Last updated: 16 May 2016
This post originally appeared on SafeNet’s The Art of Data Protection blog prior to SafeNet being acquired by Gemalto.
Cindy considered herself the definition of a fashionista, and knew where to find all the deals on the latest fashions. She lived to shop and shopped to live. Luckily for Cindy, she had great credit and could leverage her numerous cards to save when shopping. She knew about the increasing number of credit card breaches, but none had impacted her so far, and she had begun ignoring the headlines for the most part.
Right before the upcoming wedding season, Cindy went out to get new dresses, shoes, and accessories for the weekends ahead. While she did notice the navy heels and matching bag at Lydia’s Boutique, she didn’t think twice about the new, wireless point-of-sale (POS) system and card reader where she was swiping her platinum credit card.
The state-of-the-art POS system communicated with Lydia’s CRM and inventory management systems. Unfortunately, by disguising malware as a software update for the new system, hackers were able to get a foothold in the small retail chain’s POS environment and start skimming card data from each transaction, in order to eventually sell customers’ credit card information on the black market – including Cindy’s.
A few weeks later, Cindy logged in to pay her credit card bill, which she expected to be about $1,400 including her trip to Lydia’s. Imagine her surprise when she saw her account balance of … $9,320!
She sat staring at the number and skimming the purchases outlined – the bulk of which she didn’t recognize. There was a Dispute a Charge link on the page, but she felt like she needed to speak to someone to get answers. She flipped over the card, and frantically dialed the customer service number.
While on hold and waiting to speak to someone, she suddenly remembered that she had received a lot of emails recently, and thought one had said something about “payments” in the subject line. She’d thought it was a regular e-statement when she’d seen the notification on her phone pop up, but maybe…. There, about midway down in her inbox, was an unread email from Lydia’s Boutique with a subject line reading “Notice to Our Customers Regarding Payment Data.”
Her heart sank.
Luckily for Cindy, the credit card companies have good fraud protection policies that cover fraudulent purchases in the case of card theft, but that likely wouldn’t help her anxiety levels as she worried about 1) whether the balance would be covered, 2) whether the perpetrator would be caught, 3) how she would be able to make purchases while the fraudulent activity was investigated, and 4) how to ensure this wouldn’t happen again.
Security compliance mandates, like PCI DSS, have come a long way in recent years to ensure credit card data is protected; however, there are still vulnerability gaps in the retail ecosystem that hackers have been able to exploit. As retail stores begin to use more devices and sensors to collect customer data in order to improve efficiency and customize shopping experiences, hackers are presented with new opportunities to capture credit card information and activity.
To address this, the retail industry is now moving towards more advanced infrastructure security: point-to-point encryption (P2PE) that protects card data from the moment it enters the reader, and code signing of software applications and device firmware so that a terminal only installs updates that actually come from its vendor. Together these are intended to close the gaps described above.
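The attack on Lydia’s Boutique worked because the POS system accepted an “update” without any proof of where it came from. The following is an added example, not code from the original post or from any SafeNet or Gemalto product, of the code-signing check just described: the vendor signs a manifest (version plus SHA-256 digest of the update image) with an Ed25519 key, and the terminal verifies that signature against a pinned vendor public key before installing. The manifest layout, the domain separator string, the version numbers and the sample images are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed update descriptor. The vendor signs
// the version and the image digest together so an attacker can neither swap
// the image nor replay an old manifest under a newer version number.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// manifestBytes is the exact byte string that gets signed and verified.
// The "POS1" prefix is a domain separator (assumed format) so that a
// signature made for some other purpose cannot be reused as an update.
func manifestBytes(version uint32, hash [32]byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	buf := append([]byte("POS1"), v[:]...)
	return append(buf, hash[:]...)
}

// SignUpdate runs on the vendor's build system; the private key never
// leaves it and is never present on the terminal.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature invalid")
	ErrHashMismatch = errors.New("update rejected: image does not match signed digest")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// VerifyUpdate runs on the terminal before anything is written to flash.
// pub is the vendor public key pinned in the terminal's firmware. The
// signature is checked first so that untrusted manifest fields are never
// acted on; then the image is bound to the manifest; then rollback to an
// older (possibly vulnerable) version is refused.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice only pub is shipped in the terminal.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed: genuine POS firmware image v2")
	m := SignUpdate(priv, 2, genuine)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, genuine, 1))

	// Attacker substitutes malware but keeps the vendor's manifest.
	malware := []byte("constructed: card-skimming payload")
	fmt.Println("swapped image:", VerifyUpdate(pub, m, malware, 1))

	// Attacker signs their own manifest with a key the terminal does not trust.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerPriv, 3, malware)
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, malware, 1))

	// Replay of a genuinely signed but already-installed version.
	fmt.Println("replayed v2 on v2:", VerifyUpdate(pub, m, genuine, 2))
}
```

Note what the check does not cover: it proves the update came from whoever holds the vendor key, so protecting that key (an HSM on the build system, not a file on a developer laptop) is what the whole scheme rests on. P2PE addresses a different gap, card data in transit, and is complementary rather than a substitute.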
Find out more on the retail vulnerability points and what solutions are available to retailers at retail-payment-ecosystem.com.
The IoT Nightmares don’t end here!
Check out the previous entries in the IoT Nightmares blog series: