Retail Data Breach Victim Rolls Back The Tech Clock

One of the longstanding problems with retail security is that the best advice for retailers comes from the experts in the field. And those people often work for the vendors that sell security products and services. Retail, therefore, has developed a culture of handling security problems by purchasing more security products to layer on top of what they already have in place.

But one retail data breach victim this month took the opposite approach. Cheers Liquor Mart, which bills itself as the largest liquor store in southern Colorado, had its payment records stolen via the Internet. The breach impacted dozens of banks and an untold number of consumers (police were quoted in one local newspaper as saying the breach impacted "thousands" of customers). Once the breach was discovered on October 5, Cheers went back in technological time. It completely cut off its card processing system from its POS and brought out from storage its old dial-up mechanism for connecting to the processor. The delay customers experienced was not noticeable, and the security—when compared with the breached modern system—was far stronger, because the dial-up path to the processor is simply not reachable from the Internet.

One critical difference between what happened at the one-location Cheers Liquor Mart and most major retail chains: The security team Cheers works with—Cyopsis—doesn't sell security products, so there is—theoretically—no incentive for the forensics firm to treat a breach as a sales opportunity.

"The last thing you want (a retailer) to do after a breach is race in with new technology," which will likely have the immediate effect of slowing down productivity, said Chris Roberts, the Cyopsis managing director for electronic intelligence and principal investigation. "We just chose to take out that piece of technology and 'Welcome back to the good old days.'"

He said the merchant was more comfortable with a safer approach that allowed purchases to continue without disruption. "It's not just throwing technology at the problem. It's doing it a little more intelligently."

Roberts said it's unclear when Cheers’ payment data was first accessed, but he added that it had been "at least from September" and that it seems to be solely a network attack. There is no evidence of physical POS or card-swipe tampering, he said. "Early October was the first time they were alerted" by the card brands that Cheers was the common point of purchase tying together a lot of bogus credit and debit card charges.
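The "common point of purchase" finding described above is a standard fraud-analytics step: the card brands take the cards that turned up in bogus charges, look back through their purchase histories, and ask which merchant nearly all of them share. The script below is an added illustration of that analysis, not code or data from the card brands, Cyopsis or Cheers. The card IDs, merchant labels (store_A, gas_B, and so on), dates and the investigation window are all constructed; the year is arbitrary. It also shows why a raw count is not enough: a gas station that most cardholders visit anyway would top a naive count, so each merchant's share of the fraud cards is compared against its share of all cards in the window.

```python
"""Common-point-of-purchase (CPP) analysis over constructed sample data.

Added example, not part of the original article. All cards, merchants
and dates below are made up for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed purchase histories: (card_id, merchant, transaction_date).
# Cards F1..F5 were later reported as carrying fraudulent charges;
# K1..K5 are cards with no fraud reported.
TRANSACTIONS = [
    ("F1", "store_A", date(2008, 9, 3)), ("F1", "gas_B", date(2008, 9, 5)),
    ("F1", "grocery_C", date(2008, 9, 8)),
    ("F2", "store_A", date(2008, 9, 10)), ("F2", "gas_B", date(2008, 9, 11)),
    ("F3", "store_A", date(2008, 9, 15)), ("F3", "grocery_C", date(2008, 9, 16)),
    ("F4", "store_A", date(2008, 9, 22)), ("F4", "gas_B", date(2008, 9, 23)),
    ("F4", "cafe_D", date(2008, 9, 24)),
    ("F5", "store_A", date(2008, 10, 1)),
    ("F5", "grocery_C", date(2008, 8, 20)),   # before the window: must be ignored
    ("K1", "gas_B", date(2008, 9, 4)), ("K1", "grocery_C", date(2008, 9, 6)),
    ("K2", "gas_B", date(2008, 9, 9)),
    ("K3", "gas_B", date(2008, 9, 13)), ("K3", "cafe_D", date(2008, 9, 14)),
    ("K4", "grocery_C", date(2008, 9, 19)),
    ("K5", "store_A", date(2008, 9, 12)), ("K5", "gas_B", date(2008, 9, 20)),
]
FRAUD_CARDS = {"F1", "F2", "F3", "F4", "F5"}
# Constructed look-back window: "at least from September" up to the alert date.
WINDOW_START = date(2008, 9, 1)
WINDOW_END = date(2008, 10, 5)


def cpp_scores(transactions, fraud_cards, window_start, window_end):
    """Rank merchants as candidate common points of purchase.

    Returns a list of (merchant, fraud_coverage, base_rate, lift) sorted so
    the strongest candidate comes first, where
      fraud_coverage = share of fraud-reported cards seen at the merchant,
      base_rate      = share of all cards in the window seen there, and
      lift           = fraud_coverage / base_rate (1.0 means "no more than
                       you'd expect", so ubiquitous merchants are not flagged).
    """
    fraud_at = defaultdict(set)   # merchant -> fraud cards seen there
    all_at = defaultdict(set)     # merchant -> all cards seen there
    cards_in_window = set()
    for card, merchant, day in transactions:
        if not (window_start <= day <= window_end):
            continue
        cards_in_window.add(card)
        all_at[merchant].add(card)
        if card in fraud_cards:
            fraud_at[merchant].add(card)

    results = []
    for merchant, cards in fraud_at.items():
        fraud_coverage = len(cards) / len(fraud_cards)
        base_rate = len(all_at[merchant]) / len(cards_in_window)
        lift = fraud_coverage / base_rate if base_rate else 0.0
        results.append((merchant, fraud_coverage, base_rate, lift))
    results.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return results


def exposure_window(transactions, fraud_cards, merchant, window_start, window_end):
    """Earliest and latest in-window purchase by a fraud card at `merchant`.

    This is the lower bound on how long the merchant had been leaking data:
    the compromise began no later than the earliest of these dates.
    """
    days = [day for card, m, day in transactions
            if m == merchant and card in fraud_cards
            and window_start <= day <= window_end]
    return (min(days), max(days)) if days else None


if __name__ == "__main__":
    for merchant, cov, base, lift in cpp_scores(TRANSACTIONS, FRAUD_CARDS,
                                                WINDOW_START, WINDOW_END):
        print(f"{merchant:10s} fraud share {cov:.2f}  base {base:.2f}  lift {lift:.2f}")
    print("exposure window for top candidate:",
          exposure_window(TRANSACTIONS, FRAUD_CARDS, "store_A",
                          WINDOW_START, WINDOW_END))
```

On this constructed data every fraud card visited store_A (coverage 1.0) while only six of ten cards overall did, so it stands out with a lift above 1, whereas gas_B, visited by most cards whether defrauded or not, scores a lift below 1 despite appearing in three of the five fraud histories. The exposure window for store_A then gives the investigators their "at least from" date.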

The merchant had no wireless component to its network and was using some level of encryption, he said. Roberts added that the store's PCI status was unclear.

"A key part of our cautionary measures was to remove any possible entry points," so that transactions were forced to "bypass the PC and the [store's] server."

Although this return to a safer bygone era is nice, even the Cyopsis team said the covered wagon journey would likely be temporary. The advantages of a connected system are still compelling, and the store will probably go back to one, but only after the investigation is complete and an appropriate fix for the security problem has been identified and implemented.

It's also likely that even a temporary yesteryear move wouldn't have worked with a much larger retailer. Coordination among stores (and CRM issues, let alone integration with E-Commerce and M-Commerce operations) would make it impractical.

Still, so much of IT these days reflexively responds to a problem by whipping out the purchase orders and trying to throw whatever technology—the more expensive, the more comforting—is available at the issue. Sometimes, it takes a smaller retailer to point out that that is not always the most cost-effective—or even the most "just plain effective"—route.

But let's be clear. Going back to a non-integrated approach certainly means losing a lot. From a security standpoint, it almost certainly means giving up encryption, so all card data—if accessed—is easy for anyone to read.

Then again, most professional cyber thieves are focused on tapping into such targeted data via the Internet or via physical tampering with the card swipe or the POS. So it's unclear how likely it is that data would be accessed from an analog connection dialing into a card processor. A thief who wanted to access it most likely could, but it's so much easier—read cost-effective—to stick with Internet access. To make any real money with card data theft, millions—and sometimes tens of millions—of cards need to be accessed. That plain old analog telephone line, which a thief would have to tap one store at a time, makes it hard to profitably grab a lot of cards.

Also, the comments about vendor recommendations aren't intended to suggest that vendors are necessarily being deceitful or greedy. After decades of doing business this way, it’s simply ingrained—not unlike a surgeon who tends to see "cutting a patient open" as the best treatment for almost any malady. After all, it's what they're trained to do.

Rather, this cautionary tale suggests not taking the traditional approach if an easier, cheaper method might suffice. It also means thinking through the inherent (and sometimes subconscious) biases of the experts whose advice you seek.

That's why it's always made us nervous that PCI assessors can sell the products and services that make a chain PCI compliant. Even the most honest of assessors can't help but be a little bit influenced by the revenue from selling their own offerings, especially in a down economy when every dollar means a few more days of not being laid off. Given the latitude that assessors have, can they truly divorce their bonus from what the retailer truly needs to be PCI compliant?

One of the points Cyopsis' Roberts made was that IT managers—after a breach—should trace everything back to find the root cause of the breach. "They need to train their people to code more securely," he said.

Maybe IT directors should sit back and consider more than the source code, though. In light of the advice they're getting and who they're getting it from, maybe they should think beyond the source code and also, if you will, consider the source.