Advice Regarding Eddie Bauer POS Breach

Eddie Bauer said it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of January may have been compromised in the breach. The company said Thursday that it had arranged for all customers who made purchases and returns during this period to get free identity protection services from Kroll for the next year.

This type of attack generally begins with a compromise of the retailer's internal computer systems, to which its point-of-sale terminals are connected; the attacker then infects the terminals with malware that steals card details and sends them back to the criminals. Below, security experts offer advice on steps retailers can take to help prevent such an attack.

Travis Smith, Senior Security Research Engineer at Tripwire, says, “Point of sale malware continues to be an attractive target for cyber criminals. The best advice for retailers is to place any point of sale machine on a segregated network from any other machines with locked down internet access. These machines typically have a handful of internet locations required to process credit card data, if they require any at all. Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker.”

Travis explains, “Locking down point of sale networks can be easier said than done. For retail establishments which have one or two point of sale terminals in each store, it didn’t make sense three or four years ago to implement a second costly network segment for one or two devices. Migrating to a segregated network may require hundreds of thousands of dollars in equipment and network redesigns, something retailers may not have an appetite for in today’s competitive marketplace.”
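As an added illustration of the segregated, egress-restricted POS network Travis Smith describes (example code written for this page, not Tripwire's or Eddie Bauer's), the script below audits constructed firewall log lines against an assumed allowlist of the few payment endpoints a POS VLAN needs and flags any connection the firewall let through to anywhere else. The VLAN range, the gateway addresses and the log format are all assumptions.

```python
import ipaddress
import re
# Assumed network layout (not from the article): POS terminals sit on their own
# VLAN and may reach only the few payment-processing endpoints listed below.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allowlist: (destination address, port) pairs the terminals need.
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),  # payment gateway (constructed address)
    ("203.0.113.11", 443),  # gateway failover (constructed address)
    ("10.50.0.1", 53),      # resolver inside the segment (constructed address)
}
# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2016-08-18T09:01:02 action=ALLOW src=10.50.0.23 dst=203.0.113.10 dport=443 proto=tcp
2016-08-18T09:01:05 action=ALLOW src=10.50.0.23 dst=10.50.0.1 dport=53 proto=udp
2016-08-18T09:02:10 action=ALLOW src=10.50.0.41 dst=198.51.100.7 dport=8080 proto=tcp
2016-08-18T09:02:11 action=ALLOW src=10.50.0.41 dst=10.20.3.9 dport=445 proto=tcp
2016-08-18T09:03:00 action=ALLOW src=10.20.3.9 dst=203.0.113.10 dport=443 proto=tcp
2016-08-18T09:03:30 action=DENY src=10.50.0.41 dst=198.51.100.7 dport=8080 proto=tcp
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None when it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_pos_egress(log_text):
    """Return ALLOWed connections out of the POS segment that are not on the allowlist."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "ALLOW":
            continue                       # unparseable, or the firewall already blocked it
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue                       # only traffic leaving the POS VLAN matters here
        dport = int(rec["dport"])
        if (rec["dst"], dport) in EGRESS_ALLOWLIST:
            continue                       # one of the few destinations the terminals need
        dst = ipaddress.ip_address(rec["dst"])
        kind = ("internal-lateral" if any(dst in n for n in INTERNAL_NETS)
                else "external-egress")   # reach into the corporate LAN vs. a path out to the internet
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "dport": dport, "kind": kind})
    return findings
```

Run against the constructed log, `audit_pos_egress(SAMPLE_LOG)` returns two findings: the POS terminal reaching an outside host on port 8080 and the same terminal reaching a corporate-LAN host on port 445, both of which a properly segregated POS network would have denied.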

George Rice, senior director, payments at HPE Security – Data Security, says:

“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Any businesses using POS systems can avoid the impact of these types of advanced attacks. Proven methods, such as Format-Preserving Encryption, are available to neutralize data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.

The good news is that savvy merchants are implementing Format-Preserving Encryption, giving the malware nothing to steal, which also has a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”
