

Backoff, Dairy Queen, UPS & Retail's Growing PoS Security Problem

Retail brands are trying to pass the buck for data security to banks and franchisees, say some experts.

Retail security is under the microscope this week, thanks to data breaches at United Parcel Service franchises (and possibly Dairy Queen franchises), government warnings about the Backoff point-of-sale malware, and new research that shows persistent vulnerabilities in retail applications.

Retail's data security problem is attributed to (among other things) lack of investment in secure application development, disputes with the financial services industry over who's to blame, disputes between brands and franchise stores, and lack of oversight by those who develop and deploy retail applications.

The National Retail Federation advocates better data security for retailers, but it puts most of the blame on the financial services industry. In "Four Big Lies About Data Security," the NRF points out that banks continue to use outdated magnetic strip technology and require retailers to retain too much data.

Today, US-CERT again updated its advisory about Backoff, the point-of-sale malware responsible for the breaches at UPS franchise stores. The Secret Service estimates that 1,000 businesses have been affected by Backoff, and seven PoS providers/vendors confirmed that their clients have been affected.

There are also rumors that Dairy Queen has been breached, as reported by Brian Krebs of KrebsOnSecurity. He said he had not been able to find evidence of such an event, but he has since been contacted by a credit union's fraud detection department that had been receiving reports of fraud deriving from cards recently used at Dairy Queen locations in multiple states. A representative of the brand did not confirm such an incident. According to Krebs:

Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.

This is reminiscent of the recent breach at UPS, which said in a press release, "Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations."

Independent networks could arguably contain the problem, and the blame could be laid on individual stores, not the brand itself. Yet that might not matter to customers.

"The franchisor's brand could be destroyed easily without better controls in place for franchisees," says Mike Davis, CTO of CounterTack. "The fact that franchisees are not required to tell the franchisor about security breaches illustrates how breach notification processes are weak not just in retail but in most industries... Franchisors should start requiring security controls of their franchisees above those required by PCI and third parties the franchisee may work with."

Courts might not distinguish between brands and their franchise stores, either. Trey Ford, global security strategist at Rapid 7, says the Federal Trade Commission won't let the brand pass the buck so easily.

"Although reports have indicated that DQ-branded franchises may not be required to report breaches to Dairy Queen headquarters," says Ford, "this still may create liability for Dairy Queen. The FTC filed a complaint in a similar situation with Wyndham. The consumer relationship is with the brand, not the franchise."

The FTC filed the complaint against the Wyndham Worldwide Corporation hotel chain -- which had 90 independently owned hotels licensed under the Wyndham name -- in June 2012 after three data breaches. The FTC alleged "that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, and that its failure to safeguard personal information caused substantial consumer injury."

There are reasons for brands to care about their franchise stores' security, and they may also be in a better position to manage or lead security efforts.

"Franchise owners and operators will have a harder time [than brands] locating malicious software," says Ford. Those franchise stores "equipped to detect, contain, and eradicate miscreants from their systems are the exception, not the rule.... If your business is contacted as a 'common point of purchase' for credit card fraud, that is generally a high confidence indication you have a problem."
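The "common point of purchase" signal Ford describes is something an issuer's fraud team computes rather than something a store sees directly. The following is an added example, not code from the article or from Rapid7: a toy CPP analysis over constructed card histories that finds the merchant over-represented among cards that later reported fraud, compared with a control group, and reports the date window the suspect merchant should examine on its PoS systems. All card ids, merchant names and dates are constructed placeholders.

```python
"""Added example (not from the article or from Rapid7): a toy common point of
purchase (CPP) analysis. Given transaction histories of cards that later had
fraud and of a control group that did not, rank merchants by how much more
often the compromised cards used them. Every card, merchant and date below is
constructed for the example."""
from collections import Counter
from datetime import date

# Constructed histories: card id -> list of (merchant, transaction date).
FRAUD_CARDS = {
    "card-A": [("Grocer-1", date(2014, 8, 1)), ("Franchise-Store-17", date(2014, 8, 3)), ("Gas-2", date(2014, 8, 5))],
    "card-B": [("Franchise-Store-17", date(2014, 8, 2)), ("Pharmacy-3", date(2014, 8, 6))],
    "card-C": [("Gas-2", date(2014, 8, 1)), ("Franchise-Store-17", date(2014, 8, 4))],
    "card-D": [("Franchise-Store-17", date(2014, 8, 7)), ("Grocer-1", date(2014, 8, 8))],
}
CONTROL_CARDS = {
    "card-E": [("Grocer-1", date(2014, 8, 1)), ("Gas-2", date(2014, 8, 2))],
    "card-F": [("Pharmacy-3", date(2014, 8, 3)), ("Grocer-1", date(2014, 8, 4))],
    "card-G": [("Gas-2", date(2014, 8, 2)), ("Franchise-Store-17", date(2014, 8, 5))],
    "card-H": [("Grocer-1", date(2014, 8, 6))],
}


def merchant_card_share(histories):
    """Fraction of cards in `histories` that transacted at each merchant at least once."""
    seen = Counter()
    for txns in histories.values():
        for merchant in {m for m, _ in txns}:  # count each card once per merchant
            seen[merchant] += 1
    n = len(histories)
    return {m: c / n for m, c in seen.items()}


def common_point_of_purchase(fraud, control, min_fraud_share=0.75, min_lift=2.0):
    """Rank merchants by lift: share among compromised cards divided by share among
    control cards. Returns [(merchant, fraud_share, lift)] above both thresholds,
    highest lift first."""
    f_share = merchant_card_share(fraud)
    c_share = merchant_card_share(control)
    n_control = len(control)
    ranked = []
    for merchant, fs in f_share.items():
        # Floor the control share so a merchant absent from the control group
        # does not divide by zero (a simple Laplace-style smoothing).
        cs = max(c_share.get(merchant, 0.0), 1.0 / (n_control + 1))
        lift = fs / cs
        if fs >= min_fraud_share and lift >= min_lift:
            ranked.append((merchant, fs, lift))
    ranked.sort(key=lambda t: (t[2], t[1]), reverse=True)
    return ranked


def exposure_window(fraud, merchant):
    """Earliest and latest date a compromised card used the suspect merchant: the
    window that merchant should review on its PoS systems."""
    dates = [d for txns in fraud.values() for m, d in txns if m == merchant]
    return min(dates), max(dates)


if __name__ == "__main__":
    for merchant, share, lift in common_point_of_purchase(FRAUD_CARDS, CONTROL_CARDS):
        start, end = exposure_window(FRAUD_CARDS, merchant)
        print(f"{merchant}: {share:.0%} of fraud cards, lift {lift:.1f}x, window {start} to {end}")
```

With the constructed data, every compromised card used Franchise-Store-17 while only one control card did, so it is the only merchant that clears both thresholds; the other merchants appear on both sides at similar rates and are filtered out. Real CPP work uses far larger populations and a time-bounded window, but the shape of the analysis is the same.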

Yet with retailers blaming financial services, blaming franchisees, and blaming third-party service providers (and vice versa and vice versa and vice versa), there is perhaps an overriding problem of nobody taking enough responsibility for data security.

That also extends to the developers of retail and PoS software -- both custom-built and off-the-shelf.

According to research released today by CAST Software (registration required), 70% of retail applications are still vulnerable to data input validation attacks like SQL injection (yes, still) and Heartbleed compromises. Retail fared worse than any other industry. Financial services (69%) was a very close second. This is particularly concerning, since input validation attacks were used in 80% of the application attacks in retail, including the one at eBay, according to Verizon's latest Data Breach Investigations Report.

When explaining the problem, CAST executive vice president Lev Lesokhin repeated the Code of Hammurabi passage that Dan Geer referenced in his keynote at Black Hat USA. The code, written 3,700 years ago, stated, "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."

"Ownership of construction and the oversight of construction are still very poor," says Lesokhin. "It is a management issue within IT."

CAST works mainly with enterprise IT departments writing custom software, but Lesokhin expects that this is also a problem in bigger application development houses, which suffer from a certain "hubris" that could perpetuate the problem.

He says he hasn't seen secure coding frameworks catch on much, but "basic hygiene" would solve many of the issues found in these applications. Further, CAST found that, even though there is certainly a difference between software quality and software security, there is a strong correlation between the two. Cleaner code tends to lead to more secure code.
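The SQL injection figure from CAST's research and Lesokhin's "basic hygiene" remark both come down to the same defect and the same fix. The following is an added example, not code from the article, from CAST or from any retailer: a loyalty-card lookup written the way the vulnerable applications do it (input concatenated into the statement) beside the hardened form (input format checked against an allowlist, value bound as a query parameter). The table, rows and card-id format are constructed for the example.

```python
"""Added example (not from the article or CAST): a retail loyalty-card lookup
against an in-memory SQLite table, written two ways. `lookup_vulnerable`
builds SQL by string formatting; `lookup_hardened` validates the input format
and binds it as a parameter. Table contents and id format are constructed."""
import re
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (card_id TEXT PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("LC-1001", "Alice Example", "alice@example.com"),
        ("LC-1002", "Bob Example", "bob@example.com"),
        ("LC-1003", "Carol Example", "carol@example.com"),
    ])
    return conn


def lookup_vulnerable(conn, card_id):
    # Untrusted input is pasted straight into the statement, so any quote in
    # it changes the query's structure. This is the defect in CAST's figures.
    sql = "SELECT card_id, name FROM customers WHERE card_id = '%s'" % card_id
    return conn.execute(sql).fetchall()


# Hygiene 1: an allowlist for the only shape a card id is allowed to have
# (constructed format: "LC-" followed by exactly four digits).
CARD_ID_RE = re.compile(r"LC-\d{4}")


def lookup_hardened(conn, card_id):
    if not CARD_ID_RE.fullmatch(card_id):
        raise ValueError("malformed loyalty card id")
    # Hygiene 2: bind the value as a parameter; the driver never parses it as SQL.
    sql = "SELECT card_id, name FROM customers WHERE card_id = ?"
    return conn.execute(sql, (card_id,)).fetchall()


def demo():
    """Run both lookups on a legitimate id and on a constructed malformed one
    (a stray quote plus a tautology) and report what each returns."""
    conn = build_db()
    legit = "LC-1002"
    malformed = "x' OR '1'='1"
    results = {
        "vuln_legit": lookup_vulnerable(conn, legit),
        "vuln_malformed": lookup_vulnerable(conn, malformed),   # returns every row
        "hard_legit": lookup_hardened(conn, legit),
    }
    try:
        lookup_hardened(conn, malformed)
        results["hard_malformed"] = "accepted"
    except ValueError:
        results["hard_malformed"] = "rejected"              # fails the allowlist
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The parameterized query alone is enough to stop the structural problem; the format check is the second layer, and it is also what turns a malformed request into a clean error you can log and alert on instead of a silent full-table read.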

Why are the software vulnerabilities worse in retail and financial services? The pressure to get applications to market quickly is especially difficult in financial services, Lesokhin says, but in retail, companies may tend to spend less on software development oversight.

Will this improve? Lesokhin wonders whether the perpetual announcement of breaches and software holes has brought companies to the conclusion that it will never get better, and perhaps it isn't even worth trying to make it better. "I think the question is to what extent is it becoming a learned helplessness?"

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
8/28/2014 | 9:22:20 AM
Re: Brand reputation
I have seen this corporate finger pointing technique in both the private and public sectors for years.

Almost every time, the public will connect/attribute the brand to the breach problem, not the franchisee or contractor.  Occasionally, the brand can brush off the connection if the problem has particulars regarding specific employees or activities at a specific facility or area.  But when a problem is pervasive across multiple stores or facilities, the brand CANNOT avoid the attribution no matter how many statements they may make.

To me, this is a classic example of poor executive decision making where the management mindset is to divert blame away from the crystal corporate palace.

For me, I would have more confidence and respect for any organization that is willing to stand up to the problem at hand, accept blame even if it really isn't their fault, and attest to (and follow through with) broad measures focused on full and proper remediation.
User Rank: Moderator
8/28/2014 | 9:19:35 AM
Re: Brand reputation
I agree Marilyn, the corporate headquarters of these brands must be responsible for pushing down security guidelines or requirements to each of these franchises.  While it's easy for them to say "well, it's the fault of that particular franchise", the reality is yes, as you mentioned, it's the entire brand that will suffer the fallout when the public decides that they would not rather deal with these companies as they don't appear to value the privacy and security of their customers.  Passing the responsibility around is never going to fix the real issue, that security controls must be incorporated into these systems.  Perhaps it will come down to legislation to protect the consumer.  While PCI attempted to do this, there is still very little backlash when these events occur.
Marilyn Cohodas
User Rank: Strategist
8/28/2014 | 7:36:36 AM
Brand reputation
It's unfathomable to me that franchisors are passing the security buck to their independent franchisees. As a consumer, when I go to a UPS store or a Dairy Queen, do I think of the retailer as a small independent business? Of course not. It's the brand reputation that is at risk in the case of a security breach. Unbelievable!