Point of steal
- 13 December, 2008 22:00
When thieves stole the PIN pads at a cash register in one of his company's stores, Daniel Marcotte was amazed. Not that they'd done it -- such thefts can happen once a week during the holiday season. But watching it on videotape later, "I couldn't tell they had it with them when they left" the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited. A couple of hours later, the thieves were back. They'd doctored the PIN pads to let them get customer card data. They got them back onto the point-of-sale system quickly, too. But here's where La Senza's security precautions kicked in: Its PIN pads in effect have their own Media Access Control address, and once they're disconnected, that address is no longer available. So the thieves were foiled--this time.
The point of sale has always been a target for thieves. While they once went after the cash drawer, retailers often find themselves facing sophisticated networks of thieves intent on the criminal equivalent of volume discounts--reams of credit card data, entire shelves of goods to launder or, in the case of pharmaceuticals like Sudafed, drugs used for making methamphetamines. Retailers, then, operate under the constant threat of having their point of sale either hacked by cyberthieves (the Dave & Buster's wireless hack being another recent high-profile example) or spoofed by real ones.
Between them, these various thieves target all the major aspects of a modern point-of-sale system:
- The cash register
- The bar-code scanner
- Wireless access
- The in-store voice or IP network
- The store inventory management system
Where once the big scourge was "till tappers"--people who grab the money and run--that's no longer a major headache for most retailers, says Keith Aubele, the former loss prevention executive at Wal-Mart and Home Depot, and now a loss-prevention consultant. Instead, they have to contend with sophisticated rings of thieves who've figured out that it's far more lucrative to systematically steal goods by spoofing the point-of-sale systems, especially self-checkout systems, which are "incredibly easy to bypass," says Aubele.
"You've got one supervisor for four to six registers, and you can easily distract that person and you take merchandise and scan some and hit the deactivator and walk out," he says.
A bigger problem still is under-ringing, or sweethearting, where crooked cashiers in cahoots with thieves simply don't scan all the items presented. Retail theft was almost US$35 billion, according to the 2007 National Retail Security Survey, and Aubele estimates that between $8 billion and $10 billion of it comes from under-ringing.
"Under-ringing is incredibly hard to detect, under any system," he says.
Small note of irony: The first mechanical cash register (patented in 1883) was nicknamed "
The major modern method for catching under-ringers is video analytics applied at the point of sale. Companies like IBM, Milestone and an Aubele client, Wren Solutions, all offer video analytics that aim to help store managers see when breaches have occurred.
But such analytics are a bit "pie in the sky," cautions Steve Hunt of Hunt Business Intelligence in Evanston, Ill. All the pieces work well, he says--"the cameras work fine, the recording system works fine, it integrates with the point-of-sale system perfectly by tagging every transaction, but the analytics aren't good enough. It's analytics 1.0." Aubele acknowledges that video analytics is "a work in progress," but says "it's light-years today ahead of where it was two years ago," and in two years will be light years ahead of today.
Meanwhile, there are new approaches being tried with traditional smash-and-grab techniques, like running off with a rack of leather jackets. Time Domain, a maker of real-time location systems, is putting radio frequency identification (RFID) tags into high-value items, and tracking them via ultra wideband (UWB) wireless technology. Time Domain's technology creates electronic article surveillance that ties into the cameras at the front of the store and will flag the unusual, like an entire rack of leather coats suddenly moving, and pan the cameras on the items--as long as the store uses pan-and-tilt video cameras. This technology is in pilot right now.
THE FLIP SIDE OF CAPTURING CUSTOMER DATA
Missing merchandise is a visible, countable problem for retailers. Stolen customer data is murkier. Compounding the issue is a fundamental problem: Point-of-sale technology wasn't designed to capture customer data, securely or otherwise. Most retail technology was developed to help companies track product information--what was sold, when and for how much. But retailers now use these technologies to capture customer data.
That means "at the place where data is captured, you have a rat's nest of different technologies cobbled together in a way that didn't pay any heed at all to the sensitivity of the data it captures," says Brian Kilcourse, managing partner of RSR Research.
Worse, retailers in the last decade shifted away from proprietary networking technologies like IBM's Token-Ring to Internet Protocol, which offers great flexibility but has inherent security issues. Retailers also tend not to encrypt data, and have been aggressive about adopting wireless technologies, which are harder to secure than wired ones.
It is perhaps a small wonder that the biggest known data theft to date occurred at a retailer, TJ Maxx, or that high-profile data attacks have happened at Hannaford's, Lowe's, Stop & Shop and other retailers.
In the last few years, a series of improvements in process and technologies have improved point-of-sale cybersecurity. Some of these improvements come thanks to the efforts of card issuers like American Express, MasterCard and Visa, which created the Payment Card Industry Data Security Standard, PCI for short.
-- Compensating controls to manage data flow into and out of the various point-of-sales technologies. PCI includes provisions for such controls for different sorts of retailers; encryption protocols for transmitting data between different parts of point-of-sale systems, such as the bar-code scanner and the credit card swiper--VeriFone's VeriShield is a popular example;
-- better data storage practices, like changing software commands to avoid storing certain types of data;
-- for data that is stored, using encryption systems;
-- wireless credit card readers like the Exadigm XD2000, which include built-in security and reduce potential credit card fraud by making sure the credit card never leaves its owner's hands.
WAITER, THERE'S A HACKER IN MY SOUP
But it's a gigantic challenge to get new technology out to the millions of points of sale, which range from the big box retailers to the fitness club to the restaurants to the corner gas station. Each kind of retailer presents its own problems.
Avivah Litan, a Gartner analyst, notes that gas stations have a PCI exemption until 2010, in part because credit card readers tend to be integrated into gas pumps, so upgrading the card reader means upgrading the pump, a very pricey proposition. In the meantime, pumps at the gas station feed to a server, which might feed to a regional server and then on to one at a headquarters operation, each a potential point of weakness.
Many retailers have flocked to wireless technology, which can create more flexible floor layouts and, for restaurants, can draw customers. But the white-hat hacker Simple Nomad says he was asked by a friend who managed a Bennigan's to check out whether a wireless hub in the restaurant allowed him to gain access to the point-of-sale terminal. He was able to do so. In another restaurant with a wireless hub, he found he could alter orders at the point of sale.
Wireless networks can become insecure even after a retailer thinks it's taken all the right steps to secure them, says Peter Evans, vice president of marketing at IBM Internet Security Systems. Evans says wireless access points are often set to default to insecure settings. So after a power outage or a reset, the security settings would default to off, and the retailers might not know for months that their information was vulnerable to hackers.
Evans says it's also simple to put a data skimmer on credit card swipe readers without anyone noticing. In fact, he says that recently, "I was a victim of one of these."
In his case, he says he was fortunate that his credit card provider's algorithms were able to detect fraudulent usage when his credit card data was used, and the thief was nabbed.
Meanwhile, the PCI Security Standards Council certifies software for use with point-of-sale systems. But Tom Wabiszczewicz, a security consultant at NeoHapsis, one of the six Qualified Incident Response Assessors (QIRA) under PCI's Cardholder Information Security Program (CISP), says issues persist. Over the course of the year, he's run into situations where companies have secure servers, but Windows-based, point-of-sale terminals sitting directly on the Internet are effectively wide-open to attack.
He's also seen companies that were storing Track 2 data unencrypted. Track 2 data can be used to recreate a credit card, and in one case he saw at a U.S. retailer, its Track 2 data was being sniffed and used to create fraudulent credit cards that were being used days later in Tokyo.
He says some problems are caused when companies upgrade to a PCI-compliant version of their software without getting rid of the old software, or with older, unencrypted data in databases. Wabiszczewicz says that "they're doing things correctly from that point on, but what about the leftover data from the database, or the previous version that didn't encrypt the credit card number or stored Track 2 data?"
Wabiszczewicz recommends that any such upgrade should include a complete reinstall of the entire system.
Despite these myriad issues, Wabiszczewicz says it is relatively straightforward to protect today's point-of-sale systems. "If you have a correct policy, you train employees, limit what they can do on the front end of the POS system and you're running PCI-compliant point-of-sale software, you are in very good shape," he says.
