Retail Data Breach Victim Rolls Back The Tech Clock

Written by Evan Schuman
October 21st, 2009

One of the longstanding problems with retail security is that the best advice for retailers comes from the experts in the field. And those people often work for the vendors that sell security products and services. Retail, therefore, has developed a culture of handling security problems by purchasing more security products to layer on top of what they already have in place.

But one retail data breach victim this month took the opposite approach. The Colorado liquor store had its payment records stolen via the Internet. The breach impacted dozens of banks and an untold number of consumers (police were quoted in one local newspaper as saying the breach impacted “thousands” of customers). Once its breach was discovered on October 5, the Cheers Liquor Mart (which bills itself as the largest liquor store in southern Colorado) went back in technological time. It completely cut off its card processing system from its POS and brought out from storage its old dial-up mechanism for connecting to the processor. The delay customers experienced was not noticeable, and the security—when compared with the breached modern system—was ironclad.

One critical difference between what happened at the one-location Cheers Liquor Mart and most major retail chains: The security team Cheers works with—Cyopsis—doesn’t sell security products, so there is—theoretically—no incentive for the forensics firm to treat a breach as a sales opportunity.

“The last thing you want (a retailer) to do after a breach is race in with new technology,” which will likely have the immediate effect of slowing down productivity, said Chris Roberts, the Cyopsis managing director for electronic intelligence and principal investigation. “We just chose to take out that piece of technology and ‘Welcome back to the good old days.’”

He said the merchant was more comfortable with a safer approach that allowed purchases to continue without disruption. “It’s not just throwing technology at the problem. It’s doing it a little more intelligently.”

Roberts said it’s unclear when Cheers’ payment data was first accessed, but he added that it had been “at least from September” and that it seems to be solely a network attack. There is no evidence of physical POS or card-swipe tampering, he said. “Early October was the first time they were alerted” by the card brands that Cheers was the common point of purchase tying together a lot of bogus credit and debit card charges.

The merchant had no wireless component to its network and was using some level of encryption, he said. Roberts added that the store’s PCI status was unclear.

“A key part of our cautionary measures was to remove any possible entry points,” so that transactions were forced to “bypass the PC and the [store’s] server.”

Although this return to a safer bygone era is nice, even the Cyopsis team said the covered wagon journey would likely be temporary. The advantages of a connected system are still compelling, but only after the investigation is complete, so that an appropriate fix to the security problem can be identified and implemented.

It’s also likely that even a temporary yesteryear move wouldn’t have worked with a much larger retailer. Coordination among stores (and CRM issues, let alone integration with E-Commerce and M-Commerce operations) would make it impractical.


4 Comments

  1. Chris Says:

    I swear I’d do my best to initiate the comeback of the Carrier Pigeon if I knew it would do any better for network security :-)

  2. Steve Sommers Says:

    I question whether rolling back to dial up terminals is really more secure? Yes, it is a quick fix that will most likely close the current breach vector but it does bring back its own set of risks. I’m not aware of any dial up terminal that supports encrypting the data as it is sent to the modem. I’m also not aware of any processor “dial up” spec that supports encryption. While the card brands and PCI have added loopholes for unencrypted dial up traffic, there is a big grey area if the merchant uses a VoIP phone solution – in which case you might be introducing unencrypted traffic on a public network.

  3. Kiril Alexiev Says:

    Merchant payment technologies have become very sophisticated and allow various networks or products to link seamlessly so that users can benefit from straight-through processing. But integration of various products and networks poses a unique problem: are these linkages done right and are there vulnerable points that are outside the security mechanisms of each component. PCI represents one attempt to standardize security procedures for payments but standardization cannot catch all weak points. Thus sometimes rolling back in time can help merchants avoid what Cheers Liquor Mart experienced. A better solution would be to have an IT security technician on staff and mandate annual security audits to look for ways to troubleshoot or improve the end to end security of an integrated system. Or said in other words: using a typewriter to avoid computer viruses on your word processing equipment is not a long term solution in the century of automation …

  4. Michael Cherry Says:

    Excellent article. The Retail IT Community (my community) got ahead of itself and new safer solutions are needed. My community did a better job when we designed wholesale banking and brokerage electronic funds transfer systems (EFTS).

    Michael Cherry
    Cherry Biometrics Inc.

