Security / Fraud
Subway Hit By Ultimate Cyberthief Inside Job: A Double-Insider

March 19th, 2013
A federal indictment unsealed on Friday (March 15) involving a Subway cyberthief attack might be an example of the ultimate insider attack. The thefts were actually double-insider attacks, in that one of the accused was a former franchisee of Subway—an employee is the typical insider attack, but an owner also qualifies—and he then ran a POS company that sold systems to Subway franchisees. A vendor using a backdoor is the other common form of insider attack. Here, the government alleges, we have both.

The case against Shahin Abdollahi, a.k.a. Sean Holdt, is that he supposedly used the systems he sold to Subways around the country to fraudulently load value onto giftcards. The indictment then claims that Abdollahi either used the giftcards himself at Subways thousands of miles away or sold them as discounted cards on eBay (NASDAQ:EBAY) and Craigslist. For that added touch of chutzpah, the indictment alleges, Abdollahi and a co-conspirator "sometimes registered [the giftcards] online with Subway" and that was done "to keep track of the fraudulently loaded cards in case of loss or theft." After all that work, you certainly wouldn't want a card to be lost due to carelessness.



With POS Paper Supplies Vanishing, E-Receipts May No Longer Be Optional

March 18th, 2013
Maybe digital receipts and coupons are something you need to start promoting—and fast. The second-largest supplier of POS receipt paper, Germany's Koehler, still plans to stop shipping paper to the U.S. in April, after a December ruling by the Commerce Department that will increase tariffs by more than 70 percent. That could translate into shortages and will almost certainly mean higher prices for thermal paper, which is used in most chains' POS printers.

U.S. and Chinese paper mills say they will eventually fill the shortfall from the U.S. exit of Koehler, which has been providing about 40 percent of POS paper. But in the meantime chain execs may be expecting IT to keep stores from running out of paper. Strange as it sounds, it is IT's problem—and the second-easiest option is digital receipts.



Court: Retailers Not Bound To Online Promises. Their Shoppers Are

March 14th, 2013
A recent dismissal of a class-action lawsuit against the LinkedIn (NYSE:LNKD) social network raises the question of whether anyone is bound to keep the promises they make on their website at all. If taken at face value, pens Legal Columnist Mark Rasch, the court's dismissal means that companies are not bound to meet their own promised obligations but their customers are bound to comply with the Terms and Conditions of the website, whether they read them or not.

When LinkedIn premium customers Katie Szpyrka and Khalilah Wright learned that the website operator had been hacked, and that 6.5 million stolen LinkedIn passwords had been posted on the Internet (together with the users' e-mail addresses), they sued LinkedIn for failing to provide adequate security and appropriate encryption for these passwords. Because users frequently reuse the same passwords for multiple accounts, stealing their LinkedIn passwords and e-mail addresses might expose a host of other accounts to compromise.



Chain Sues Visa For Breach Fines, May Actually Get Its Day In Court

March 13th, 2013
Apparel chain Genesco (NYSE:GCO) has sued Visa (NYSE:V)—yes, Visa, not the acquiring banks—over the card brand's $13 million in fines due to a 2010 breach. The 2,440-store retailer, which operates the Journeys, Lids and Johnston & Murphy stores, makes the usual arguments: Visa's fines are illegal, Visa broke its own rules, Genesco didn't violate any PCI DSS requirements. (Well, except PCI's First Commandment: Thou shalt not get breached.)

What's interesting here is why Genesco thinks it will get to take Visa to court: A month before Visa notified the acquirers of the assessment, Genesco signed a separate agreement with one of the acquirers, Wells Fargo (NYSE:WFC), in which the bank actually signed over its right to sue Visa to Genesco.




Judge Rules That A Large Data Breach Is Not Proof Of Inadequate Security

March 12th, 2013
A federal judge ruled on March 5 that LinkedIn (NYSE: LNKD) is not obligated to compensate a pair of its customers who had sued following a LinkedIn data breach last year. Of particular interest to retailers is the customers' argument that the social networking site had promised to protect customer data "with industry standard protocols and technology." They then argued that the breach itself somehow proved such security was not delivered. The judge didn't buy it.

No security system is perfect, so the existence of a break-in—on its own—doesn't prove that security procedures were not followed, nor that they were not appropriate. The case—heard in U.S. District Court for the Northern District of California in San Jose—raised several other arguments for customers seeking compensation for the breach, and the court shot them all down. To start the proceedings, the customers had to make a case for how they lost money as a result of the breach, given that it appears none of their personal information was ever used by the thieves.


You Know What Your Shoppers Did Last Summer

March 7th, 2013
If consumers make purchases both online and in brick-and-mortar stores, you know a great deal. You have surveillance pictures of them in the store. You know what they purchased and what they looked at. You have browser information. If you subscribe to any of the dozens of data aggregation or marketing sites, you know whatever is shared. With "big data" you have aggregated this data, too. Now imagine if you had to tell each and every one of your customers exactly what you collected and what you did with that information. We mean everything.

That is already the law outside the United States and Canada, writes Legal Columnist Mark Rasch, and it may already be the law in those two holdout countries. It's a matter of interpretation.


Another Grocery POS Attack, Compromising Compromise

February 26th, 2013
Add Sprouts Farmers Market, a 151-store regional grocery chain that sells in eight U.S. states, to the list of chains learning that POS attacks are today's favorite cyberthief way to get card data. Sprouts confirmed on February 22 that it found spyware in the POS systems of 19 stores (13 in Arizona, six in Southern California), during a five-day sweep between January 25 and January 29. The statement included this wonderfully comforting line for Sprouts' shoppers: "After an investigation conducted by Sprouts along with FishNet Security, a nationally recognized data security firm, Sprouts is unable to confirm with certainty at this time whether any accounts were compromised."

That's a rather perplexing utterance. Given that the chain said data-capturing software was found in the POS systems of some 19 stores, it's pretty easy to declare the security of every card used in those machines during that timeframe was compromised. That's not to say that the thieves successfully captured that data in a usable form or that they have actually tried to use that data yet. But in terms of the data being compromised, that debate was pretty much over when the software was found.


Amex Experiment: Replace Cards Online With Passwords

February 22nd, 2013
American Express on Thursday (Feb. 21) took a page from both Apple iTunes and Amazon 1-Click, launching a program in India that allows online shoppers to use a password instead of having to type in card number, expiration date and security verification number. Beyond speed for shoppers, this approach takes all of that sensitive data out of the retailer's servers. The India rollout is the first test of this tactic worldwide.

The program, called ezeClick, was developed by the Amex India group and is being closely watched by Amex corporate. "We let each market develop what they need and what they think will work for them," said American Express Spokesperson Jim Tobin. "I assume it will start showing up in other markets."


Phone Tracking And The Law: Clear Sailing

February 21st, 2013
In the ongoing Nordstrom/Euclid cell phone tracking debate, it seems that Nordstrom (NYSE:JWN) failed to ask all three necessary questions when using any technology that might raise a privacy concern. These questions are, in no particular order: Is it legal? Is it profitable? And is it wise? Ask only two of these three questions, and you can be in deep trouble, pens Legal Columnist Mark Rasch.

The debate surrounds the Seattle-based retailer's use of a vendor called Euclid, which captures information from the Wi-Fi signals of both customers and passersby. Is it legal? There is no specific U.S. law on whether MAC addresses are "personal information" entitled to legal protection. Moreover, U.S. law regarding things like access to cell phone records and cell phone usage probably doesn't apply to the Wi-Fi portion of the device. So although it may constitute an unlawful "trap and trace" or "pen register" to capture a cell phone number or the IMEI of a cell phone, these laws likely don't apply to capturing the MAC address of a Wi-Fi-enabled device. Put simply, your iPad or Wi-Fi-enabled iPod isn't a phone, nor is the non-phone portion of your iPhone, Blackberry, Android or Windows mobile device.


Burger King, Jeep Tweet-Hacks Show It’s Time For A Social Kill Switch

February 20th, 2013
The Twitter takedown of Burger King (NYSE:BKW) on Monday (Feb. 18), followed by an almost identical attack on Jeep's Twitter account the next day, underlines a basic problem with social media: It's almost never under a retailer's control. It's not just that interacting online with customers is inherently unpredictable. The key social media sites themselves—Twitter, Facebook (NASDAQ:FB) and others—are always under someone else's control, and a chain is just another user.

That means when a retailer's social media presence is under attack, the difference between being down for more than an hour (like Burger King) or just 10 minutes (like Jeep) can be a matter of setting up the equivalent of a kill switch—and that's going to take some work.


Abu Dhabi Addresses Go E-Commerce Friendly. Only 6 Billion More Addresses To Go

February 20th, 2013

Abu Dhabi is going to an E-Commerce-friendly street address system. The capital of the United Arab Emirates announced on Sunday (Feb. 17) that, over the next 30 months, every building will get a number and every street will get a unique name (in many cases a much shorter name, in part to satisfy the needs of online forms), along with a short postal code. Currently, streets may be known by multiple names. For example, 7th Street is also Zayed the First, but it’s commonly known as Electra. And although the street Abu Dhabians call “Bank Street” is lined with banks, it’s formally named Khalid bin Waleed Street. Even some new glass-and-steel hotels have addresses like “Between the Bridges.”

Although local couriers are currently able to navigate the city to make deliveries, U.S.-style addresses should simplify things for E-tailers using addresses or postal codes for things like payment-card verification. It’s also a useful reminder for E-tailers that online forms designed for U.S. addresses aren’t necessarily going to work well in the rest of the world. With its population of 2.4 million people and a per capita income just below that of the U.S., Abu Dhabi is hardly a little desert oasis. But having three names for every street may not be so bad—just ask anyone who has tried to find an address on Peachtree in Atlanta.…


Why PCI DSS Compliance Is Not Like The Flu

February 20th, 2013
PCI DSS compliance is not like the flu. You can't "catch" it from your service provider, even though that provider might be PCI compliant. Merchants must go beyond reading the marketing materials and taking a quick glance at the service provider's attestation of compliance (AOC). The path to PCI compliance starts with PCI-compliant service providers, but it then takes the extra step of performing effective due diligence.

This lesson has been reinforced at least three times in the past few weeks in separate PCI Security Standards Council (PCI SSC) guidance documents. One question is whether merchants—particularly small and midsize merchants—will ever hear this advice. As a QSA, PCI Columnist Walter Conway occasionally gets the impression that clients spend more time researching their next smartphone, laptop or sailboat than they do reviewing service provider contracts and service-level agreements (SLAs). It is particularly important for merchants to realize the source of the advice. It comes not from the PCI SSC staff but from active PCI practitioners with first-hand experience.


An EAS Tag That Can Take A Nuking And Keep On Looking

February 20th, 2013

Shoppers do the darnedest things, such as taking home packaging with attached EAS labels and then throwing it into the microwave oven. We’re not just talking about reheatable soups but about things like hamburger meat, complete with the styrofoam and ultra-meltable shrinkwrap plastic. Not only is the molten plastic poisonous and foul-smelling, but the EAS tag can catch fire. (Note: Fire, plastic chemicals, styrofoam and plenty of radiation are a recipe for a new microwave—and possibly a new kitchen.)

“Typically, people are trying to defrost beef, chicken, etc., in the original package after it is frozen and it’s difficult to remove the plastic,” said George Cohen, a spokesperson for EAS vendor Checkpoint. Checkpoint on Tuesday (Feb. 19) rolled out what it says is a microwave-safe EAS label. That may sound like a great idea, but when you’re faced with an EAS tag or label that refuses to stay deactivated, the idea of frying it in the breakroom’s microwave oven was always a nice failsafe.…


PCI’s New Mobile Guidelines Acknowledge Huge Hurdles

February 15th, 2013
The PCI Council officially released its mobile payment guidelines Thursday (Feb. 14), a document that turned out to be anything other than a Valentine to retail IT execs who'd love to know the "all-clear" path to doing mobile payments and staying PCI compliant. Instead, it's more of a pragmatic acknowledgement of the various mobile hurdles that the council sees as currently insurmountable.

The recommendations, of course, also offer the generic list of best practices for mobile device security (such as strongly encouraging full-disk encryption), which is certainly a handy checklist for chains just starting to seriously explore mobile payments. One key point of the report is to acknowledge the very complex nature of mobile systems, which have far more players than traditional fixed POS systems. For example, the report speaks of the desirability of lab validation for mobile devices and why it's simply—and regrettably—not practical.


eBay’s Day In Court: No Soup For You

February 14th, 2013
Some retailers sell products. Some retailers sell services. But companies like eBay (NASDAQ:EBAY), Amazon (NASDAQ:AMZN) and Craigslist sell something more—a marketplace. They are not simply a "store" but the entire mall—the downtown retail zone. If you can't sell on eBay, Amazon or Craigslist, then, to a great extent, you can't sell online. So what happens if you are banned for life from one of these marketplaces? A recent California Appellate Court decision substantially impaired the rights of consumers to have access to these marketplaces when the merchant/marketplace owner determines that the consumer did not follow the rules, pens Legal Columnist Mark Rasch.

Linda Genesta was a long-time eBay seller. For 18 years, beginning in 1999, she sold what she described as "high-end, high-quality, imported authentic European and American antique and vintage textiles, fabrics, pillows and trims." Everything was fine until July 2008, when eBay allegedly removed Genesta's items from the marketplace, alleging "unspecified 'misrepresentations'" in violation of its Terms of Service. As a result, Genesta says, she is effectively "out of business."


Stealing The Keys: Bit9 Breach Means It’s Time To Throw Out Old Thinking About Security Products

February 13th, 2013
In another sign that investing in security isn't enough, three customers of security vendor Bit9 ended up with malware in their systems. This happened after a digital code-signing certificate was stolen from the vendor—and that, in turn, happened because Bit9 failed to use its own product on some of its systems.