POINT OF SALE GRADE-A UPGRADES
For companies that are installing brand new point-of-sale systems, they have a much better chance of being secure from the get-go.
That's the course followed by Original Pizza Pan, in North Ridgeville, Ohio. A 25-year-old operation, it went through a franchise boom in the last few years, and now has about 100 locations. It had never used a formal point-of-sale system in its stores, and in 2007 decided that it was time to get one. A secure system was one of its priorities, though it was about fourth on its priority list, behind things like ease of ordering, better customer service and building databases of customers, says Edward Rizk, the firm's development director.
Rizk says that he picked a vendor, DiamondTouch, that develops systems specifically for pizza stores. But it was a big plus that it offered managed security services and also gave them the option to integrate a surveillance camera with the point-of-sale system. Such systems time-stamp the video every time the cash register drawer opens, allowing store owners to monitor whether money is staying where it belongs.
The systems don't use wireless at all; DiamondTouch encourages franchisees to change their passwords on a monthly basis and makes sure they're encrypting their data. The franchisees are not expected to send data on operations or customers back to the central office, Rizk says.
Even so, the system isn't ironclad. Original Pizza Pan wants its store owners to save their data on a separate computer as a backup. Rizk says, "I recommend to my franchises that they download their database to a computer that does not have Internet access." But whether they really listen to him, he doesn't know. "That's their business," he says.
Rizk is in the enviable position of being able to start from scratch. Most established retailers don't have that luxury, says RSR's Kilcourse. Worse, a large retailer probably has the ultimate distributed computing environment, which makes them a huge headache to upgrade.
"If you have 3,000 stores with 10 to 12 point-of-sale systems apiece, you have a management problem of very large proportion," Kilcourse says. "How do you safely upgrade so many systems? And if you're going to do it, how do you afford the cost?"
He says that it's almost financially impossible for a large retailer to go through a major replacement of point-of-sale systems. In fact, he says he's heard a retail CIO say his point-of-sale system was "old enough to drink."
The downturn means that retailers will likely hang on to technology even longer. The threat of fines for not complying with PCI is spurring companies to upgrade. But it's hard for retailers to cost-justify many types of technology upgrades.
For instance, chip-and-PIN technology for credit cards, prevalent in Europe, is more secure than using classic magnetic-stripe cards. TJX Vice Chairman Donald Campbell told The Boston Globe in late August that he'd like to see retailers, banks and card issuers pool their resources and upgrade all cards and readers to the chip-and-PIN system. The cost: about $2 per credit card and as much as $500 per reader, multiplied by 12 million readers. Campbell told the Globe that it would probably cost TJX $20 million to upgrade to chip-and-PIN readers. (TJX did not respond to a request for comment for this article.)
Economic downturns, cost obstacles and technology weaknesses aside, retailers will continue to battle the threats they face. And vendors will continue to try to make it easier to battle those threats. IBM, on October 1, announced its new SecureStore initiative, which aims to help store owners better manage their technology centrally. Evans says that part of IBM's motivation for the announcement is to address the scale problem that retailers face, when trying to upgrade and monitor systems spread out at literally thousands of stores, with perhaps tens of thousands of points of sale. The intent is that companies can use IBM server and management technology to do remote upgrades and monitoring of systems to identify situations such as an open wireless network, and then fix it.
"The current model of delivering security to customers is broken--the customer just wants security to go away," Evans says.
IBM's management effort is not the first, but Kilcourse says it was probably more holistic than others on the market.
La Senza's Marcotte is a likely adopter of SecureStore offerings. He's already using some of IBM's security software, and he's placed a purchase order for IBM's Tivoli management system to help centralize upgrades and monitor the company's roughly 1,000 point-of-sale systems across 350 stores.
Being able to monitor and do software upgrades remotely would be a plus, he says, especially since La Senza tends to upgrade its point-of-sale terminals roughly every three years, which he calls "heavy work" for the six people who work on point-of-sale security at the company.
"This centralized approach will be huge," says Marcotte.
Of course, centralized management creates a single target for hackers to attack. But in security, there are always trade-offs.