If there was any doubt that cybercriminals go primarily after easy money, the attack on the retailer Target is the best proof of it.
In the U.S. retail industry, people are used to paying with credit cards, which makes it the perfect place to attack.
Until now, nobody thought that paying for groceries, clothes or other utilities could put all your savings in danger.
Retail is also much easier to attack because the people behind the cash register are not trained to detect and prevent cyberattacks in the form of malware or of devices attached to the POS machine that copy card credentials.
They might be instructed to press an alarm button if someone points a gun at them, but not if someone starts a cyberattack to steal credit card financial data.
Unfortunately, the retail industry still has a long way to go before it can protect its customers against this category of fraud.
Another issue to consider is that the retail companies' own employees might install the malware or the copying device to make some extra money, because they are usually not well paid.
In the end, retail companies have to invest in 3 directions if they want to prevent such attacks in the future:
– Educate employees to prevent and detect such attacks
- This is time-consuming and very expensive because it has to be done continuously, since the threat landscape evolves very fast.
- It is, however, the only secure way to prevent these attacks in the long term.
– Invest in infrastructure so that nobody can easily start such an operation.
- Special computers with restricted access, secure POS devices that resist tampering attacks, restricted access to the devices
– Invest in security software that prevents common and targeted malware (or devices) from taking control of the computer connected to the POS
- Assuming that all the PCs that are used to process payments are x86 and running Windows, there is a very good chance that a standard security solution can provide a good level of protection against malware.
These actions require time and resources, which is why I am not sure that companies are ready to make this investment now just because one company got hit (OK, got hit very badly).
The biggest problem the IT security industry has is that companies continue to think, despite all the cases presented in the media: “This is not going to happen to us.”
And when they start thinking about it, it is usually too late and they need to start with damage control.
© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity