Application Security
12/22/2016
02:30 PM
More Than 50% Of Biggest Holiday Retailers May Not Be PCI-Compliant

SecurityScorecard warns while the industry has made progress, many are still not covering the basics of security.

Retailers are having a solid 2016 holiday shopping season, and no major data breaches have been reported.

But not so fast: New research by SecurityScorecard indicates that retailers are not nearly out of the woods yet. Just because no serious breaches have been reported doesn't mean we won't all collectively wake up with a security hangover early next year.

A first-ever study of the 48 biggest holiday retailers from April 1 through Oct. 31, 2016, reports some unsettling data:

  • 100% of the biggest holiday retailers were found to have multiple issues with domain security.
  • Nearly 80% may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.
  • All bottom-performing holiday retailers have a D or lower in Network Security, which suggests that their networks may have an unaccounted-for access point ready to be exploited.
  • 62% of the biggest holiday retailers were using end-of-life products in the last month of the study.
  • 83% of the biggest holiday retailers had unpatched vulnerabilities in October 2016.

Sam Kassoumeh, co-founder and COO of SecurityScorecard, says patch management and replacing end-of-life products are the cornerstones of a sound security program and he’s very concerned that so many retailers are still not covering the basics.

“What happens is that companies do what they are mandated to do by PCI, for example, segmenting out credit card transaction data,” Kassoumeh explains. “But what I worry about as a consumer is if the hacker gets my billing address, purchasing transaction history or secret question, much of that information is used persistently on multiple sites.”

Kassoumeh says malicious threat actors can in turn use that PII to sign on to another website the victim is registered on and pretend to be that person, in effect taking over the account. Or they can collect as much PII as possible and sell it on the dark Web, or gather enough information to come back and blackmail the victim.

“The threat actors really have many options, we don’t ever really know how they are going to use the data,” he says.

SecurityScorecard runs a security ratings service that collects data available on the public Internet, attributes it to the specific organization it belongs to (for example, companies where it finds leaked credentials, exposed databases, or a lack of firewalls), and then compares that company's performance to the rest of the industry. It then assigns a score of A, B, C, D, or F.

Another disturbing finding from the report on the biggest holiday retailers was that the group spent more than three months during the study period with a C or lower rating in the following categories: network security, DNS health, IP reputation, and patching cadence.

Here’s a breakdown:

  • Network Security: 69% had multiple entry points for hackers.
  • DNS Health: 73% had misconfigured website domains.
  • IP Reputation: 43% were infected with malware.
  • Patching Cadence: 37% had unpatched vulnerabilities.

The SecurityScorecard report is available for download.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comments
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:40:54 PM
Re: No security breach yet?
@Dr.T: Target found out pretty quickly (at least, they didn't take "a few years" to learn about their own security breach) when they were hacked.  I think major retailers are more on the ball these days -- at least when it comes to after-the-fact detection (if nothing else).
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:39:17 PM
Re: compliance != secure
@Clarence: This is what I preach all the time in my own consulting, too.  Compliance, security, and data privacy are like slightly overlapping circles on a Venn diagram.  One does not equal the other; they are each merely components in the grander "data protection" scheme.
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:37:25 PM
Re: TJX -- have we not learned?
> Not paying with Bitcoin, Joe? :-)

The stores in my area don't take them.  ;)
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:34:38 PM
Re: TJX -- have we not learned?
With or without regulation, security measures will happen if there is a notable direct benefit or detriment involved to the company or the customer.

When it comes to consumer IoT, however, the detriment to consumers of compromised devices is minimal if not outright nil because their devices will still fundamentally work.  (The fridge will still be a fridge -- even while it acts as a botnet zombie to take down a web service.)
sussanbetcher,
User Rank: Apprentice
12/30/2016 | 4:35:37 AM
true
private louvre tour

That sounds very relevant. Thanks for sharing the news about retailers. It's true that, because no serious breaches have been reported, it doesn't mean that we all may not collectively wake up with a security hangover.
Dr.T,
User Rank: Ninja
12/26/2016 | 8:34:37 PM
PCI
Better to outsource this responsibility to a third-party, very expensive to secure and insure. 
Dr.T,
User Rank: Ninja
12/26/2016 | 8:33:34 PM
Re: compliance != secure
"When you use your credit card you are simply a wildebeest on the plains."

It makes sense, but you can secure it; as Apple Pay does not share any personal info with the merchant, it may be better than credit card processing.
Dr.T,
User Rank: Ninja
12/26/2016 | 8:31:20 PM
Re: TJX -- have we not learned?
"Sometimes it feels like we have to have more than regulatory and legal shackles to force security to happen."

That is an important point; security is expensive, and without regulation it is not happening, especially in IoT.
Dr.T,
User Rank: Ninja
12/26/2016 | 8:29:59 PM
Re: scalp psoriasis
I agree, quite informative article and covers very important subject.
Dr.T,
User Rank: Ninja
12/26/2016 | 8:29:01 PM
Re: compliance != secure
"Good enough to pass the audit is good enough."

This is actually a good point. For me, passing an audit should result in a good level of security measures in the environment.