8/27/2014
06:20 PM
Backoff, Dairy Queen, UPS & Retail's Growing PoS Security Problem

Retail brands are trying to pass the buck for data security to banks and franchisees, say some experts.

Retail security is under the microscope this week, thanks to data breaches at United Parcel Service franchises (and possibly Dairy Queen franchises), government warnings about the Backoff point-of-sale malware, and new research that shows persistent vulnerabilities in retail applications.

Retail's data security problem is attributed to (among other things) lack of investment in secure application development, disputes with the financial services industry over who's to blame, disputes between brands and franchise stores, and lack of oversight by those who develop and deploy retail applications.

The National Retail Federation advocates better data security for retailers, but it puts most of the blame on the financial services industry. In "Four Big Lies About Data Security," the NRF points out that banks continue to issue cards based on outdated magnetic stripe technology and require retailers to retain too much card data.

Today, US-CERT again updated its advisory about Backoff, the point-of-sale malware responsible for the breaches at UPS franchise stores. The Secret Service estimates that 1,000 businesses have been affected by Backoff, and seven PoS providers/vendors confirmed that their clients have been affected.

There are also rumors that Dairy Queen has been breached, as reported by Brian Krebs of KrebsOnSecurity. Krebs said he initially could not find evidence of such an event, but he has since been contacted by a credit union's fraud detection department that has been receiving reports of fraud on cards recently used at Dairy Queen locations in multiple states. A representative of the brand did not confirm an incident. According to Krebs:

Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.

This is reminiscent of the recent breach at UPS, which said in a press release, "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations."

Independent networks could arguably contain the problem, and the blame could be laid on individual stores, not the brand itself. Yet that might not matter to customers.

"The franchisor's brand could be destroyed easily without better controls in place for franchisees," says Mike Davis, CTO of CounterTack. "The fact that franchisees are not required to tell the franchisor about security breaches illustrates how breach notification processes are weak not just in retail but in most industries... Franchisors should start requiring security controls of their franchisees above those required by PCI and third parties the franchisee may work with."

Courts might not distinguish between brands and their franchise stores, either. Trey Ford, global security strategist at Rapid7, says the Federal Trade Commission won't let the brand pass the buck so easily.

"Although reports have indicated that DQ-branded franchises may not be required to report breaches to Dairy Queen headquarters," says Ford, "this still may create liability for Dairy Queen. The FTC filed a complaint in a similar situation with Wyndham. The consumer relationship is with the brand, not the franchise."

The FTC filed the complaint against the Wyndham Worldwide Corporation hotel chain -- which had 90 independently owned hotels licensed under the Wyndham name -- in June 2012 after three data breaches. The FTC alleged "that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, and that its failure to safeguard personal information caused substantial consumer injury."

There are reasons for brands to care about their franchise stores' security, and they may also be in a better position to manage or lead security efforts.

"Franchise owners and operators will have a harder time [than brands] locating malicious software," says Ford. Those franchise stores "equipped to detect, contain, and eradicate miscreants from their systems are the exception, not the rule.... If your business is contacted as a 'common point of purchase' for credit card fraud, that is generally a high confidence indication you have a problem."

Yet with retailers blaming financial services, blaming franchisees, and blaming third-party service providers (and vice versa and vice versa and vice versa), there is perhaps an overriding problem of nobody taking enough responsibility for data security.
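Ford's "common point of purchase" remark above refers to the analysis issuers and credit-union fraud departments run when cards start going bad: line up the purchase history of every card reported as fraudulent and look for the merchant those cards share that clean cards do not. The Python below is an added example written for this article, not code from Rapid7, any issuer or any retailer. The transaction rows, card tokens and merchant names are constructed, and the two thresholds (at least three quarters of the fraud cards used the merchant, and at a rate at least twice that of clean cards) are illustrative assumptions, not industry constants.

```python
"""Common-point-of-purchase (CPP) analysis over constructed transaction data.

Given a set of cards the issuer has confirmed as fraudulent and the merchant
history of every card, rank merchants by how strongly they link the bad cards
while discounting merchants that are simply popular with everyone.
"""
from collections import Counter, defaultdict

# Constructed sample data (not real transactions): (card_token, merchant_id, date).
TRANSACTIONS = [
    ("c1", "dq_store_114", "2014-07-02"), ("c1", "grocer_a", "2014-07-03"),
    ("c2", "dq_store_114", "2014-07-05"), ("c2", "gas_b", "2014-07-06"),
    ("c3", "dq_store_114", "2014-07-09"), ("c3", "grocer_a", "2014-07-10"),
    ("c4", "dq_store_114", "2014-07-11"), ("c4", "pharmacy_c", "2014-07-12"),
    ("c5", "grocer_a", "2014-07-04"), ("c5", "gas_b", "2014-07-08"),
    ("c6", "grocer_a", "2014-07-13"), ("c6", "pharmacy_c", "2014-07-14"),
    ("c7", "dq_store_114", "2014-07-15"), ("c7", "grocer_a", "2014-07-16"),
    ("c8", "gas_b", "2014-07-17"),
]

# Cards on which the issuer later saw fraud (constructed; assumption for the demo).
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def merchants_by_card(transactions):
    """Map each card token to the set of merchants it was used at."""
    out = defaultdict(set)
    for card, merchant, _date in transactions:
        out[card].add(merchant)
    return out


def common_point_of_purchase(transactions, fraud_cards,
                             min_fraud_share=0.75, min_lift=2.0):
    """Return (merchant, fraud_card_count, fraud_share, lift) tuples, best first.

    fraud_share: fraction of fraud cards that transacted at the merchant.
    lift:        fraud_share divided by the fraction of clean cards that did.
    A merchant is reported only if it clears both thresholds (illustrative values).
    """
    by_card = merchants_by_card(transactions)
    fraud = [c for c in by_card if c in fraud_cards]
    clean = [c for c in by_card if c not in fraud_cards]
    if not fraud:
        return []

    fraud_hits = Counter(m for c in fraud for m in by_card[c])
    clean_hits = Counter(m for c in clean for m in by_card[c])

    results = []
    for merchant, n in fraud_hits.items():
        fraud_share = n / len(fraud)
        clean_share = clean_hits[merchant] / len(clean) if clean else 0.0
        # Floor the denominator so a merchant never seen on clean cards gets a
        # large but finite lift instead of a division by zero.
        lift = fraud_share / max(clean_share, 1 / (len(clean) + 1))
        if fraud_share >= min_fraud_share and lift >= min_lift:
            results.append((merchant, n, round(fraud_share, 2), round(lift, 2)))

    # Most fraud cards first, then strongest lift, then name for a stable order.
    results.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return results


if __name__ == "__main__":
    for merchant, n, share, lift in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant}: {n} fraud cards, share={share}, lift={lift}")
```

On the constructed data every one of the four bad cards was used at dq_store_114, but only one of the four clean cards was, so that store is reported with a lift of 4.0; grocer_a, which three of the four clean cards also used, is correctly not flagged even though half the fraud cards shopped there. A retailer that receives a CPP notice is on the receiving end of exactly this calculation, which is why Ford calls it a high-confidence indicator: the issuer is not extrapolating from one card but from a cluster whose only shared merchant is your store.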

That also extends to the developers of retail and PoS software -- both custom-built and off-the-shelf.

According to research released today by CAST Software (registration required), 70% of retail applications are still vulnerable to data input validation attacks like SQL injection (yes, still) and Heartbleed compromises. Retail fared worse than any other industry. Financial services (69%) was a very close second. This is particularly concerning, since input validation attacks were used in 80% of the application attacks in retail, including the one at eBay, according to Verizon's latest Data Breach Investigations Report.
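The SQL injection finding above is, in most of the applications that still carry it, a matter of string concatenation. The example below is added here and is not from CAST's report or from any retailer's code; the catalogue table, its rows and the injection payload are constructed for the demonstration. It contrasts a product lookup that splices the search term into the statement with one that binds it as a driver parameter, and adds the allow-list check needed in the one place a parameter cannot be used, a column name in ORDER BY.

```python
"""SQL injection: a vulnerable lookup beside its parameterized replacement.

Uses Python's built-in sqlite3 with an in-memory database so it runs offline.
"""
import sqlite3

# Constructed catalogue; not data from the article or any real retailer.
ROWS = [
    (1, "widget", "public"),
    (2, "gadget", "public"),
    (3, "internal-sku-0001", "internal"),  # must never be returned to shoppers
]

# Classic tautology payload: closes the string and appends an always-true OR.
PAYLOAD = "x' OR '1'='1"

# Columns a caller is allowed to sort by. Identifiers cannot be bound as
# parameters, so an allow-list is the correct control for them.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def make_db():
    """Create the sample table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the term becomes part of the SQL text.

    With PAYLOAD the statement ends `... AND name = 'x' OR '1'='1'`; because
    AND binds tighter than OR, the visibility filter is bypassed too and every
    row, including the internal SKU, comes back.
    """
    sql = ("SELECT id, name FROM products "
           f"WHERE visibility = 'public' AND name = '{term}'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Hardened: the driver sends the value out of band; it is never parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE visibility = 'public' AND name = ?"
    return conn.execute(sql, (term,)).fetchall()


def search_sorted(conn, prefix, sort_by):
    """Prefix search with caller-chosen ordering.

    The value is still bound; the column name is validated against
    ALLOWED_SORT_COLUMNS before it is interpolated, since ORDER BY cannot
    take a bound parameter.
    """
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = ("SELECT id, name FROM products "
           f"WHERE visibility = 'public' AND name LIKE ? ORDER BY {sort_by}")
    return conn.execute(sql, (prefix + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", search_vulnerable(db, PAYLOAD))
    print("parameterized:", search_parameterized(db, PAYLOAD))
    print("sorted       :", search_sorted(db, "g", "name"))
```

Run as written, the vulnerable function returns all three rows for the payload, the parameterized one returns none (no product is literally named `x' OR '1'='1`), and the sort helper refuses a column name it does not recognise. The lesson Lesokhin calls "basic hygiene" is visible in the diff between the first two functions: nothing about the fix is exotic, it is a question of whether the developer and the reviewer insist on it.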

When explaining the problem, CAST executive vice president Lev Lesokhin repeated the Code of Hammurabi passage that Dan Geer referenced in his keynote at Black Hat USA. The code, written 3,700 years ago, stated, "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."

"Ownership of construction and the oversight of construction are still very poor," says Lesokhin. "It is a management issue within IT."

CAST works mainly with enterprise IT departments writing custom software, but Lesokhin expects that this is also a problem in bigger application development houses, which suffer from a certain "hubris" that could perpetuate the problem.

He says he hasn't seen secure coding frameworks catch on much, but "basic hygiene" would solve many of the issues found in these applications. CAST also found that, even though software quality and software security are distinct properties, the two are strongly correlated: cleaner code tends to be more secure code.

Why are the software vulnerabilities worse in retail and financial services? Time-to-market pressure is especially intense in financial services, Lesokhin says, while in retail companies tend to spend less on software development oversight.

Will this improve? Lesokhin wonders whether the perpetual announcement of breaches and software holes has brought companies to the conclusion that it will never get better, and perhaps it isn't even worth trying to make it better. "I think the question is to what extent is it becoming a learned helplessness?"

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Some Guy, User Rank: Moderator
9/3/2014 | 3:33:25 PM
Re: Brand reputation
Not so fast. If the POS and IT system is supplied by the Franchisor, I'd agree. If not, it really is the Franchisee's responsibility. I think that it's wrong to hold the Franchisors accountable *ex post facto* when, up to now, the Franchisors haven't even been provided an opportunity to address this new risk to their reputation. (Clearly fair to hold them accountable for failing to anticipate this risk.)

It's a fine line, but a well understood distinction, especially in a legal liability sense. As with many things legal, check your intuition and sensibilities at the courthouse door.

That being said, I agree that it has definitely emerged to be in the best interest of the Franchisor to, at the very least, specify security requirements (and probably enshrine it in the franchise agreement). The Franchisors could just as easily revoke the offending Franchisees to protect their reputation. In the vein of "every problem is an opportunity," the smart play would be for a Franchisor to impose security across the Franchise and provide value add to the Franchisees, as well as turn this into a feature of the Franchise -- great service and secure purchases now at *all* UPS Stores.

 
Krishnaprasad Prabhakaran CFE, User Rank: Apprentice
9/3/2014 | 11:30:47 AM
Re: Brand reputation
 

I agree with you; let me explain the reason for my earlier question.

Backoff is a malware which is known as a RAM scraper. This malware is a type of botnet. A botnet can be spread through IRC (Internet Relay Chat) or social engineering, or hackers are able to guess a poorly constructed password and install malware like Backoff.

According to US-CERT, the attackers were able to guess the password to the system and installed the Backoff program. The malware disguises itself as an innocent Java component but 'listens' for credit card transactions, storing them and transmitting them to criminals. The department says the malware was released in October 2013, but was undetectable to current anti-malware software.

Hence, I have raised a question about the CISO and intrusion detection systems.

As everyone in anti-fraud and compliance was very much aware of the Target Corp attack, and this is a similar attack, my question is why the CISO had not taken any precautionary steps. He should have trained his employees about malware attacks.

Thinking about it from a 360-degree view, it could be CI (competitive intelligence) via sleepers/moles.

Krishna Prasad Prabhakaran .CFE

UAE
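The comment above describes Backoff as a RAM scraper, and the US-CERT advisory it cites describes the malware scraping process memory for payment card track data. The scanner below is an added example, not code from US-CERT, the article or the commenter. It is the check an incident responder runs over a memory dump of a PoS process to confirm whether cleartext Track 2 data was present to be stolen, and it is the same pattern a scraper hunts for: start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel, with the PAN Luhn-checked to drop false positives. The memory buffer is constructed and contains only well-known Luhn-valid test card numbers; no real card data appears, and the output masks the PAN so the tool itself does not become a new exposure.

```python
"""Scan a memory buffer for Track 2 payment card data (constructed sample).

Track 2 layout: ';' + PAN (13-19 digits) + '=' + YYMM expiry + 3-digit
service code + discretionary data + '?'. A Luhn check on the PAN filters out
digit runs that merely look like a track.
"""
import re

TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI-permitted display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes):
    """Return one record per Luhn-valid Track 2 string found in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue            # digit run shaped like a track, but not a card
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp").decode(),
            "service_code": m.group("svc").decode(),
        })
    return hits


# Constructed memory region standing in for a dump of a PoS process.
# 4111111111111111 and 5500000000000004 are public test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS-TERMINAL-7 swipe buffer "
    + b";4111111111111111=15121011234567890?"   # valid Track 2
    + b"\x00" * 8
    + b";4111111111111112=1512101?"             # track-shaped, fails Luhn
    + b"garbage;123=4567?"                      # too short to be a PAN
    + b";5500000000000004=1601101987654321?"   # valid Track 2
)


if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_MEMORY):
        print(hit)
```

Two records come back from the sample buffer (the masked Visa and Mastercard test numbers with expiries 1512 and 1601); the Luhn-failing decoy and the short digit run are dropped. Finding hits in a real dump does not by itself prove exfiltration, but it does establish that the terminal software held track data in cleartext memory, which is the precondition a scraper like Backoff depends on and the reason point-to-point encryption at the reader takes the PoS host out of the cardholder data path.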

GonzSTL, User Rank: Ninja
9/3/2014 | 8:36:11 AM
Re: Brand reputation
Simply having a CISO or an IDS solution in place does not necessarily provide invulnerability to an organization. Imagine a car with a sophisticated alarm system with an active monitor - how easy would it be to steal that car if it was unlocked and the keys were in it? In reality, no organization is invulnerable; it can only mitigate risks to the best of its ability and according to its own risk analysis. It really boils down to the culture of the organization. If it does not see security as a critical goal, then its likelihood for compromise increases.

Krishnaprasad Prabhakaran CFE, User Rank: Apprentice
9/2/2014 | 6:17:59 PM
Re: Brand reputation
Dear All,

My question to you all: whether these retailers have a CISO in place, where they do IDS (intrusion detection systems) and penetration testing. If they did so, how can a botnet enter their server and the POS get compromised? Though they have their security officer in place, why was he not alert even after the BlackPOS attack and the Target Corp instance? I even doubt that these retailers follow PCI standards.

 

Krishna Prasad Prabhakaran .CFE

UAE

DarkReadingTim, User Rank: Strategist
8/29/2014 | 10:15:13 AM
Re: Brand reputation
It seems to me that we need to do more to address the fundamental flaws in the way PoS systems are deployed and maintained. Most retail stores are using very old PoS technology, and they are often deployed on a store-by-store basis. The way they are used by staff can be very inconsistent, and most brick-and-mortar store managers don't understand the ways that the systems can be attacked.

More needs to be done to keep PoS systems consistent and up to date at all locations, and to ensure that the devices aren't exposed to potential threats by untrained staff.

GonzSTL, User Rank: Ninja
8/28/2014 | 8:19:23 PM
Re: Brand reputation
I'm not sure that regulatory agencies are the solution. In the case of a breach that exposes card data, industry bodies such as the PCI Standards Council are effective in levying fines and penalties, plus the brand itself suffers due to a lack of confidence by the spending public. This lack of confidence, although difficult to measure and predict, can almost certainly be attributed as a factor in the diminished bottom line of any company that has suffered such a breach. In effect, the matter is almost Darwinian.

RyanSepe, User Rank: Ninja
8/28/2014 | 3:09:00 PM
Re: Brand reputation
I agree with you 100%. Unfortunately, I think that the use of regulating bodies is needed in most cases to get corporations to jump on the security train. It seems that fines/repercussions are one of the largest drivers for implementation of security measures. It's unfortunate, but that's what I have noticed throughout the years. Many corporations try to provide the minimum just to attain compliance.

Who would be, if any, the regulatory agency for retailers? I know the healthcare industry has OCR following HIPAA standards and the financial industry has FINRA.

GonzSTL, User Rank: Ninja
8/28/2014 | 1:17:58 PM
Re: Brand reputation
If the brand were to require security standards (which I support, by the way), then a franchisee should provide evidence of security compliance to corporate standards. In a small operation such as a fast food restaurant, this incurs additional operating expense in the form of external security auditing. I'm not sure a small franchise operation can absorb that cost. Since the brand itself would ultimately suffer as well from a franchisee breach, it seems to me that the corporate office should shoulder at least a large part of that cost. It wouldn't be difficult for the corporation to contract with an auditing firm to perform periodic audits of the individual franchises. This would serve to reduce those individual audit costs, as well as provide a means for compliance reporting that rolls up to the corporation. Frankly, I think this will eventually become standard in a franchise operation.

aws0513, User Rank: Moderator
8/28/2014 | 11:03:40 AM
Re: Brand reputation
I agree Marilyn.

As the commentary in the article mentions, it is hubris.
Image supersedes substance. 
Presentation supersedes ethics or integrity of character.

Like so many other human ventures... the minimum amount of effort for the greatest gain, but with a catch in that the minimum is often well below what should be in order to increase the gain.

Marilyn Cohodas, User Rank: Strategist
8/28/2014 | 9:31:30 AM
Re: Brand reputation
A franchisee has to adhere to corporate standards for sales, pricing, marketing, what uniforms employees wear to work. It's ludicrous that the same rigor would not be applied to security breaches.