Some retail stores apparently either do not have a Chief Risk Officer or pay them no heed at all. A while back I posted a security blog entry called "A Year after TJX: Have we learned anything?" According to the recent announcement from the Department of Justice, the answer is an emphatic 'Not hardly.'
Let's look at some brief numbers.
11 people.
40 million credit card numbers.
And the number I find hardest to believe? This all happened over 5 years!
The primary method of entry into these networks? In many of the cases, an unsecured wireless network that allowed free traffic between the wireless network segment and networks which handled sensitive PCI data. Think about how many wireless-based information compromises we have seen in just 2 years!
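The flat path from the wireless segment into the PCI networks described above is exactly what a segmentation review should catch. The following added Python example (not from this post) evaluates a constructed first-match firewall policy and reports every allow rule that actually lets a wireless host reach the cardholder data environment, contrasting a flat rule set with a segmented one; all subnets, zone names and rules are hypothetical.

```python
# Added example (not the post's own code): audit a constructed, first-match
# firewall policy for paths from store Wi-Fi into the cardholder data
# environment (CDE). Every subnet, zone and rule here is hypothetical.
import ipaddress
N = ipaddress.ip_network

# Hypothetical zone map: which subnets are Wi-Fi and which hold card data.
ZONES = {"wireless": [N("10.50.0.0/16")],   # in-store Wi-Fi, reachable from the floor
         "cde": [N("10.10.0.0/24")]}        # POS back end and card-data servers

# Constructed rule set, evaluated top-down, first match wins: (src, dst, action).
FLAT_RULES = [
    ("10.50.0.0/16", "10.10.0.0/24", "allow"),  # the mistake: Wi-Fi straight into CDE
    ("10.20.0.0/24", "10.10.0.0/24", "allow"),  # corporate LAN to CDE
    ("0.0.0.0/0", "0.0.0.0/0", "deny"),
]
# Segmented version: an explicit deny placed ahead of any broad allow.
SEGMENTED_RULES = [
    ("10.50.0.0/16", "10.10.0.0/24", "deny"),
    ("10.50.0.0/16", "10.10.0.0/24", "allow"),  # now shadowed, so harmless
    ("10.20.0.0/24", "10.10.0.0/24", "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", "deny"),
]

def decide(rules, src_ip, dst_ip):
    """First-match evaluation with an implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d, action in rules:
        if src in N(s) and dst in N(d):
            return action
    return "deny"

def smaller(a, b):
    """CIDR blocks either nest or are disjoint, so their overlap is the smaller one."""
    return a if a.subnet_of(b) else b

def wireless_to_cde(rules, zones=ZONES):
    """(rule index, src host, dst host) for each allow rule that really lets a
    wireless host reach the CDE; an earlier deny that shadows it is honoured."""
    findings = []
    for i, (s, d, action) in enumerate(rules):
        if action != "allow":
            continue
        for w in zones["wireless"]:
            for c in zones["cde"]:
                if not (N(s).overlaps(w) and N(d).overlaps(c)):
                    continue
                src = next(smaller(N(s), w).hosts())  # representative pair
                dst = next(smaller(N(d), c).hosts())
                if decide(rules, str(src), str(dst)) == "allow":
                    findings.append((i, str(src), str(dst)))
    return findings
```

Running `wireless_to_cde(FLAT_RULES)` flags rule 0, while the segmented policy returns no findings because the leading deny shadows the stale allow.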
Some of the more publicized compromises:
| Date | Organization | Records Compromised |
|---|---|---|
| August 2006 | Dollar Tree | Total Compromises Unknown |
| November 2006 | IRS | 2,359 |
| January 2007 | TJ Maxx | 45,700,000 |
I am interested to see what the total cost of these compromises comes out to be for the affected retail firms, inclusive of lawsuit settlements and the like. My thinking is that there is a very comprehensive business case for security professionals to make for locking down or completely re-deploying wireless segments, particularly in locations which allow public traffic, such as malls and public retail stores.
In the case of the Dave & Buster's compromises, the physical security of several computer-based register terminals was compromised in order to install sniffing software on the endpoint, in at least 11 D&B locations. While the latter compromise is still onerous, I can at least understand the attack vector being an unrecognized vulnerability. It's something any security or risk officer should be aware of, but at least there was a physical compromise component to the attack. Computer-based terminal endpoints acting as registers for the bar, token/credit purchasing stations, and various areas of the restaurant all make for endpoints to target. This vulnerability also holds true for many other retail locations. Think of any time you have been in a retail store where one or more registers has been "open" and unlocked with no staff within 15 feet in any direction. We have all been there and seen it.
Let's hope that the retail industry does a better job of recognizing the potential for a repeat of the unattended-POS-terminal attack vector. Sadly, given the poor showing in this case, I am not as confident as I would have been before this announcement. Following TJX, the PCI standards tightened somewhat, mandating protection of wireless-connected network segments and requiring that payment information on those networks be encrypted in transit. Apparently those mandates came none too soon.
Although I have to ask: how many legacy card-reading devices are still out there? My latest cab fare, for instance, was run through an older-style reader that printed the card number, name, expiration date, etc. in clear text. How can we be sure in this world of fully electronic payment?