Comment: PIN the blame on vulnerable retailers for data breaches

There has been great advancement in recent years in the way we pay for things. In addition to credit cards, we now consider contactless, PayPal, online and even mobile payments the norm. Our credit card information has never been more readily available, and when making payments we rely on retailers' technology, whether paying in a shop or online. But few appreciate how vulnerable this technology currently is.

Sophos' 2014 Retail Security Barometer, conducted by Opinium, investigated the attitudes of 250 UK retail IT decision-makers towards cyber security and data protection. The research demonstrated that, despite being aware of the increasing cyber security risks, retailers aren't imposing the correct level of IT security or staff training. The research also identified an overconfidence in the retail sector: 87% of UK retailers said they were confident they have adequate security in place to protect customer data. However, when asked what protocols were in place, the research discovered 72% of UK retailers were not implementing the fundamental security required to safeguard business and customer data at a very basic level.

The simple way to clone a card

Some of the technology retailers use is open to some pretty basic attacks. British chip and PIN cards follow the British EMV specification; however, they remain backward compatible with the US, meaning that the magnetic stripe can also be used to make payments in places which don't support EMV or chip and PIN.

Cloning a card is simpler than you realise. It's easy to obtain a credit card reader and writer, and all an attacker needs to do is swipe the card through the machine to see all of the information on the magnetic stripe, including the credit card number, the name on the card and the expiry date. A scammer would then take an old credit card and swipe it through the same machine to write the new data onto it so that it looks fully authentic. This card could then be used to make a payment on any terminal which doesn't support EMV.

What is worrying is how easy it is for these cloned cards to be used in shops. The research found 34% of UK retailers did not have training in place to teach staff how to recognise credit card fraud. After all, how many checkout attendants would ensure the long number on the card matches the one that appears on their screen?

A cyber criminal’s prerogative

The goal of a cyber criminal is to steal large amounts of data all at once, as we saw with the famous Target breach, when cyber criminals infected point of sale (PoS) devices with malware before they even got to the retailer. PoS systems touch an unprecedented number of customers' data and many have glaring security weaknesses.

If a PoS system is running malicious code, it's relatively easy for the attacker to connect to the system through the internet. The attacker could run a simple command from the other side of the world and access a copy of the memory, which will give them all of the credit card data that has gone through that PoS without anyone knowing.

Phishing – the attackers' dream

Increasingly, cyber criminals also focus on online attacks, and at Sophos Labs we see around 30,000 new compromised websites each day. The most popular form of online attack is phishing, where a user is lured to a site which looks identical to the payment page they were expecting and convinced to input their card details. Victims reach the site either by clicking on a link in an email or by being redirected from a legitimate site, which makes it much harder to tell whether a site is real or not.

Shutting your front door but leaving your windows wide open

Often breaches are the result of incredibly simple failures of policy, training or technology and not the result of cyber criminals being particularly clever, which means more often than not breaches could be avoided. For an industry responsible for holding and safeguarding so much sensitive customer data, it's worrying to see the level of overconfidence and lack of awareness surrounding cyber security. The majority of retailers acknowledge that they rely primarily on barebones protection, such as firewalls (77%) and anti-virus (33%), which is essentially the same as shutting your front door but leaving your windows open.

It is vital retailers take on the responsibility of ensuring adequate cyber security measures are in place. Here are some basic steps retailers can take to drastically improve their security:

By ensuring these steps are taken UK retailers can safeguard customer data and protect themselves against hackers. 
