Is the IT industry to blame for the success of Point-of-Sale malware?

Is the IT industry to blame for the success of Point-of-Sale malware?
Is the IT industry to blame for the success of Point-of-Sale malware?

Eddie Bauer is the latest in an alarmingly long, and growing, list of data breach victims for whom 'point-of-sale' and 'malware' shall forever trigger the night terrors.  The US-based outdoor clothing retailer saw its in-store point-of-sale (PoS) system infected for six-months, during which time payment card information may have been accessed.

Quite rightly, organisations such as Eddie Bauer will suffer brand damage if security is found to be lacking. But what about the reputation of the IT security industry itself in the wake of these successful PoS attacks?

Should the IT security industry be looking inwards at itself and asking if the available solutions are too expensive, too complex or there's another reason that successful PoS attacks are becoming so commonplace? Stephen Gates, chief research intelligence analyst at NSFOCUS told SCMagazineUK.com that "most manufacturers fail to realise how vulnerable their PoS systems are" and in addition "few cybersecurity vendors build technology specifically designed to protect these systems."

Chester Wisniewski, principal research scientist at Sophos is also looking at the PoS vendors who, he says, “rather than making the effort to secure PoS terminals and software correctly, simply ignore the problem and let merchants become the victims.” The vendors who manage and sell terminals often “haven't bothered to take known precautions to protect merchants for more than 20 years” Wisniewski insists “like using long, complex, unique passwords and protecting their own methods of accessing their customers' systems.”

There's no denying that organisations must take it on the chin and enforce access, authorisation and accounting when it comes to employees accessing internal systems. The thing is, it's not just employees they have to worry about. Most PoS attacks, including the recent Wendy's attack, start with a compromised third-party account.

“In the case of Wendy's, and many others, their PoS machines are maintained by a third-party specialist company” says Centrify security strategist, Chris Webber, who continues “these third-party accounts are juicy targets for attackers, as they have direct access from across the Internet into the heart of the credit card information system.”

So why aren't these obvious points of entry being properly protected? “One of the problems in retail IT is that retailers often have multiple service providers and suppliers to coordinate” warns Kevin Burns, head of solution architecture at Vodat International, “and often lose sight of who can access what.”

While there is, as Jens Monrad, principle systems engineer at FireEye admits “a lack of visibility and control in the connection between enterprise infrastructure and payment environment” in many of these breaches, for every company that falls victim to a breach "there are hundreds of others who successfully keep the attackers at bay” as Netwrix CEO Michael Fimin says. “The industry has delivered plenty of technology capable of providing the necessary level of protection for companies” Fimin concludes. So why is it not being used, or at least not being used right across retail?

Travis Smith, senior security research engineer at Tripwire, reckons “locking down point of sale networks can be easier said than done” and that “retailers may not have an appetite” for migrating to a segregated network in today's competitive marketplace.

While Liviu Arsene, senior e-threat analyst at Bitdefender, thinks that “sometimes it's just a matter of policy, security best practice, and employees being sufficiently security-savvy” that's the problem.

Chris Strand, senior director, compliance and governance programmes, Carbon Black meanwhile does blame "the complexity of PoS networks” as well as “the business role that PoS systems play in the business model" when it comes to creating barriers to successful security solution entry.

In the US, where we are seeing most of these PoS attacks, cost is front and centre. The US trails Europe with the adoption of chip and pin systems, and retailers are having to shoulder the primary responsibility (and cost) for speeding this up. They also face “significant costs in terms of replacing hardware, training staff and educating consumers” according to Fortunato Guarino, cyber-crime and data protection advisor with Guidance Software.

Dr Graham Shaw, senior R&D analyst at Nettitude concludes that “so far as the security industry is concerned it is unlikely that a silver bullet will ever be available, and especially not one that can be retrofitted onto systems that were not developed with security in mind.” What can be done is to encourage companies to engage with security specialists – whether external or internal – to ensure risks and mitigations are presented in a way that can be realistically balanced against other business drivers, in a manner that allows a sound business case to be constructed.