The first weeks of 2014 seemed to bring reports of new data breaches affecting retailers in the United States on nearly a weekly basis. Target, Neiman Marcus, Michaels and White Lodging (operator of several different hotel franchises) all reported data breaches or investigations into possible data breaches.
A key point in common among these reports: customer credit and debit card information was stolen, and the point of theft was the retailers’ point of sale (POS) systems. This is no accident and represents a fundamental shift in the security of the retail experience. Back in the early days of e-commerce, people would talk about how they wouldn’t shop online because it “wasn’t secure.” This wave of retail data breaches shows that attackers now view in-store systems as more vulnerable than online shopping systems. The Target and other retail data breaches are a tipping point marking when many of us stopped saying that shopping online isn’t safe and started saying instead that shopping in stores isn’t safe.
That we’ve hit this tipping point isn’t actually surprising. When we look at where retailers have been investing their money in technology and security these past few years, the focus has overwhelmingly been around online shopping and securing it. With the exponential growth of Amazon over the past fifteen years or so, all major retailers have felt the need to build and maintain a competitive online shopping experience. And those security concerns that made people wary about online shopping had to be successfully addressed to attract those potential shoppers. When we look at the fifteen years from 1999 until now, we’ve seen an unprecedented build-up in online shopping and the security needed to make the experience secure enough to instill confidence.
During this same period, though, we haven’t seen the same kind of growth around the security of retailers’ in-store networks and point of sale systems. While retailers have upgraded their point of sale systems over the years, the fact is that many point of sale systems in use today are older systems, many running Windows XP or other older versions of Windows and Windows Embedded. And most, if not all, point of sale systems lack very basic physical security protections. You don’t see the same aggressive focus on having the latest, most secure hardware and software on in-store systems that you do for the online shopping systems.
This also reflects a common bias in how companies approach security. Many companies take a much stronger security stance with their online properties than they do with their internal networks. Unfortunately the “we’re protected, we’ve got a firewall” mentality still prevails. Even though in-store networks are Internet-connected, they’re viewed as somehow better protected and less in need of advanced security than “Internet” systems (i.e. online commerce systems).
While these trends have been developing for years, they have come together now to create the situation we’re seeing today. In-store point of sale systems are being systematically targeted by sophisticated attackers because they are the weak point in these retailers’ electronic commerce infrastructure.
With this in mind, the question now is, what are retailers and credit card companies going to do and how quickly will they do it? Target has said that they’ll move to support so-called “smart cards” (also known popularly as “chip and PIN”). These are widely used in Europe and elsewhere outside the U.S. Visa and MasterCard have said they want the US to switch over to smart cards broadly by October 2015. That will help thwart these kinds of attacks, but that’s a long way out given how quickly events seem to be moving. And chip and PIN isn’t a panacea: these cards are harder to compromise than “swipe and sign” cards, but they can still be compromised (typically by coordinating the capture of the data on the magnetic stripe with a video capture of the cardholder entering their PIN). And we have every reason to expect that sophisticated attackers will make cracking “chip and PIN” a priority when the low-hanging fruit of “swipe and sign” goes away. In that regard it’s important to remember that chip and PIN isn’t new technology. It has been around since 2002. It’s only new to the US.
So while retailers move to try and close the security gap between their online and their in-store shopping, I think we will still see a significant enough gap between those two experiences that online shopping will still be inherently more secure for the foreseeable future. In a way this is also expected: it’s easier to fortify and protect a single location than many locations. There’s a reason the United States concentrates its gold reserves in Fort Knox and the United Kingdom the Crown Jewels in the Tower of London. Looking much further down the road, it’s possible that this is the beginning of the end of retail point of sale systems entirely: retailers may one day carry this to its logical conclusion and run in-store purchases through their online commerce sites.
Whatever comes of this, though, it’s clear that these events constitute a tipping point for security and the retail industry. It marks the clear sign that online commerce is no longer the child to in-store shopping from a security point of view. Like many successful children when grown, it has surpassed its parent and is forging ahead on its own, in new directions.
Christopher Budd works for Trend Micro, focusing on communications in the areas of online security and privacy, incident response, and crisis communications. Prior to that, he was an independent consultant and before that a ten-year veteran of the Microsoft Security Response Center (MSRC). He combines his prior career as an engineer with his communications expertise to help bridge the gap between the technical and communications realms. Follow him on his personal blog or on Twitter @christopherbudd.