CSP Magazine

Cover Story: Hack-Proof

How to go from cyber victim to data-security top gun—and prevent criminals from stealing your $#!t

Ed Freels has a digital superhero protecting his personal data.

It’s not a Minecraft avatar or even antivirus software. It’s a series of made-up answers to what street he grew up on, his mother’s maiden name and his first pet.

Why the mental maze? Protection.

If his identity is compromised, Freels can track the hack to where he wrote those bogus answers and, more important, he can prove he was a victim of identity theft.

Freels isn’t your typical computer user. He is the director of information systems for Worcester, Mass.-based Honey Farms and is part of a growing population of specialists seeking ways to protect himself and his company, and avoid becoming the latest business to fall prey to hackers.

The victims include many of retail’s biggest and brightest brands: The Home Depot, Target, Neiman Marcus. And each day, cyber thugs are slipping into corporate servers to find credit-card numbers, sniffing out people logging into their bank accounts and bullying movie studios into yanking major releases.

But don’t give up. Freels believes retailers—as businesspeople and as individuals—can take back the Internet and move from victim to guardian with a single, defiant choice. Or as he puts it: “You’ve got to put on the black hat.”

What will it take to go from feeling helpless to being vigilant?

Looking back at last year’s alleged cyber war between North Korea and the United States over the release of the Sony movie “The Interview,” it’s obvious the sophistication of digital mayhem has hit a new high.

But as Freels and the many other data-security sources contacted for this story believe, the way to combat the hysteria is through knowledge—of key terms (see p. 28), c-store-specific vulnerabilities and plain talk about the actual threats.

And at press time, the Obama administration announced potential legislation that would regulate data-breach reporting and security on a federal level, an issue that the Republican-controlled House and Senate seem willing to back.

This is the point in the article where we might tout the most dramatic, frightening statistics regarding data breaches. But if abject fact is a motivator, then know that point-of-sale (POS) intrusions—the focus of the latest mass-media hype—were actually down in 2012-2013 vs. 2010-2011, according to New York-based Verizon, the phone carrier that also has a data-breach research and auditing branch.

“Our understanding of risk should always come back to the data, not what makes good headlines and marketing fodder,” say authors of a 2014 report from Verizon.

A more relevant form of data theft in this industry is skimming. In 2013, 87% of documented incidents affected ATMs, according to the report. Although ranked No. 2, skimming at gas pumps accounted for only 9% of recorded events that year.

With ATMs located in thousands of establishments, c-stores are simply a subset of this statistic and a fraction of the larger POS issue on the pump side. But that’s not to say they are immune. Despite the high-profile Target breach, the Verizon report still says POS intrusions “from a frequency standpoint … largely [remain] a small- and medium-business issue.”

And beyond 2014’s “breaches of the month”—Kmart, Staples and Michaels, among others—c-stores also have been victims. According to various sources, these include 7-Eleven in 2012, MAPCO and RaceTrac in 2013, and last year, Giant Eagle and Pilot Travel Centers.

Businesses in 2014 suffered 249 breaches involving 65 million records, according to San Diego-based Identity Theft Resource Center. These businesses, which include banking/credit/financial, education, government/military and medical/health care, accounted for only one-third of all breaches but almost 80% of all compromised records.

As a comparison, Identity Theft Resource Center documented 614 total breaches in 2013 vs. 761 in 2014 (up 24%), but 9% fewer compromised records.

So the news is mixed. Breaches may be up, but the amount of files stolen has fallen. And at least for smaller retailers, the potential of a major organized attack is not very likely, according to Kevin Thompson, senior analyst for Verizon Cybersecurity Research & Innovation. Sophisticated attackers, he says, crave big payoffs, and such complicated hacks require a high degree of infrastructure.

Essentially, it takes money to make money.

The Fix: Awareness as a first step. All of the headlines about POS intrusion are good, Thompson of Verizon says. Awareness is an important first step. While as an industry, skimming at ATMs and at the pump is a greater threat statistically, POS intrusion and “insider privilege misuse” are also concerns for the channel, he says.


How can hackers break into a c-store POS?

Many POS systems are basic Windows computers but with programs for touch-screen overlays, says Thompson. That POS may have a firewall, but probably a weak password. And more than likely, it’s linked to a third party with remote access.

That POS is set up for what Thompson calls a “smash and grab.” In such a scenario, organized gangs in other countries can employ a “bot-net,” or a network of rentable computers, to launch automated attacks. These attacks seek any open path into POS registers in the United States via third parties (or if the registers themselves have Internet connections with weak passwords or no firewalls), using login names and password combinations over and over again.

Often visible as thousands of failed login attempts, these attacks can succeed with very little hands-on effort, especially if passwords are simple or, worse, common defaults such as “Admin.” Once inside, thieves can upload malware and begin stealing credit-card data in the moments before they get encrypted for transmission.
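The pattern Thompson describes, a flood of failed logins against a POS remote-access service using default account names, is easy to catch in logs. The following detector is an added example, not code from the article or any vendor named in it; the log format and sample lines are constructed here, and the threshold and window are assumptions to tune per site.

```python
# Added example (not from the CSP article): flag bursts of failed logins against a
# POS remote-access service, note attempts on default account names, and flag a
# success that follows a burst (the sign a guessed password got in).
# The log line format "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>" is
# constructed for this example; map your own vendor's fields onto it.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Account names vendors commonly ship as defaults (assumed list; extend for your estate).
DEFAULT_ACCOUNTS = {"admin", "administrator", "pos", "root", "guest"}


def parse_line(line):
    ts_text, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts_text), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_bursts(lines, threshold=20, window=timedelta(minutes=5)):
    """Return, per source IP that hit the threshold, how many failures it produced,
    its peak failures inside one window, which default accounts it tried, and the
    account name (if any) that succeeded right after a burst."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    findings = {}
    for line in lines:
        ts, result, user, src = parse_line(line)
        q = recent[src]
        while q and ts - q[0] > window:       # slide the window forward
            q.popleft()
        f = findings.setdefault(src, {"failures": 0, "peak_in_window": 0,
                                      "default_accounts": set(),
                                      "success_after_burst": None})
        if result == "FAIL":
            q.append(ts)
            f["failures"] += 1
            f["peak_in_window"] = max(f["peak_in_window"], len(q))
            if user.lower() in DEFAULT_ACCOUNTS:
                f["default_accounts"].add(user)
        elif result == "SUCCESS" and len(q) >= threshold:
            f["success_after_burst"] = user   # burst, then a login worked
    return {src: f for src, f in findings.items() if f["peak_in_window"] >= threshold}


def build_sample_log():
    """Constructed sample: one bot hammering the remote-access port with default
    account names and then getting in, plus one clerk who mistypes twice."""
    t0 = datetime(2015, 1, 10, 2, 0, 0)
    users = ["Admin", "administrator", "pos", "manager"]
    lines = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()} FAIL "
             f"user={users[i % 4]} src=203.0.113.7" for i in range(40)]
    lines.append(f"{(t0 + timedelta(seconds=81)).isoformat()} SUCCESS user=Admin src=203.0.113.7")
    clerk = t0 + timedelta(hours=6)
    lines.append(f"{clerk.isoformat()} FAIL user=clerk12 src=192.168.10.20")
    lines.append(f"{(clerk + timedelta(seconds=15)).isoformat()} FAIL user=clerk12 src=192.168.10.20")
    lines.append(f"{(clerk + timedelta(seconds=30)).isoformat()} SUCCESS user=clerk12 src=192.168.10.20")
    return lines


if __name__ == "__main__":
    for src, f in detect_bursts(build_sample_log()).items():
        print(src, f)
```

The clerk's two typos stay below the threshold and are not reported; the bot's 40 failures in 78 seconds, its use of "Admin", "administrator" and "pos", and the subsequent successful "Admin" login are.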

In a 2014 white paper, Trustwave Holdings, a Chicago-based data-security firm, said, “Many POS vendors may claim that their application encrypts card-holder data at the point of swipe, and they probably believe the claim to be true.”

However, before an application can encrypt the data, it resides in a buffer in memory, Trustwave says. Malware called “memory dumpers” can get into the POS, back-office system or on the payment switch and “strike at this split-second by copying the contents of that buffer into an output file.”

Much of this activity can go undetected, in many cases because hackers design the malware specific to the POS system. And data transported out can route through a variety of computers to mask the end recipient.

POS software manufacturer The Pinnacle Corp., Arlington, Texas, says its product does not hold primary account numbers (PANs). Pinnacle COO Drew Mize describes it as “something we eliminated completely years ago.” In addition, its encryption algorithms are more complicated than the Payment Application Data Security Standard (PA-DSS) requires, which refers to Visa and MasterCard’s mandatory payment card industry (PCI) standards.

These days, some companies suggest rethinking the POS role altogether. At the NACS Show last fall, Wayne Fueling Systems, Austin, Texas, showcased a data-flow solution that puts payment processing at the fuel control box, with the POS acting as a peripheral device.

Similarly last year, San Jose, Calif.-based Verifone announced a system in which a personal-identification-number pad (or PIN pad) handled payments at the store. As Rob McMillon, vice president of product security for Verifone, explains, “[Our] device is purposeful, proprietary. It’s the difference between why a home PC has a virus but an iPad doesn’t. It’s because the hardware, software and the applications allowed to run on them are controlled and digitally signed with no easy way to install malware.”

As for its own Ruby and Sapphire POS models and its Commander site controller, Verifone is integrating the new PIN pads for compatibility. “We’re practicing what we preach,” McMillon says.

The Fix: Take a stand. The simple fact is that hackers must first get into a retailer’s POS system, says Bill Wade, senior systems analyst for PDI, Temple, Texas. So in most cases, the problem involves poor passwords and unenforced policies. “Everybody who uses a [register], computer or smartphone is potentially victim No. 1, so you ought to treat it like living in the middle of a pandemic,” Wade says. “If you get infected, you can infect everyone you have contact with.”


Hack myself? Why would I do that?

The types of measures data-security ninjas such as Wade of PDI espouse rely on testing and accountability. True data security happens when an entire organization is educated and vigilant. Wade suggests that people may prioritize data security only when individuals are found to be “patient zero,” or what he calls “the vector of intrusion.”

That’s what Freels of Honey Farms means when he talks about putting on the black hat. “How do you train a cashier unless you send in someone with a uniform and a baseball cap to say, ‘I’m here to spray for bugs’?” Freels says. “Then have that bug guy go into the back office, plug in a wireless sniffer [a device that checks for wireless messages] and walk right out. How do you train people to look for attacks unless you actually attack?”

For a few brave retailers, such an exercise has proven to be eye-opening. Jeff Williams, CFO of 70-store Tri-Star Services LLC, Nashville, Tenn., recently hired J. Stengel Consulting of Charlotte, N.C., to undertake a threat-management assessment.

Auditors looked at everything from network-related practices, such as how files were shared and which systems outside the office connected to the chain’s network, to how the company’s firewall and departments, cables and processes were segmented. They even checked to see if old login accounts from people who were terminated were still active.

At the store level, they examined Wi-Fi configurations and store security procedures. Williams describes it as a “holistic” approach that took a few months. What did they find? One big procedural mistake was allowing staff back at the home office to disable antivirus software. Staff would do it so their computers would boot up faster in the morning.

Passwords were also an issue, in some instances placed in plain view at the desktop or under keyboards, and in others being easy to guess—e.g., “123456” or “password.”

The Fix: Training and vigilance. Williams says security is a constant mindset, including IT sending out e-mails on the latest scams and strictly enforcing training for new employees.

“In this business, you have a lot of high turnover in hourly ranks,” Williams says. “Reinforcing training and putting it out there from both a safety and a security standpoint on a regular basis was a [lesson] for us.”

Tri-Star would track and follow up with employees until they were trained. “Then after, we’d periodically test them—we’ll send them a dummy e-mail. If they click on it … it will pop up and say, ‘You just made a critical security mistake,’ ” Williams says.


How much would a risk assessment cost?

Pricing in this industry can range from a few thousand dollars to tens of thousands, depending on the scope, says John Stengel, president of J. Stengel Consulting.

Scoping the main office and one or two stores could run $5,000 to $10,000. If a retailer wants a complete assessment or audit, expect the cost to climb; an approximate multiplier would be $750 per location, says Stengel.

While many retailers prefer the more economical sampling approach, this is not necessarily sufficient. Consider that the most common entry point for a breach will be an individual store, with the aim to get to the main site.

“The goal is to start there, worm their way to the main site and then go to all of the sites,” Stengel says. “All it takes is for one store to have a weakness, which is why sampling [one or two stores] doesn’t work. … If there’s one weakness at store No. 3, we didn’t catch it because we were not allowed to look there. So you have to look at the whole apple, not just a slice.”

Finally, just because your business may be safe today doesn’t seal it from invaders months from now. “These things change all the time,” says Stengel, “with new devices and threats coming in. It’s better to do smaller assessments more often than a large assessment less often.”

The Fix: Spend what you can, when you can. If money’s a concern, Stengel suggests splitting the budget. If all you have to spend is $20,000, then spend $5,000 quarterly. Spread it out with different samplings and smaller bites; don’t do it all at once, because it will eventually be invalid.


What about payment networks? What are the vulnerabilities?

The massive breaches in 2006 and 2007 of a large discount retail chain and major payment processor for merchants involved network hacking, says McMillon of Verifone. Since then, more precautions have been put in place.

But data traveling over public networks is still a risk. “Exposed data in flight between the edge of the POS and host acquirer … remains one of the most vulnerable areas for which there are still limited solutions available,” says Mize of Pinnacle.

Retailers are taking steps such as encryption—encoding data unlockable only with a key code—and tokenization, in which data becomes a random series of one-time-use numbers. But the larger issue of exposed data in flight remains, Mize says.

Acumera, Austin, Texas, a provider of secure networks, builds and manages systems that restrict traffic to what’s necessary, says chief technology officer Brett Stewart. Physically, all the electronic devices in a store can link up to a single network perimeter security device—what people would think of as a router in their homes, but for a c-store—which has to manage network connections according to PCI rules. For example, the back office can communicate only with the corporate office, the POS can communicate only with a payment processor or the back-office PC for the pricebook, and the ATM can communicate only with an ATM network.

This practice of partitioning the devices into separate local networks is called segmentation. Without segmentation, all devices are connected to each other on the same in-store network. With segmentation, an HVAC vendor with remote access to the machinery in the store can do his job, but he can’t access the POS or other systems containing sensitive data because they are on a completely different network.
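The rules Stewart lists (back office only to corporate, POS only to the processor or the pricebook PC, ATM only to the ATM network, HVAC vendor only to HVAC) amount to a default-deny allow-list enforced at the perimeter device. The evaluator below is an added example, not Acumera's or the article's code; every subnet, port and zone name in it is a constructed placeholder, and it also covers guest Wi-Fi, which the article raises separately.

```python
# Added example (not from the CSP article or Acumera): a default-deny segmentation
# policy for a c-store network. Subnets, ports and zone names are constructed.
import ipaddress

# In-store segments: each device class sits on its own subnet (constructed values).
SEGMENTS = {
    "pos":         ipaddress.ip_network("10.10.1.0/24"),
    "back_office": ipaddress.ip_network("10.10.2.0/24"),
    "atm":         ipaddress.ip_network("10.10.3.0/24"),
    "hvac":        ipaddress.ip_network("10.10.4.0/24"),
    "guest_wifi":  ipaddress.ip_network("10.10.9.0/24"),
}

# Outside parties as the perimeter device knows them (constructed values);
# "internet" is the catch-all and only wins when nothing more specific matches.
EXTERNAL = {
    "corporate":   ipaddress.ip_network("198.51.100.0/24"),
    "processor":   ipaddress.ip_network("203.0.113.0/24"),
    "atm_network": ipaddress.ip_network("192.0.2.0/24"),
    "hvac_vendor": ipaddress.ip_network("198.18.0.0/24"),
    "internet":    ipaddress.ip_network("0.0.0.0/0"),
}

# Allowed flows as (source zone, destination zone, destination port).
# Anything not listed is dropped. Port numbers are illustrative.
ALLOW = {
    ("back_office", "corporate", 443),   # back office talks only to corporate
    ("pos", "processor", 443),           # POS talks only to the payment processor ...
    ("pos", "back_office", 8443),        # ... or to the back-office PC for the pricebook
    ("atm", "atm_network", 443),         # ATM talks only to the ATM network
    ("hvac_vendor", "hvac", 22),         # vendor remote access reaches HVAC gear only
    ("guest_wifi", "internet", 80),      # public Wi-Fi gets the Internet and nothing inside
    ("guest_wifi", "internet", 443),
}


def zone_of(ip):
    """Map an address to its zone: in-store segments first, then the most
    specific external network, falling back to the Internet catch-all."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    best = None
    for name, net in EXTERNAL.items():
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0]


def permitted(src_ip, dst_ip, dst_port):
    """Default deny: a flow passes only if its zone pair and port are listed."""
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in ALLOW


def audit(flows):
    """Return the (src, dst, port) flows the policy would drop; useful for checking
    a proposed vendor connection before it is opened."""
    return [flow for flow in flows if not permitted(*flow)]


if __name__ == "__main__":
    # The HVAC vendor's own maintenance session passes; its reach into the POS does not.
    print(audit([("198.18.0.5", "10.10.4.10", 22), ("198.18.0.5", "10.10.1.10", 22)]))
```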

Segmentation and password protection are critical, especially if a store offers Wi-Fi to the public. “You can set up a network as a courtesy and give people a place to sit … and check e-mail. All of those things are great, but you’ve got good guys and bad guys,” Stewart says. “You’ve got to make sure you segment it away from critical [data] sources.”

For expense purposes, store devices often share a broadband network connection with guest Wi-Fi. The broadband network is a physical cable or cables that lead to the outside world. Stewart likens the network to a water pipe, with data being the water. That pipe could be glass or opaque.

“In the case of any device’s network connections, the connection can either be protected with encryption (i.e., opaque) or unprotected (i.e., transparent),” he says. “If you have a network that’s not protected by anything, your communications just aren’t private.”

Sophisticated breaches are another matter, and network attacks succeed through unexpected paths. Major breaches occur with tightly secured networks, says Stewart.

“There is now a prominent case where a technician went to a website he shouldn’t have at a coffee shop and got infected with a keystroke logger, then later logged onto an otherwise secure store network and typed in his password, giving the bad guys a way in. Since there was no segmentation, the bad guys had no trouble breaking into POS systems at multiple networked locations.”

Case in point is a recent break-in on the Veterans of Foreign Wars (VFW) website, says Rick Dakin, a security specialist with the auditing firm Coalfire, Louisville, Colo. “You’d ask: Why would anyone want to break into the Veterans of Foreign Wars website?” he says. “But if you think about how tight the security is at the Pentagon, you can imagine people from the military logging into the VFW website and then taking an infected system back into a secure network ... potentially with similar credentials.”

The Fix: Network knowledge and vendor confirmation. Retailers must typically trust providers to secure data or operate under strict guidelines. But asking serious security questions and having direct discussions are important steps, Dakin says.


What about mobile payment? Mobile apps? Loyalty? What are the risks?

When asked about mobile, Dakin chuckles as if Rome were burning.

“[Mobile] devices were never designed to be secure or conduct transactions over a shared network,” he says. “Do I have firewall on my smartphone or tablet? Malware protection? Logging or monitoring? Any level of advanced, persistent threat management? No.”

Acknowledging that retailers have to be nimble and responsive to the consumer, Dakin says, “It’s about asking the question, ‘How much risk am I taking into my facility?’ And then being prepared to defend against that emerging threat.”

If a retailer takes on a cloud-service provider, it should ask pointed questions about security provisions, risk management and compliance validation, Dakin says.

In the case of mobile payment, the process can introduce new elements outside of a retailer’s existing secure payment circle, Stewart of Acumera says. For example, the transaction pathway for a Quick Response (QR) code, wherein a person takes a picture of a QR code on the pump with their phone or uses geolocation to trigger the transaction, is different from the norm.

Instead of swiping a card at the pump and the authorization going through the in-store POS, the cellular link to the phone goes into the cloud and a “knock at the door” comes to the store, asking for authorization. This new “unsolicited authorization” puts elements of that transaction outside of the retailer’s control, Stewart says.

It also can present implementation challenges in that many stores do not have static IP (Internet protocol) addresses. “Most stores have dynamic IP addresses,” he says. “Carriers can charge significantly more for static addresses than dynamic ones, so historically, networks may have been built with dynamic addresses, which can make the ‘unsolicited authorization’ of mobile payments harder to do.”

“It’s important that retailers do their due diligence,” says Vladick Rikhter, CEO of Zenput, a San Francisco company that provides retailers with mobile apps. “What types of security, certificates and standards do they follow? Who has access to their data?”

Software as a service (SaaS) or “cloud” technologies “in our space, with payment and loyalty and mobile technologies, don’t necessarily simplify data security,” says Mize of Pinnacle. “It may solve some issues, yet it adds another layer that has to be considered.”

The Fix: Be prepared. Getting answers to pointed questions is a strong start. But follow-through is just as critical.

“It’s a pain to dream up a password that meets complexity rules every 45 days, but everybody is a target now,” says Wade, who is also the chairman of the technology advisory committee at Conexxus, the tech arm of NACS, Alexandria, Va. “Every website you visit can be a personal threat. It’s a huge change in mindset where the Internet was a candy store, and now it’s candy laced with PCP.”


What happens next?

Like any crawl-walk-run scenario, retailers at whatever level of technical sophistication have to start asking questions, the experts say. For Thompson of Verizon, the question is: How would you know that something bad is happening?

If someone put a skimmer on a retailer’s pump, how would he or she know? What about malware on a POS?

“Now I’m looking for the bad things,” Thompson says. “I’m going to have to [inspect] the pumps and find out what looks normal and where the seals are. Now I’m being proactive and not sitting back and waiting for law enforcement to tell me about a breach. I’ve moved out of the passive acceptor role, and I’m going to minimize these losses.”

The Fix: No magic bullet. Sorry. The experts say data security is only going to get more complex. But fear is not a solution. So breathe—and then ask another question.



Insider Privilege Misuse

Perpetrators typically come from outside an organization, but security breaches can sometimes come from within. Unfortunately, as a Verizon report states, most insider misuse occurs within the boundaries of trust necessary to perform normal duties. Because of that, these crimes are difficult to prevent. Here is an analysis of incidents tracked in 2013.

Top 10 Threats (share of incidents)

Privilege abuse: 88%
Unapproved hardware: 18%
Bribery: 16%
E-mail misuse: 11%
Data mishandling: 11%
Use of stolen credentials: 7%
Unapproved “workaround”: 5%
Theft: 4%
Unapproved software: 4%
Embezzlement: 4%

Note: Respondents could choose more than one answer.

Source: 2014 Data Breach Investigative Report, Verizon


Where Does Card Skimming Happen? (share of affected assets)

ATM: 87%
Gas terminal: 9%
Access reader (network): 2%
Personal encryption device (PED) pad: 2%
POS terminal: 2%
Backup server: 1%
Database server: 1%
Mail server: 1%
Mainframe server: 1%
Proxy server: 1%

Note: 537 instances (assets affected within card skimmers) in 2013

Source: 2014 Data Breach Investigative Report, Verizon; numbers do not add up to 100% due to rounding.


How to Deter, Identify Skimming

The biggest data-security threat facing c-stores is still skimming, says Phil Schwartz, manager of information systems for Valero Payment Services Co., San Antonio. “Most criminals aren’t looking for the hardest way to do things,” he says. “Skimming is easy. You hook up a Bluetooth device that you don’t have to retrieve, and there you go.”

Schwartz suggests ways to deter or spot skimmers:

  • Take pictures of the inside and outside of pumps so you know what the original equipment looks like.
  • Use stickers on dispensers that can tear when breached.
  • Inspect dispensers on a regular basis.
  • Jiggle card readers for any looseness.
  • Visit the Conexxus website (conexxus.org) for inspection guidelines.

A Retailer’s Story: Someone Bought a Car with My Credit Card!

For Raymond Huff, president of HJB Convenience, Lakewood, Colo., a chain of more than 20 Russell’s Convenience Stores in Colorado, California, Michigan and Hawaii, data security is not only a business challenge but a personal one as well.

You travel a lot; what differences have you seen in how other countries handle data security and payment security, compared to the United States?

The biggest change when you go to Europe from America is that the credit card never leaves your sight. If you’re at a restaurant, they bring the terminal to your table, you give them the card, and it will swipe (if swipe only), but normally they put it in and read the chip. In America, of course, it’s completely different.

You had two incidents in which items were fraudulently stolen on your Visa and AmEx cards. Can you tell us about that?

On the Visa, I was in Paris with my wife. I checked my credit-card statement and someone spent $19,000 on a used car in Utah. So I called the credit-card company. They said, “You normally do big purchases like this.” I said, “I don’t buy a car on it. Why would I be buying a car while I’m in Paris?” Visa ended up covering the charge after I signed a document to show it wasn’t mine. With AmEx, they caught someone using it for an online game, immediately canceled the card and said they were sending a new card. … In that case, it was only $200.

You’ve talked favorably about chip-and-PIN technology. Why do you prefer it?

My [identity theft] always happened when I was coming back from Europe, which means people in Europe know Americans have a problem—it’s opportunistic. All credit-card companies are very reticent to make changes, but I think they’re suffering substantial losses. I’ve had at least $19,000 charged fraudulently this year and four new cards replaced. You have to keep up with what’s next. It’s next to crazy—just put chip-and-PIN in it and be done with it.

Have you upgraded your stores?

I’ve already bought readers for chip-and-PIN cards for my stores. I have a sophisticated customer demographic because my stores are all in office buildings, so many of them have asked about chip-and-PIN or Square.

How do you handle payment cards?

The only time that card is not encrypted is while it’s being scanned—only while it’s against the reader. … We keep no credit card or consumer information anywhere on site. We let the third parties handle that.

Do you fear hackers?

We’re attacked constantly. I can look at our server and [see] we are getting three to four Java attacks. We use enterprise-level security software to track the hacking attacks. We track them all.


Tying Terms to Security

Sometimes that feeling of powerlessness over data security comes from not knowing how the pieces fit together. Here’s a quick rundown of key terms:

Antivirus Software

A program that searches computer hard drives for viruses. Simpler programs seek out known viruses, while more sophisticated ones look for behavior typical of viruses. Such software should include updates that keep up with the latest strains.

Exploit Kit

A Web application criminals can use to set up phony websites and bait people with email ploys. Once lured in, victims unknowingly download malware that could be used in data theft.

Firewall

A firewall system can be hardware, software or both. Its purpose is to prevent unauthorized access to and from a private network.

Malware

Short for malicious software, malware is a program designed to disrupt a computer system.

Whitelist

A list of e-mail senders or Internet protocol (IP) addresses that a company’s IT staff has deemed acceptable and allowed to flow into the computer network.

Cellular vs. Wi-Fi

Two categories of wireless Internet access. Cellular is everywhere, but it may be poor or nonexistent within a building and in rural locations. Wi-Fi is only within a confined area and is tied into a nearby wireless Internet source. Differences are in speed and levels of security vulnerability.

Sources: Dictionary.com, PC Magazine Encyclopedia, Verizon, Webopedia.com
