How The Target Credit Card Breach Could Have Been Avoided
By now, you’ve probably heard about the credit card data breach that occurred at Target and other retail chains over the holidays. While Target hasn’t released all the details of what happened, malware was supposedly involved and many believe the culprit was a nasty bit of software known as BlackPOS. Some are also speculating that malware similar to BlackPOS, called Reedum, was to blame.
Since the news of the breach hit, there have been many questions posed. How could this happen to Target, supposedly one of the most technically advanced retailers? Is encrypted data truly safe? Would EMV have prevented the breach? Does PCI compliance have any value?
Regardless of the questions being asked, let’s be clear about one thing: the Target breach could have been prevented and the data of your customers can be made safe. Today. With no chip-and-PIN or EMV.
First, let’s talk about antivirus. I’ve reached out to a handful of antivirus/anti-malware providers and the ones who responded (AVG, Bitdefender, and ThreatTrack Security) for this article told me that they would have detected and removed BlackPOS (Trojan.Win32.Kaptoxa). If your customers are running a Windows-based POS system, you should be selling them antivirus. In fact, offering to keep definitions up to date and ensuring all devices are protected can become a recurring revenue opportunity for you. The cost of downtime or fines from having credit card data stolen far outweighs the cost of AV and should help you successfully sell it.
But what if something new and unknown attacks? Definitions for Reedum were added to Symantec’s library on Dec. 18, 2013, possibly too late to prevent a breach at Target, assuming Reedum really was to blame. Luckily, there are still ways to ensure data security.
Policies on the local machines can prevent services from running that shouldn’t be. Heck, policies can be set to disable the installation of software, use of USB drives, etc. to make the local installation of malware next to impossible. Also, there are all sorts of basic security measures related to authentication that can be easily put in place.
Next, there’s no reason POS terminals should be able to freely access the Internet. Intelligent network design can prevent data from being sent outside the walls of your operation. “The Target incident, as well as other breaches involving POS malware would not have been possible if the POS systems had been rendered inaccessible from the external network,” says Bogdan Botezatu, senior E-threat analyst for Bitdefender. “Additionally, retailers should at least restrict outbound access from the POS in the firewall in order to prevent credit card information from being uploaded to the Internet in the case of an infection.” Firewalls and network segmentation can help prevent data from going where it shouldn’t.
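As an added illustration (not code from the article or from Bitdefender), here is the outbound restriction Botezatu describes expressed as a default-deny egress policy for a POS segment and checked against a constructed flow log; the POS subnet, the allowed destinations, and the log lines are all assumptions, with public addresses taken from documentation ranges rather than any real payment processor.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed for this example): POS terminals live on their
# own segment, and the firewall default-denies everything leaving it.
POS_NET = ipaddress.ip_network("10.20.0.0/24")

# Egress allow-list for the POS segment: (destination network, port, protocol).
# Addresses are placeholders from documentation ranges, not any real processor.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.10.5.10/32"), 53, "udp"),    # internal DNS resolver
    (ipaddress.ip_network("10.10.5.20/32"), 443, "tcp"),   # in-house POS management server
    (ipaddress.ip_network("203.0.113.0/24"), 443, "tcp"),  # payment processor gateway
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def egress_allowed(flow: Flow) -> bool:
    """Default-deny check for traffic leaving the POS segment."""
    if ipaddress.ip_address(flow.src) not in POS_NET:
        return True  # not POS-originated; outside the scope of this policy
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.dport == port and flow.proto == proto
               for net, port, proto in EGRESS_ALLOW)

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)

def denied_flows(log: str) -> list[Flow]:
    """Flows a firewall with this rule set would drop; each one is worth an alert,
    because a POS terminal has no business reaching anything else."""
    return [f for f in map(parse_flow, log.strip().splitlines())
            if not egress_allowed(f)]

# Constructed sample flow log: two legitimate flows, then two a POS host should never make
# (an outbound FTP session and an HTTPS connection to an unknown public address).
SAMPLE_LOG = """
10.20.0.15 203.0.113.7 443 tcp
10.20.0.15 10.10.5.10 53 udp
10.20.0.15 198.51.100.9 21 tcp
10.20.0.22 192.0.2.44 443 tcp
"""
```

Running `denied_flows(SAMPLE_LOG)` returns the two flows on the last lines of the log; the same allow-list translated into firewall rules is what stops card data from leaving even when the malware itself went undetected.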
Last year I was introduced to a company named PacketViper that does some cool network filtering. In simplest terms, PacketViper is a network appliance that can, with a few clicks, block access to countries or parts of countries. Think about it. Is there any good reason why a retail associate should need to access IP addresses in Russia or a Russian IP address should be accessing ports on your network? Such a device could sit on a retailer’s network and prevent people, or malicious code, from accessing countries or areas that simply shouldn’t need to be accessed.
“The key is layered security,” says Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack Security. “One application will not protect everything.”
With all these solutions in place, a store clerk who is trying to install some evil piece of code first has to figure out how to deploy the malware, then get past the antivirus running on the local terminal. If they can somehow do that, or if the malware is too new to be detected, they’d be blocked by the firewall or network segmentation when trying to access the Internet.
Recommending such products and changes to policies is the value a reseller should provide.
If you haven’t spoken to your retail customers about the Target breach, I recommend you do so immediately. You can bet that they’re reading up on the breach, have all sorts of questions and concerns, and are probably getting solicitations from other solutions providers promising to make them safe and feel secure. Next, offer to improve their data security by using antivirus tools, firewalls, and smart network design.
Step up and become the trusted adviser. Leverage the knowledge and solutions already available to make your customers’ data secure. Finally, think of security not as a one-time act, but as a recurring service you should be providing to your retail customers on an ongoing basis.