Bricks (Thru the Window) and Mortar (Rounds)

…or I’ve been Breached.

There was a time when people differentiated between stealing from a physical store and pilfering data from a network.  Throughout the years there have been articles talking about the safety/risks of shopping online vs. shopping at a retail outlet.  You could either get carjacked in the parking lot and have your wallet stolen on Black Friday or your browser hijacked and your digital identity stolen on Cyber Monday.  There are probably many people who exclusively shop one way or another due to their own risk assessment of each…ignoring whatever convenience, interaction, price, constraints, gratification, availability or any other perceived beneficial metric on the Franklin T-scale tied to the specific activity.

Now we’ve learned that the recent Target breach was due to malware being installed on the point of sale devices.  Wait, what?  A ‘cyber’ crime within a retail bricks environment?  Isn’t anything sacred?  Well no, and this is really not anything new.  ATMs and point of sale devices have been targets for a while due to the simple fact that they run on an operating system.  A potentially vulnerable operating system.  In 2012, thieves broke into Barnes and Noble’s keypads and grabbed a bunch of credit cards.  Subway also had its PoS devices infiltrated.  There will be more.

Online shopping has risen 300% since 2004 and continues to grow.  comScore reports that desktop sales on Black Friday grew 21% ($1.1 billion) and Cyber Monday grew 18% ($1.7 billion).  Yet, with all the mouse orders we accomplish on any given day, according to the Dept. of Commerce, it still only amounts to 6% of all U.S. retail sales.  You’d think that it would be much higher but major purchases, like automobiles for instance, are still (mostly) purchased in person.  The shift, however, will certainly grow as more people rely on mobile as a primary purchase sidekick and… as always, the bad guys are going to focus on where they can get their take.  In this interesting TED talk, security expert Mikko Hypponen says that we are more likely to be a victim of an online crime than a real world stick up.

That includes an increase of blended attacks.

We’ve seen it a thousand times – plant something on the inside and siphon from the outside; launch a network based attack as a diversion to go after the app data; do a little social engineering surveillance to become one of them; and of course the classic, knock out the guards, put on their outfits and walk in while nobody notices.

There is still much to uncover about this latest breach but I can’t help feeling that more retailers, as has been reported, will be screaming, ‘This PoS device is a PoS!’

Nice how I worked that in, huh?

ps

More Stories By Peter Silva

Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

With his telco background, he moved to Verio to focus on access and IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicagoland area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product evangelism for F5’s security line. He's also produced over 200 F5 videos and recorded over 50 audio whitepapers. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.