis can be audited.

      Level 5
      removable media
      USB sticks, RW CDs and DVD can be used to ex-filtrate data. make sure these are available only on those parts of the net where sensitive data is not available.

      Level 6
      on call and remote access
      be sure this is only available via VPN if it is necessary to use it. best to have on-call personnel on site.
      • Advanced Smart Cards

        Level 7
        Advanced Smart Cards
        Fixing the Point of Sale Terminal (POST)

        THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

        if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

        it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

        The POST will need to be re-designed to accept customer "Smart Cards"

        The Customer Smart Card will need an on-board processor, -- with PGP

        When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

        Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

        On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

        The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

        The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

        Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
  • some fairly simple configuration changes will thwart the current threat

    No need to spend millions on new systems or switch to already debunked card chip technology.

    The technology is already there, Its really simple if you know how.
  • scary

    It's scary how many of these attacks are happening!
  • Good news from Money2020 and The Aberdeen Group

    I agree that we need new technology to "effectively prevent the use of stolen data“.

    It’s next to impossible to stop data leakage. You can’t beat it completely,”, but using Old security is like "boiling the ocean" since you are trying to “patch” all possible data paths and sensitive databases.

    New proactive security approaches are assuming that you are under attack and focus on protecting the data itself, across the entire data flow, even in computer memory.

    The highly sensitive PII data must also be protected. We know that home address and email is already used by fraudsters in the Target case.

    Money2020 is saying that "Tokenization has been a hot topic lately" and "In a tokenization scheme, even if a hacker has access to several PAN-token pairs, the tokenization algorithms should be complex enough so that no perfect translation can be reverse engineered." at .

    I also found some good news in a report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study is "Tokenization Gets Traction".

    Ulf Mattsson, CTO Protegrity.
  • "scramble" ?

    Until they strip m$ windows off every networked device like, 10 years ago, they haven't BEGUN scrambling, let alone unscrambling their virii and worm infested sieve of a "network".

    They may have moved their back-end systems off windows but their POS clients and servers are highly vulnerable- they can keep patching and upgrading and calling FBI (when they do get clued in) but they will continue to be bitten again and again.
    • You have no idea what you're talking about, GrabBoyd

      so you really shouldn't comment on things as complex as this.
      • It really isn't that complex...

        Use a piece of crap for critical infrastructure, expect crap results.

        Why do you think the financial industry switched to Linux?
        Why do you think NASA switched to Linux?
        Why do you think the Air Force switched to Linux?
        • Once again, jesse

          You have no idea what you're talking about, so you really shouldn't comment on things as complex as this.

          Now, if you really want me to burst your bubble and post you a multipage list of hacked Linux based financial industry servers, l ask that you search yourself as I can't be bothered, and don't want to be responsible for you meltdown.

          Those Linux servers really stopped Snowden, didn't they? Oops, they didn't.

          As for the Air Force? Doubt they would tell you if they had.

          You're such an easy mark, jesse, almost too easy.
  • 2 way's to avoid the problem on POS

    is to compile the source on the individual POS device. Expensive? Yes, but not costly. Anything happens with the data leaking out, you would know the source of the problem.

    I get that retailers want to be able to use the internet to transfer data but they can setup their connections to pass through a double VPN tunneling.

    I don't understand how going to a chip instead of the magnetic strip would help.
    • What use would that be?

      If the idea is that some compiler generated metadata will tell you which machine is affected, that's hardly necessary. You can grab system metadata that is immutable (such as MAC address) for that purpose.