Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

12/22/2016
02:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

More Than 50% Of Biggest Holiday Retailers May Not Be PCI-Compliant

SecurityScorecard warns while the industry has made progress, many are still not covering the basics of security.

Retailers are having a solid 2016 holiday shopping season, and no major data breaches have been reported.

But not so fast: New research by SecurityScorecard indicates that retailers are not nearly out of the woods yet. Just because no serious breaches have been reported doesn’t mean that we all may not collectively wake up with a security hangover early next year.

A first-ever study of the 48 biggest holiday retailers from April 1 through Oct. 31, 2016, reports some unsettling data:

  • 100% of the biggest holiday retailers were found to have multiple issues with domain security.
  • Nearly 80% may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.
  • All bottom-performing holiday retailers have a D or lower in Network Security, which suggests that their network may have an unaccounted access point ready to be exploited.
  • 62% of the biggest holiday retailers were using end-of-life products in the last month of the study.
  • 83% of the biggest holiday retailers had unpatched vulnerabilities in October 2016.

Sam Kassoumeh, co-founder and COO of SecurityScorecard, says patch management and replacing end-of-life products are the cornerstones of a sound security program and he’s very concerned that so many retailers are still not covering the basics.

“What happens is that companies do what they are mandated to do by PCI, for example, segmenting out credit card transaction data,” Kassoumeh explains. “But what I worry about as a consumer is if the hacker gets my billing address, purchasing transaction history or secret question, much of that information is used persistently on multiple sites.”

Kassoumeh says malicious threat actors can in turn use that PII data to sign on to another web site the victim is registered on and pretend they are that person, in effect taking over that account. Or, they can collect as much PII as possible and sell it on the dark Web or collect enough information to come back and blackmail the victim.

“The threat actors really have many options, we don’t ever really know how they are going to use the data,” he says.

SecurityScorecard runs a security ratings service that collects data available on the public Internet, identifies the specific organization the data belongs to, for example, companies where they find leaked credentials, exposed databases, or lack of firewalls, and then compare that company’s performance to the rest of the industry. They then assign a scored of A, B, C, D, or F.

Another disturbing finding from the report on the biggest holiday retailers was that the group spent more than three months during the study period with a C or lower rating in the following categories: network security, DNS health, IP reputation, and patching cadence.

Here’s a breakdown:

  • Network Security: 69% had multiple entry points for hackers.
  • DNS Health: 73% had misconfigured website domains.
  • IP Reputation: 43% were infected with malware.
  • Patching Cadence: 37% had unpatched vulnerabilities.

The SecurityScorecard report is available for download.

 

Related content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:40:54 PM
Re: No security breach yet?
@Dr.T: Target found out pretty quickly (at least, they didn't take "a few years" to learn about their own security breach) when they were hacked.  I think major retailers are more on the ball these days -- at least when it comes to after-the-fact detection (if nothing else).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:39:17 PM
Re: compliance != secure
@Clarence: This is what I preach all the time in my own consulting, too.  Compliance, security, and data privacy are like slightly overlapping circles on a Venn diagram.  One does not equal the other; they are each merely components in the grander "data protection" scheme.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:37:25 PM
Re: TJX -- have we not learned?
> Not paying with Bitcoin, Joe? :-)

The stores in my area don't take them.  ;)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:34:38 PM
Re: TJX -- have we not learned?
With or without regulation, security measures will happen if there is a notable direct benefit or detriment involved to the company or the customer.

When it comes to consumer IoT, however, the detriment to consumers of compromised devices is minimal if not outright nil because their devices will still fundamentally work.  (The fridge will still be a fridge -- even while it acts as a botnet zombie to take down a web service.)
sussanbetcher
50%
50%
sussanbetcher,
User Rank: Apprentice
12/30/2016 | 4:35:37 AM
true
private louvre tour

That sounds very relevant. Thanks for sharing the news about retailers. Its true that, because no serious breaches have been reported it doesn't mean that we all may not collectively wake up with a security hangover.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
12/26/2016 | 8:34:37 PM
PCI
Better to outsource this responsibility to a third-party, very expensive to secure and insure. 
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
12/26/2016 | 8:33:34 PM
Re: compliance != secure
"When you use your credit card you are simply a wildebeest on the plains."

It makes sense but you can secure it, as Apple Pay does not share any personal info with the merchant it may be better than a credit card processing.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
12/26/2016 | 8:31:20 PM
Re: TJX -- have we not learned?
"Sometimes it feels like we have to have more than regulatory and legal shackles to force security to happen."

That is an important point, security is expensive, without regulation it is not happening, especially in IoT.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
12/26/2016 | 8:29:59 PM
Re: scalp psoriasis
I agree, quite informative article and covers very important subject.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
12/26/2016 | 8:29:01 PM
Re: compliance != secure
"Good enough to pass the audit is good enough."

This is actually a good point. For me passing audit should be resulting into a good level of security measures in the environment.   
Page 1 / 2   >   >>
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...