After finishing my most recent post about skimming devices placed on BP point-of-sale systems in the UK, I read an article in Computer World about what might be the latest large data breach.
Jaikumar Vijayan writes:
Several financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud concerns related to an apparent data compromise at a convenience store chain, highlighting the wide effect that retail security breaches can have.
Jaikumar's story, here.
Jaikumar's story states that Wesco, a retailer, is suspected of being the point of compromise. Of course, Wesco isn't admitting this and merely states that the matter is under investigation.
Office Max was the suspected point of compromise in another case last fall and, to the best of my knowledge, they never admitted to being involved. Dollar Tree and Sam's Club have also recently been suspected of being points of compromise in breaches where large amounts of credit/debit card information were compromised.
Why are hackers targeting retailers? The answer might be that large amounts of account information, including PINs (personal identification numbers), are being maintained in databases that are poorly protected and therefore easily compromised (hacked).
In his story, Jaikumar interviewed an expert from Gartner (Avivah Litan):
It also wasn’t clear how the data might have been breached. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.
Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Often, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.
The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.
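The storage problem Litan describes is easy to check for on your own systems. The following is an added example, not code from the article or from any POS vendor: it scans constructed POS log records for full Track 1 or Track 2 magnetic stripe data (the formats a card reader emits), which PCI DSS forbids keeping after authorization. The log layout and the card numbers are made up for the demonstration.

```python
import re

# ISO 7813 track layouts as they appear when a POS application stores the raw swipe.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule); hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(records):
    """Return one finding per stored track, reporting only a masked PAN."""
    findings = []
    for idx, rec in enumerate(records):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(rec):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append({"record": idx, "track": track, "pan": mask_pan(pan)})
    return findings

# Constructed sample log lines (hypothetical format; test card numbers, not real accounts).
SAMPLE_RECORDS = [
    # compliant: masked PAN only, no track data
    "2006-03-02 11:02:17 txn=1001 pan=411111******1111 amt=42.10 auth=OK",
    # non-compliant: the application wrote the full Track 2 swipe to its log
    "2006-03-02 11:03:44 txn=1002 raw=;4111111111111111=08051011234567890?",
    # non-compliant: full Track 1, cardholder name included
    "2006-03-02 11:05:09 txn=1003 raw=%B5500000000000004^DOE/JANE^0805101000000?",
    # digit run that fails the Luhn check, so it is not reported
    "2006-03-02 11:06:30 txn=1004 raw=;1234567890123456=0805101?",
]

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_RECORDS):
        print(f)
```

Run over real POS logs or database exports, any finding means track data is being retained and the storage must be removed, not merely encrypted.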
The problem is that the retailers never admit to being breached, the banks give out limited information when asked about it, and it appears that there are too many companies not following the Payment Card Industry Data Security Standard.
Perhaps the problem is that the Payment Card Industry Data Security Standard isn't being enforced and the consequences are lacking for those in violation of it. At a minimum, shouldn't these companies be prevented from accepting electronic payments by the industry?
Even if a lot of the losses are being written off, they are normally passed on to everyone in the form of increased fees, interest rates, or, in the case of retailers, higher prices. Despite this, there are also people who are denied compensation, especially if they fail to file a claim in a timely manner, or if a PIN was used and they can't tie the loss to a known breach.
With the number of data breaches, it's often difficult to figure out where any particular person's information was stolen from.
If the Payment Card Industry can't clean up their own backyard, perhaps it's time for some government inquiries into why so much information is being compromised?
Even without government intervention, there is the matter of consumer confidence to be considered. Consumer confidence is what makes businesses thrive, and a lack of it can be a disaster for all of those involved.
I'm sure there are retailers protecting their information properly, and the ones who aren't give everyone a bad name.