Retail Data Breach Victim Rolls Back The Tech Clock
Written by Evan Schuman
One of the longstanding problems with retail security is that the best advice for retailers comes from the experts in the field. And those people often work for the vendors that sell security products and services. Retail, therefore, has developed a culture of handling security problems by purchasing more security products to layer on top of what they already have in place.
But one retail data breach victim this month took the opposite approach. The Colorado liquor store had its payment records stolen via the Internet. The breach impacted dozens of banks and an untold number of consumers (police were quoted in one local newspaper as saying the breach impacted “thousands” of customers). Once its breach was discovered on October 5, the Cheers Liquor Mart (which bills itself as the largest liquor store in southern Colorado) went back in technological time. It completely cut off its card processing system from its POS and brought out from storage its old dial-up mechanism for connecting to the processor. The delay customers experienced was not noticeable, and the security—when compared with the breached modern system—was ironclad.
One critical difference between what happened at the one-location Cheers Liquor Mart and most major retail chains: The security team Cheers works with—Cyopsis—doesn’t sell security products, so there is—theoretically—no incentive for the forensics firm to treat a breach as a sales opportunity.
“The last thing you want (a retailer) to do after a breach is race in with new technology,” which will likely have the immediate effect of slowing down productivity, said Chris Roberts, the Cyopsis managing director for electronic intelligence and principal investigation. “We just chose to take out that piece of technology and ‘Welcome back to the good old days.'”
He said the merchant was more comfortable with a safer approach that allowed purchases to continue without disruption. “It’s not just throwing technology at the problem. It’s doing it a little more intelligently.”
Roberts said it’s unclear when Cheers’ payment data was first accessed, but he added that it had been “at least from September” and that it seems to be solely a network attack. There is no evidence of physical POS or card-swipe tampering, he said. “Early October was the first time they were alerted” by the card brands that Cheers was the common point of purchase tying together a lot of bogus credit and debit card charges.
The merchant had no wireless component to its network and was using some level of encryption, he said. Roberts added that the store’s PCI status was unclear.
“A key part of our cautionary measures was to remove any possible entry points,” so that transactions were forced to “bypass the PC and the [store’s] server.”
Although this return to a safer bygone era is nice, even the Cyopsis team said the covered wagon journey would likely be temporary. The advantages of a connected system are still compelling, but only after the investigation is complete, so that an appropriate fix to the security problem can be identified and implemented.
It’s also likely that even a temporary yesteryear move wouldn’t have worked with a much larger retailer. Coordination among stores (and CRM issues, let alone integration with E-Commerce and M-Commerce operations) would make it impractical.
October 22nd, 2009 at 2:32 am
I swear I’d do my best to initiate the comeback of the Carrier Pigeon if I knew it would do any better for network security :-)
October 22nd, 2009 at 12:00 pm
I question whether rolling back to dial up terminals is really more secure? Yes, it is a quick fix that will most likely close the current breach vector but it does bring back its own set of risks. I’m not aware of any dial up terminal that supports encrypting the data as it is sent to the modem. I’m also not aware of any processor “dial up” spec that supports encryption. While the card brands and PCI have added loopholes for unencrypted dial up traffic, there is a big grey area if the merchant uses a VoIP phone solution – in which case you might be introducing unencrypted traffic on a public network.
October 26th, 2009 at 2:28 pm
Merchant payment technologies have become very sophisticated and allow various networks or products to link seamlessly so that users can benefit from straight-through processing. But integration of various products and networks poses a unique problem: are these linkages done right and are there vulnerable points that are outside the security mechanisms of each component? PCI represents one attempt to standardize security procedures for payments but standardization cannot catch all weak points. Thus sometimes rolling back in time can help merchants avoid what Cheers Liquor Mart experienced. A better solution would be to have an IT security technician on staff and mandate annual security audits to look for ways to troubleshoot or improve the end to end security of an integrated system. Or said in other words: using a typewriter to avoid computer viruses on your word processing equipment is not a long term solution in the century of automation …
November 2nd, 2009 at 8:46 am
Excellent article. The Retail IT Community (my community) got ahead of itself and new safer solutions are needed. My community did a better job when we designed wholesale banking and brokerage electronic funds transfer systems (EFTS).
Michael Cherry
Cherry Biometrics Inc.