Another day, another breach, or so it seems.
Both Target and Neiman Marcus have been victims of large scale compromise of customer data, including credit card data:
Aside from the large size of these compromises — tens of millions of payment card numbres — is the fact that they seem to have been carried off in the physical retail environment.
For a long time, the pattern of breaches we see reported in the press has been compromises of web sites or back office operations, and consumers have probably come to believe that if they were at risk at all (probably not many worry about this, given the volume of online purchases), they were at risk when shopping on-line but not in person.
The reality, however, is that a lot of fraud and identity theft happens in the physical world. Low tech attacks include “dumpster diving” to get personal information (discarded bank statements and the like), telephone based “social engineering” attacks (I call your bank or a retailer and pretend to be you) and in-person attacks (I visit the bank and try to impersonate you or I use a stolen truck to literally break off and haul away an entire ATM).
Now we are seeing mixed attacks. Point of sale systems are under attack, but sophisticated IT technology (such as RAM scrapers and code that sends home stolen data) are used as well.
This means that corporations have a much larger physical perimeter to protect — including their retail operations and “road warrior” users. However, the defenses have not really changed. They begin with physical security. In this case, that means hardened devices and locked server rooms, including in the retail world. Electronic defenses are the same as they have been for years — Encrypt filesystems, authenticate/authorize/audit both regular and privileged users, encrypt storage and transmission, deploy and maintain anti-malware and patches, etc.
The payment card industry actually has excellent standards for this stuff. “Payment Card Industry, Data Security Standards V2” (PCI-DSSv2) is clear, reasonable and explit:
One would hope that these retailers, and anyone else that touches credit card data, actually complies with these standards.
For those that need help, we do offer some assistance:
- Hitachi ID Privileged Access Manager to secure access to root, admin, DBA and service accounts.
- Hitachi ID Identity Manager to ensure users get appropriate access rights and have that access deactivated promptly and reliably when they leave the organization (a big deal in retail!)
- Hitachi ID Password Manager to securely and efficiently manage corporate credentials, lowering the risk of a user’s (weak) password being compromised and that user’s access then being abused.
The bad guys have upped their game. The good guys must follow suit.