
Preventing Small-Retailer Data Breaches

NACS Show Education Session: What are the top three types of intrusions?

LAS VEGAS -- Smaller retailers are more likely to be victims of data thieves who attack the computers inside point-of-sale (POS) registers than any other intrusion, said a data-breach investigator speaking at a 2014 NACS Show technology track workshop.

Verizon NACS (CSP Daily News / Convenience Stores)

Citing its 2014 study involving about 50 data-risk assessment firms, Kevin Thompson, a risk and intelligence researcher for Verizon, New York, told a group of approximately 100 attendees that the other two highest-ranking intrusion methods targeting small retailers were card "skimming" devices and web app attacks.

Describing small retailers as having 1,000 employees or fewer, Thompson said POS intrusions occur most often in third-party desktop-sharing situations, where providers needing to access a company's computer systems can log in with approved passcodes.

In many cases of data breach, attackers try logging in as administrators, often using electronic methods to gain passwords.

"I call this assembly-line hacking," Thompson said. "Because it's a repeatable process from victim to victim, and it's something people can pay someone else to do for them."

Fortunately for smaller retailers, these incidents are typically less sophisticated "smash-and-grab" cases, unlike the breaches reported at major retailers like Minneapolis-based Target, which he described as more fully planned missions akin to an "Ocean's 11 big score."

Hoping to help ease retailer concern, Thompson provided a few recommendations to fend off potential breaches:

  • Disable remote desktop protocol. While it is less convenient to have third-party providers call for permission to get into a company's systems, Thompson countered: "I should want to have people call me [if they need] to log into mission-critical systems."
  • Electronically put firewalls around data-sensitive areas.
  • Use complex passwords.
  • Restrict "administrator" access by limiting authorized employees.
  • Restrict approved uses. So no "surfing."
  • Implement an audit process.

Often, retailers don't detect their own breaches and wait for federal authorities or even customers to inform them of such attacks, Thompson said.
