Cisco on major retail hacks: Point-of-sale hardware is the problem

Cisco says credit card data is more susceptible to interception while stored at the point-of-sale terminal, thus leaving the door open for attacks like the one on Target.


Major security breaches like those recently experienced by Target and Neiman Marcus have consumers and investors in a frenzy of questions, and likely losing faith in the safety of these brands (and others) by the minute.

Cisco's Threat Research Analysis & Communications team has published a memo with some possible answers as to just how credit card data stored in the magnetic stripes on the cards themselves could have been manipulated -- for more than 70 million people, no less.

Essentially, the point-of-sale terminals themselves are flawed, offering the frightening suggestion that the card information is valuable with or without the PINs thought to lock it down.

Cisco warned that these threats, as demonstrated by the record-breaking breach at Target that lasted for a good chunk of the holiday season, are ever present because POS solutions typically include third-party software installed on a computer/terminal.

It is here, they found, that the credit card data is more susceptible to interception, while it is stored in memory before it is encrypted and transmitted across a network.

Levi Gundert, a technical lead on Cisco's threat research team, stressed in the report that the threat to POS terminals is "real" and "will continue unabated until the technological barriers to entry are raised significantly."

Gundert continued:

If POS hardware encryption remains an unjustifiable business expense, companies should re-examine security policies to ensure that payment card data is included in the critical data category. This is data that must receive a logical and operational moat to ensure absolute detection of unauthorized access and irregular movement. There are too many ways to initially compromise the network; rather it is the internal critical data that must be identified, segmented, and monitored.

Gundert and company went into detail about taking more proactive steps in preventing such a catastrophe in the future, most of which boils down to the simple mantra of upgrading hardware and software. Such a task is admittedly difficult to maintain for smaller retailers, but one could argue that larger, public companies such as Target and Neiman Marcus have no excuse.

Nevertheless, Gundert acknowledged that "focusing exclusively on intrusion prevention is a lost cause," advising that the first reactive step is locating where the payment data has been copied.

In the case of Target, the big box store has already said it is being assisted by the U.S. Secret Service, among other law enforcement agencies.

Beyond that, however, Target has mentioned little more about the progress of the investigation, although it has been reported that the credit card data has been sold on digital black markets around the world by now.
