No Easy Fix for Point-of-Sale Security
Why is securing point-of-sale systems so hard, and what can retailers do to improve their PoS security postures?
Shoppers are surely getting nervous after a flood of credit card breaches at major retailers from Target to Home Depot that revealed vulnerabilities in point-of-sale (PoS) systems. Last month the U.S. Department of Homeland Security warned that more than 1,000 U.S. businesses were likely already infected with variants of the Backoff PoS malware, and urged all organizations, regardless of size, to check for possible infection.
Due to the volume of retail breaches already disclosed, JD Sherry, vice president of technology and solutions at Trend Micro, says more than half of the U.S. population has likely had some form of their identity compromised over the last 12 to 18 months.
There is seemingly no end to retail breaches in sight. In the past few weeks, Jimmy John's, supermarket chain Supervalu, Dairy Queen and Kmart all reported breaches resulting from problems with PoS malware.
PoS Security Tips
So what should retailers do in response? ABI Research senior analyst Monolina Sen suggests taking the following steps to secure point-of-sale systems from further attack:
- Use strong passwords (authentication mechanisms) to access PoS devices and employ antivirus tools
- Isolate the PoS production network from other networks or the Internet by deploying firewalls
- Keep point-of-sale software up to date
- Ensure only authorized applications run within PoS ecosystems
- Focus on proactive malware detection and respons
- Deploy smartcard (aka chip-card) enabled PoS terminals
- Provide end-to-end encryption starting from the point-of-swipe
- Data leakage/loss prevention solutions can also be used, and are a good idea, given that they can perform deep content inspection and contextual security analysis of transactions
Why PoS Security Is So Hard
Still, PoS security is often a moving target. Enterprise Strategy Group analyst Kyle Prigmore notes that each of the recently breached retailers had a different weakness.
"Target actually had an objectively impressive security architecture in place in terms of products, but failed to integrate their threat detection with an ability to contextualize their alerts," Prigmore says. "Home Depot had AV, but it appears they failed to update their OS/AV patches in a timely fashion."
It can be surprisingly challenging, Prigmore says, for large retail companies to solve problems with point-of-sale systems.
"It's easy for anyone to look from a distance and say, 'Retailers need to closely monitor third-party access, and they should have integrated security products and policies to enforce authentication, detect anomalies and respond to the most immediate threats while encrypting customer data before sending it offsite,'" he says. "Actually getting that done on a massive scale is a beast of an issue."
These kinds of changes "can unfortunately require a massive and expensive overhaul, which is why we usually don't see it until after a breach," Prigmore adds.
Trend Micro's Sherry says it's becoming increasingly difficult for companies just to keep everything patched and updated. "If you look at the explosion of virtualization and cloud computing, we're increasing exponentially the sheer number of devices and computing assets we're putting online, which means that as we grow in size, the opportunity for failing to keep current with patches keeps growing."
Still, Sherry says there are solutions worth exploring on the patching front. "New ways of doing this, such as virtual patching and vulnerability shielding that enables the infrastructure team to be much more fluid and dynamic with the remediation of vulnerabilities, is a key weapon that I think CIOs and chief information security officers really need to take a hard look at going forward."
Moving forward with solutions like that, however, will require vastly improved communication within organizations.
"People with security backgrounds in the organization need to be empowered to help make the right governance decisions and the right investment decisions – so CISOs need to have a direct line not only to the CEO, but also to be briefing and educating the board of directors about the latest in cyber security trends and issues and awareness," Sherry says.
Developing Secure Retail Software
Lev Lesokhin, executive vice president for strategy and market development at CAST, notes that it can be very hard, particularly in retail, to justify the expense of improving cyber security. "Retail is a tough business, margins are very thin, and unless something is absolutely necessary or is going to lead to obvious revenue, it's hard to spend money on things that may or may not bring a benefit," he says.
That's particularly true with regard to the security of a company’s own internal systems.
"You can deploy a firewall fairly quickly, you can deploy tools quickly, but when it comes to the way you build your software, that involves cultural change and new processes and education," Lesokhin says. "So I think that right now the need for better security practices in software development is fairly clear, but it's just going to take time for these organizations to catch up."
Recent research by CAST, Lesokhin says, found 91 critical input validation vulnerabilities in the average application in the retail industry. "And these are really big, complex applications that have been built for many years by many people, with a fair amount of turnover," he says. "So it’s hard to go back and find all of those issues and patch them up. It’s not something you can do at the drop of a hat."
The good news, Lesokhin says, is that security and quality are often linked.
"Most software engineers know that if you build a better system, a stronger system that's not going to crash by itself, those systems are also harder to break into," he says. "So the flip side is that, because now we’re going to see a pretty big emphasis on security, that's also going to help us elevate the overall level of quality in these systems."
EMV No Longer the Answer
ABI’s Sen says the lack of adoption of the EMV smartcard payment standard (a.k.a. chip and PIN) in the U.S. is one of the primary drivers for the repeated attacks on U.S. retailers. Still, she notes, EMV requires a significant investment, will take years to implement and won't improve security for card-not-present transactions such as online or mobile purchases.
As a result, chip and PIN alone won't be enough to protect retailers down the road. "The focus should be on developing technologies and techniques (such as end-to-end encryption and two-factor authentication) that would enable secure payment methods and protect consumers from evolving threats in the future," Sen says.
Trend Micro's Sherry says that while EMV was a good answer when it was first implemented in Europe 30 years ago, it's no longer the right answer for the U.S. "For Target to say that they're going to spend hundreds of millions of dollars, or whatever it's going to take to implement this, it’s a generation or two behind where the payment processing ecosystem is going," he says.
Mobile Payment Promise
Instead, Sherry says, the answers lies in using software-based solutions like Apple Pay, AliPay or PayPal for retail transactions. "That software-defined capability on smartphones is going to be the way transactions will be conducted in earnest in the next six to 12 months, as more and more people update to the new iOS platform, and as niche providers come in and offer services," he says.
Nicholas Percoco, vice president of strategic services at Rapid7, says there's an enormous amount of promise in a solution like that. "The technology and techniques being implemented in Apple Pay, if widely adopted, will basically render the transaction data worthless if intercepted," he says.
And CAST's Lesokhin notes that the process of implementing those types of solutions will also provide software developers with an opportunity to reevaluate security.
"Mobile payment is going to increase the amount of new development that retailers are going to have to do, and I'm hoping that they'll take the opportunity to use that new frontier of development to improve the robustness of their systems," he says.
There's one more key benefit of a mobile payment solution worth noting, Sherry says.
"At the end of the day people want less friction when they're trying to receive and pay for goods and services, and mobility is the wave of the future, so I think that's really where the market's going to be going," he says. "It's not going to be a physical credit card in your hand, whether it has chip and PIN or not."
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.