Many of us have embraced the “shopping online is not safe” mentality, or at least held that mindset for a time, but today shopping locally has arguably become more dangerous than shopping online. Comparing current security issues, one might have a hard time choosing between the risk of shopping over a potentially unsafe server connection and that of a local retail store. A publication presented at the 2015 RSA Security Conference by Henderson & Byrne outlines how Point-of-Sale (POS) devices are being compromised to exploit local retailers. While the exact vendor name isn’t quoted, the paper notes that a “major” vendor has been using the same default password since 1990, with the username and password having been publicly documented since 1994. Two words: charge cautiously. At a minimum, keep your guard up when charging goods at the local store. The online store (for most major businesses) may be more secure.

For example, in the last two years I have had four credit card reissuances. Do I shop online? Yes, I do. Did the card get compromised via online sources? No. Target, Home Depot, and other local stores all partook in the effort to help me keep my credit card numbers “fresh.” While in Europe last year on vacation (a.k.a. “holiday”), I chalked up at least one other compromised card number from local retailers. The paradigm shift I’m having trouble with is that shopping locally didn’t use to introduce any risk into your life; then everything started to become digitized. I would like to say we digitized everything to make order inventory more dynamic, furnish sales trending in real time and increase security. After all, 30 years ago, someone could have stolen the hard copies of credit card receipts gathered from manual imprinting of the physical card at a single register.
This would have been fairly obvious to spot during working hours (picture someone running out of Target or Walmart with a stack of cash and credit card slips), and if those items were stored in a safe, more difficult after hours. If we digitize this, the local hard copies of receipts can be removed from local access (only the cash could be stolen). I can’t see too many crooks running out of the local retailer with server racks, although these physical devices do get stolen, and so do safes. But security wasn’t the primary driving force in digitizing credit card and sales data (sales data has its own value). In hindsight, I believe we digitized everything because we could. It became in vogue. A company was looked down upon if it wasn’t digitally integrated, never mind whether its deployment was completely insecure.
Like many things in life, it’s not the tool you choose, but how you use it. Fast forward 30 years from the time when you needed to pass a fitness test just to run the manual credit card imprinter to today’s state of security. Now you need a paperclip and some very limited skills to deploy a tool that can scrape every credit card number from every register, for months. From there, the data can be automatically forwarded to an anonymized internet site for later sale to the highest bidder. Maybe technology isn’t so grand after all. Do we need to provide security training and certification in the same manner that firearm training has been made mandatory in many states? While the consequences are not as dire as in the latter case, the outcome of deploying technology in an insecure manner has financial repercussions that can really suck. Does anyone like having to change their credit card number everywhere every time it’s compromised? If they do, there’s probably a twelve-step group for that. More to the point, the Target data breach alone is reported by Lunden (2015) to have cost $162 million. Sadly, having a smartphone doesn’t make one smart. I don’t care how fast you can text or tweet; drop your phone in the toilet and you’ll feel just as dumb as I did learning what a “moisture indicator” is, and how it isn’t covered under the phone’s warranty. In the same manner, having a next-generation firewall deployed doesn’t do much good if it is misconfigured. While these examples are individual in nature, as a society we really need to get rid of a couple of antiquated concepts: default passwords and vendor remote access. Have the OS require a strong, unique password the first time the device is powered on; don’t ship a default password or a “support” backdoor account enabled by default. Crackers really don’t need any help from us to find ways to compromise systems and devices.
They get enough opportunities from software vulnerabilities alone to cover just about every device on the planet. According to the 2015 Verizon Data Breach Investigations Report (DBIR), POS intrusions are now the number one pattern among confirmed data breaches. The good news is that this is probably because people and corporations are making online cracking more difficult. The bad news is that changing your thinking about the local retailer might be harder than you think. At this point, I can only guess at how long the POS device will remain a threat to society. Five years? Ten? It remains to be seen; shop carefully in the meantime.
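The two antiquated concepts called out above, default passwords and always-on vendor remote access, are things a retailer can actually check for across its registers, and that a POS operating system could refuse to boot with. The Python below is an added example written for this page; it is not code from the post, from Henderson & Byrne, or from any POS vendor. The device inventory, the hostnames and the table of "known default" credentials are constructed placeholders (the real vendor password the post alludes to is deliberately not reproduced), and the PBKDF2 storage format is an assumption about how a device might keep its credential.

```python
"""Audit a POS fleet for vendor-default passwords and enabled vendor remote access.

Added example, not code from the original post. All device records and the
'known default' table are constructed placeholders.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Constructed placeholder defaults for the example only; the post does not name
# the real vendor or its password, and neither does this code.
KNOWN_DEFAULTS = {
    "admin": "admin",
    "support": "password",
    "pos": "default1990",
}

PBKDF2_ROUNDS = 50_000  # assumption: how the device hashes its stored password


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a device firmware might store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PosDevice:
    hostname: str
    username: str
    salt: bytes
    password_hash: bytes
    vendor_remote_access: bool  # the "support" backdoor the post wants removed


def matches_known_default(device: PosDevice) -> bool:
    """True if the stored hash equals the hash of the vendor default for that user.

    Comparing hashes means the audit never needs the cleartext password from the
    device, and compare_digest keeps the comparison constant-time.
    """
    default_pw = KNOWN_DEFAULTS.get(device.username)
    if default_pw is None:
        return False
    expected = hash_password(default_pw, device.salt)
    return hmac.compare_digest(expected, device.password_hash)


def audit_fleet(devices: list[PosDevice]) -> dict[str, list[str]]:
    """Return findings per host; an empty list means the register passed."""
    findings: dict[str, list[str]] = {}
    for dev in devices:
        issues = []
        if matches_known_default(dev):
            issues.append(f"account '{dev.username}' still uses the vendor default password")
        if dev.vendor_remote_access:
            issues.append("vendor remote-support access is enabled")
        findings[dev.hostname] = issues
    return findings


def first_boot_violations(candidate: str, vendor_remote_access: bool) -> list[str]:
    """Policy a POS OS could enforce before it lets the register process a sale.

    Rejects any known default, passwords shorter than 12 characters, passwords
    with fewer than three character classes, and an enabled vendor backdoor.
    """
    problems = []
    if candidate in KNOWN_DEFAULTS.values():
        problems.append("password is a known vendor default")
    if len(candidate) < 12:
        problems.append("password shorter than 12 characters")
    classes = sum(
        bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("password needs at least three character classes")
    if vendor_remote_access:
        problems.append("vendor remote-support access must be disabled before first use")
    return problems


def build_sample_fleet() -> list[PosDevice]:
    """Constructed inventory: one register left at the default, one hardened."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return [
        PosDevice("reg-01", "admin", s1, hash_password("admin", s1), True),
        PosDevice("reg-02", "admin", s2, hash_password("Tr0ub4dor&3Cashier", s2), False),
    ]


if __name__ == "__main__":
    for host, issues in audit_fleet(build_sample_fleet()).items():
        print(host, "->", issues or ["OK"])
    print(first_boot_violations("admin", True))
```

Running the block flags reg-01 on both counts and passes reg-02. The same `first_boot_violations` check is what an OS image could run before enabling the payment application, so a register shipped with the 1990 default never takes a card until someone has replaced it.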