While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from one of its stores. He later found his own credit card number sitting in the retailer's systems, a serious concern.
The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry's Data Security Standards (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.
But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data held in cleartext in point-of-sale memory, where malicious software can harvest it.
The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.
So why are the data thieves winning? Security analysts say point-of-sale malware is neither new nor particularly sophisticated. Programs such as Backoff, BlackPOS and JackPOS search a computer's memory for cleartext payment card details, picking the recognizable card formats out of the surrounding jumble of data, a process known as "RAM scraping."
Merchants who handle card data are required to be PCI-DSS compliant or face liability if cardholder data leaks. But the latest security specification, PCI-DSS version 3.0, doesn't mandate that merchants use technologies that encrypt card data from the moment a card is swiped, referred to as point-to-point encryption (P2PE).
With that kind of technology the card reader encrypts the track data before it reaches the point-of-sale application, so the application's memory never holds anything a RAM scraper can use; that would eliminate the in-memory malware problem, security experts say.
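To make the two preceding points concrete, here is an added example (written for this page, not code from any of the malware named above or from a PCI product) showing what a RAM scraper looks for and why P2PE defeats it. It scans a constructed byte buffer standing in for a POS process's memory, pulls out anything shaped like a Track 2 record, and uses the Luhn check to discard numeric noise. It then shows the same scan coming up empty when the reader hands the POS application only ciphertext. The memory layout, the test PAN 4111111111111111, the reader key, and the SHA-256 counter-mode keystream standing in for the reader's real cipher (production readers use AES or TDES under DUKPT-derived keys) are all assumptions made so the example runs on the standard library.

```python
import hashlib
import re

# Constructed sample: a POS process's memory shortly after a swipe, with a
# cleartext Track 2 string sitting among unrelated data. The PAN is the
# well-known test number 4111111111111111, not a real cardholder's card.
CLEARTEXT_TRACK2 = b";4111111111111111=25121011234567890123?"
POS_MEMORY_CLEARTEXT = (
    b"\x00\x00receipt_no=0042\x00"
    + CLEARTEXT_TRACK2
    + b"\x00\x00store=0133\x00total=19.99\x00"
    + b"\xff" * 16
)

# Track 2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check. Scrapers use it to drop digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30            # bytes iterate as ints; '0' is 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """Return (PAN, expiry YYMM, service code) for every Luhn-valid Track 2 record found."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan, yy, mm, svc = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_ok(pan) and 1 <= int(mm) <= 12:
            hits.append((pan.decode(), (yy + mm).decode(), svc.decode()))
    return hits


# --- P2PE side: the reader encrypts before the POS application sees anything ---

READER_KEY = b"example-reader-key-not-real-0001"  # assumption: key injected into the reader


def reader_encrypt(track: bytes, key: bytes) -> bytes:
    """Stand-in for encryption inside a P2PE card reader.

    Real readers use AES/TDES under DUKPT keys; this SHA-256 counter-mode keystream
    (XORed with the data, so the same call also decrypts) is an assumption made
    only so the example runs with the standard library. Do not use it as a cipher.
    """
    out = bytearray()
    for block_no in range((len(track) + 31) // 32):
        keystream = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = track[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def pos_memory_with_p2pe() -> bytes:
    """Same POS memory image, but the reader delivered ciphertext; the key never left the reader."""
    return (
        b"\x00\x00receipt_no=0042\x00"
        + reader_encrypt(CLEARTEXT_TRACK2, READER_KEY)
        + b"\x00\x00store=0133\x00total=19.99\x00"
        + b"\xff" * 16
    )


if __name__ == "__main__":
    print("cleartext POS memory:", scrape_track2(POS_MEMORY_CLEARTEXT))
    print("P2PE POS memory:     ", scrape_track2(pos_memory_with_p2pe()))
```

The same regex-plus-Luhn logic is what a DLP or memory-inspection tool uses to find cleartext PANs on a terminal, so the scanner is as useful for checking your own POS image as it is for understanding the malware. Note that P2PE only helps when the decryption key stays in the reader or at the processor; a POS application that decrypts locally puts the cleartext right back in scrapable memory.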
The PCI Security Standards Council, which develops PCI-DSS, did recommend last Wednesday that merchants switch to using that kind of encryption technology.
But retailers often have long technology refresh cycles, so it could be five to seven years before most move to it. Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones who have not, said Avivah Litan, a Gartner analyst who consults with banks and card companies.
"In general, I think we are stuck with these point of sale breaches for many years," Litan said.
Retailers are also missing key signs in their network logs that they're under attack. As a result, most breaches are discovered by third parties, such as when fraud shows up on cards, said Bryan Sartin, managing director for Verizon's Risk Team, which investigates data breaches.
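One of the signs that is easy to miss is a cash register talking to a host it has no business talking to. The following added example (written for this page; it is not Verizon's method or any product's detection rule) runs a simple allow-list check over constructed firewall log lines: POS terminals are assumed to live in 10.20.0.0/24 and to need only the payment gateway and the store's back-office server, so any other destination, weighted by bytes sent, is flagged. The subnet, the two allowed destinations, the log format and the log lines themselves are all assumptions; the addresses are documentation ranges, not real hosts.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: POS terminals sit in this subnet and should only reach the
# payment gateway (203.0.113.10:443) and the back-office server (10.10.0.5:8443).
POS_SUBNET = ip_network("10.20.0.0/24")
ALLOWED_DESTS = {("203.0.113.10", 443), ("10.10.0.5", 8443)}

# Constructed firewall/proxy log in a simple space-separated layout:
# timestamp src dst dport bytes_out
SAMPLE_LOG = """\
2014-09-02T13:04:11 10.20.0.17 203.0.113.10 443 1842
2014-09-02T13:04:15 10.20.0.17 10.10.0.5 8443 512
2014-09-02T13:05:02 10.20.0.23 198.51.100.77 80 302144
2014-09-02T13:06:40 10.20.0.23 198.51.100.77 80 298771
2014-09-02T13:07:09 10.20.0.41 203.0.113.10 443 1790
2014-09-02T13:09:55 10.20.0.23 198.51.100.77 80 311002
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst, dport, bytes_out) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield ts, src, dst, int(dport), int(nbytes)


def find_suspicious_egress(log_text: str, min_bytes: int = 100_000) -> dict:
    """Flag POS hosts sending data anywhere outside the allow-list.

    Returns {(src, dst, dport): total_bytes_out} for flows whose combined upload
    meets min_bytes. A register has no reason to push hundreds of kilobytes to an
    unknown external host; that is the shape of card data leaving the store.
    """
    totals = defaultdict(int)
    for _ts, src, dst, dport, nbytes in parse_log(log_text):
        if ip_address(src) not in POS_SUBNET:
            continue                      # not a register; out of scope here
        if (dst, dport) in ALLOWED_DESTS:
            continue                      # expected traffic
        totals[(src, dst, dport)] += nbytes
    return {flow: n for flow, n in totals.items() if n >= min_bytes}


if __name__ == "__main__":
    for (src, dst, dport), n in find_suspicious_egress(SAMPLE_LOG).items():
        print(f"POS {src} sent {n} bytes to {dst}:{dport} (not on allow-list)")
```

The threshold is deliberately crude; the point is that the allow-list is short enough on a POS network that anything else is worth a ticket, which is not true of a general office network.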
Many merchants are using "1990s technology to react to modern-era cyberattacks," Sartin said.
Merchants can be fined by card companies for breaches and are on the hook to pay for forensic investigations, which for PCI-related breaches can cost upwards of US$100,000, said Nick Economidis, an underwriter with the Beazley Group, which has seen its data breach insurance business boom.