Retail security is under the microscope this week, thanks to data breaches at United Parcel Service franchises (and possibly Dairy Queen franchises), government warnings about the Backoff point-of-sale malware, and new research that shows persistent vulnerabilities in retail applications.
Retail's data security problem is attributed to (among other things) lack of investment in secure application development, disputes with the financial services industry over who's to blame, disputes between brands and franchise stores, and lack of oversight by those who develop and deploy retail applications.
The National Retail Federation advocates better data security for retailers, but it puts most of the blame on the financial services industry. In "Four Big Lies About Data Security," the NRF points out that banks continue to use outdated magnetic strip technology and require retailers to retain too much data.
Today, US-CERT again updated its advisory about Backoff, the point-of-sale malware responsible for the breaches at UPS franchise stores. The Secret Service estimates that 1,000 businesses have been affected by Backoff, and seven PoS providers/vendors confirmed that their clients have been affected.
There are also rumors that Dairy Queen has been breached, as reported by Brian Krebs of KrebsOnSecurity. He said he had not been able to find evidence of such an event, but he has since been contacted by a credit union's fraud detection department that had been receiving reports of fraud deriving from cards recently used at Dairy Queen locations in multiple states. A representative of the brand did not confirm such an incident. According to Krebs:
Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.
This is reminiscent of the recent breach at UPS, which said in a press release, "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations."
Independent networks could arguably contain the problem, and the blame could be laid on individual stores, not the brand itself. Yet that might not matter to customers.
"The franchisor's brand could be destroyed easily without better controls in place for franchisees," says Mike Davis, CTO of CounterTack. "The fact that franchisees are not required to tell the franchisor about security breaches illustrates how breach notification processes are weak not just in retail but in most industries... Franchisors should start requiring security controls of their franchisees above those required by PCI and third parties the franchisee may work with."
Courts might not distinguish between brands and their franchise stores, either. Trey Ford, global security strategist at Rapid 7, says the Federal Trade Commission won't let the brand pass the buck so easily.
"Although reports have indicated that DQ-branded franchises may not be required to report breaches to Dairy Queen headquarters," says Ford, "this still may create liability for Dairy Queen. The FTC filed a complaint in a similar situation with Wyndham. The consumer relationship is with the brand, not the franchise."
There are reasons for brands to care about their franchise stores' security, and they may also be in a better position to manage or lead security efforts.
"Franchise owners and operators will have a harder time [than brands] locating malicious software," says Ford. Those franchise stores "equipped to detect, contain, and eradicate miscreants from their systems are the exception, not the rule.... If your business is contacted as a 'common point of purchase' for credit card fraud, that is generally a high confidence indication you have a problem."
Yet with retailers blaming financial services, blaming franchisees, and blaming third-party service providers (and vice versa and vice versa and vice versa), there is perhaps an overriding problem of nobody taking enough responsibility for data security.
That also extends to the developers of retail and PoS software -- both custom-built and off-the-shelf.
According to research released today by CAST Software (registration required), 70% of retail applications are still vulnerable to data input validation attacks like SQL injection (yes, still) and Heartbleed compromises. Retail fared worse than any other industry. Financial services (69%) was a very close second. This is particularly concerning, since input validation attacks were used in 80% of the application attacks in retail, including the one at eBay, according to Verizon's latest Data Breach Investigations Report.
When explaining the problem, CAST executive vice president Lev Lesokhin repeated the Code of Hammurabi passage that Dan Geer referenced in his keynote at Black Hat USA. The code, written 3,700 years ago, stated, "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."
"Ownership of construction and the oversight of construction are still very poor," says Lesokhin. "It is a management issue within IT."
CAST works mainly with enterprise IT departments writing custom software, but Lesokhin expects that this is also a problem in bigger application development houses, which suffer from a certain "hubris" that could perpetuate the problem.
He says he hasn't seen secure coding frameworks catch on much, but "basic hygiene" would solve many of the issues found in these applications. Further, CAST found that, even though there is certainly a difference between software quality and software security, there is a strong correlation between the two. Cleaner code tends to lead to more secure code.
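To make the "basic hygiene" point concrete for the input validation class the CAST figures above describe, here is an added example (not code from CAST, the article, or any retailer) of a retail product lookup written the weak way and the hygienic way. The catalogue, SKU format and query are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: a small retail catalogue held in an in-memory database.
SAMPLE_PRODUCTS = [
    ("SKU-1001", "Soft serve cone", 1.99),
    ("SKU-1002", "Blizzard, medium", 4.49),
    ("SKU-2001", "Gift card 25", 25.00),
]

def open_catalogue() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    # The weak pattern: the caller's input is spliced straight into the SQL text,
    # so a quote character in the "SKU" rewrites the query's logic.
    query = f"SELECT sku, name, price FROM products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()

# Hypothetical SKU shape for the allow-list check (an assumption of this example).
SKU_PATTERN = re.compile(r"^SKU-\d{4}$")

def lookup_hardened(conn: sqlite3.Connection, sku: str) -> list:
    # Hygiene step 1: reject anything that is not shaped like a SKU before it is used.
    if not SKU_PATTERN.fullmatch(sku):
        raise ValueError("invalid SKU format")
    # Hygiene step 2: bind the value as a parameter; the driver keeps data out of the SQL.
    return conn.execute(
        "SELECT sku, name, price FROM products WHERE sku = ?", (sku,)
    ).fetchall()

def demo() -> dict:
    """Run both lookups on a normal SKU and on a crafted one; return row counts."""
    conn = open_catalogue()
    crafted = "' OR '1'='1"   # classic test string: turns the WHERE clause into a tautology
    results = {
        "vuln_normal": len(lookup_vulnerable(conn, "SKU-1001")),    # 1 row
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),      # whole table leaks
        "hard_normal": len(lookup_hardened(conn, "SKU-1001")),      # 1 row
    }
    try:
        lookup_hardened(conn, crafted)
        results["hard_crafted"] = "accepted"
    except ValueError:
        results["hard_crafted"] = "rejected"                        # validation stops it
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding alone already prevents the crafted string from altering the query; the allow-list check is the second layer that also catches malformed input before it reaches the database.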
Why are the software vulnerabilities worse in retail and financial services? The pressure to get applications to market quickly is especially difficult in financial services, Lesokhin says, but in retail, companies may tend to spend less on software development oversight.
Will this improve? Lesokhin wonders whether the perpetual announcement of breaches and software holes has brought companies to the conclusion that it will never get better, and perhaps it isn't even worth trying to make it better. "I think the question is to what extent is it becoming a learned helplessness?"