Never mind the physician-heal-thyself aspect of this incident (which is a little tough for us because, well, Bit9 did do exactly what it tells its customers not to). More to the point, it's another sign that retailers need to stop trusting security and start thinking securely.


PCI Security Problems: The Practical Versus The Perfect

February 13th, 2013

Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it delivers security edicts in a vacuum, with minimal regard to how different types of merchants function in the so-called real world. Such critics were given three golden examples this month. The examples, in the areas of cloud guidance, P2PE validations and Windows XP end of life, illustrate the types of collisions that are inevitable when committees seeking ideal security approaches run into chains with razor-thin margins (or losses), workforce reductions and store closings. Put more bluntly, it’s the age-old battle of the ideal versus the pragmatic.

This is explored in StorefrontBacktalk‘s February monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription—shame on you!—here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.…


Live Tweeting Mass Layoffs May Not Be The Best Strategy

February 13th, 2013

Everyone knows the standard advice: when someone—especially someone who works in IT—is about to be fired or laid off, all of their passwords and systems access are shut off right before they’re told. You never know how people are going to react. Perhaps it’s time to expand those HR termination rules to also cut off access to all company social tools, including Facebook (NASDAQ:FB), Twitter, Google+ (NASDAQ:GOOG) and LinkedIn (NYSE:LNKD). That’s a rule 257-store British entertainment chain HMV probably wishes it had.

In late December, the chain was in the process of telling employees about extensive layoffs when one of those employees—someone who had password access to the company’s Twitter feed—began sharing her thoughts, such as: “Sorry we’ve been quiet for a long time. Under contract, we’ve been unable to say a word or, more importantly, the truth.” Then this matter-of-fact tweet: “We’re tweeting live from HR where we’re all being fired. Exciting.” One of her last tweets before all tweets from the company went silent was this delightfully predictive one: “Just overheard our Marketing Director (he’s staying, folks) ask, ‘How do I shut down Twitter?'” The best ideas always seem to come just a little too late.…


PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go

February 13th, 2013
The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. The guidance document begins with a simple statement: "It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud." Using the phrase "particularly challenging" communicates that a merchant's PCI compliance will be easier or harder depending on the chosen cloud deployment model, pens PCI Columnist Walter Conway.

One gem tells retailers they need to "obtain the details of the CSP's [cloud service provider's] compliance validation." This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed." Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.


PCI’s New Cloud Guidance: Great Ideas, Short On Realism

February 11th, 2013
When the PCI Council rolled out its cloud computing guidelines on February 7, one element—dealing with introspection—has been heralded as sound practice while being slammed as unrealistic and impractical. The problem speaks to the very nature of clouds.

In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds—as some have expected—or impose requirements on retailers that they may be unable to fulfill? The guidelines—which are not edicts from the council (yet) but, indeed, are solely guidelines—fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud; public cloud; and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.


After Seven Months, Why Has The PCI Council Yet To Validate Anyone For P2PE?

February 8th, 2013
For the past two years, the Payment Card Industry Security Standards Council (PCI SSC) has been taunting merchants with offers of a specialized (and simplified) Self-Assessment Questionnaire (SAQ) for those using "validated P2PE" approaches. At first, the council told merchants to wait while it drew up plans to validate the products. Then—finally—seven months ago, PCI SSC released its standards and told merchants to go right ahead and pick one of these validated options. There's only one problem: As of Thursday (Feb. 7), the council hadn't validated any.

That's right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.


Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling

February 7th, 2013
On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say "no," but the California Supreme Court says "yes." Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse—for both online and offline retailers, pens Legal Columnist Mark Rasch.

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.


California Opens CRM Goldmine For All E-Tailers

February 6th, 2013
The California Supreme Court on Monday (Feb. 4) ruled that online merchants have the right to ask for Zip code and other personal information about shoppers who buy electronically downloadable products, but physical retailers do not. Given the clout of the highest court from the country's largest state making such a ruling—which, in turn, makes it very likely that other states will follow—this decision could sharply change CRM and POS strategies.

Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.


Windows XP End-of-Life Could Cripple PCI Compliance

February 6th, 2013
PCI DSS has two sunsets coming up. The first is the well-documented end of PA-DSS v1.2 this October. The second, and equally significant, sunset is Windows XP's end-of-life just a few months later, and this event may have an even more direct impact on retailers. The demise of Windows XP will challenge retailers with POS or other payment applications running in that environment. These retailers will fall into one of three scenarios. How they choose to address the situation will affect their PCI compliance and, more importantly, their security. There may even be a little fallout for the PCI Security Standards Council (PCI SSC) itself, pens PCI Columnist Walter Conway.

On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant.


Survey Says Consumers Worry About Mobile Wallet Security. But Does That Matter?

February 4th, 2013

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?…

