5 ways your store could be hacked

5 ways your store could be hacked

2014 will be "the year of retail breaches," predicts TrustedSec, an information security company. With Target still reeling from its big holiday-season data breach and Neiman Marcus, Michaels and White Lodging announcing early this year that they, too, were compromised, that trend, if it is a trend, seems to have some fuel.

While some thieves may concentrate their efforts on the big payoffs -- accessing the credit card and personal data from big chain retailers that have millions of customers -- smaller merchants are sure to be targets of hackers as well.

Here's a rundown on the methods that thieves use to access retailers' payment systems and steal important customer and credit card data -- and how you can stop them.

1. Malware

Target, Neiman Marcus and White Lodging (which manages the 14 Marriott-branded hotels that got hacked) have admitted that the source is malware. Hackers can use malware to steal data because customer information is temporarily stored in the RAM (random access memory) of these terminals, but is not yet encrypted at that point in the transaction.

Malware can be inserted internally by an employee or via a breach of a retailer's payment system by an external source. In either case, it's likely that other hackers will try to replicate the theft -- and that could leave your own POS system vulnerable.

Defense strategies: The United States Computer Emergency Readiness Team (US-CERT) suggests following these best practices to protect your POS system: use strong passwords; update POS software applications; install a firewall; use antivirus programs; restrict access to the Internet from your POS network (use it only for POS-related activities); and disallow remote access to the network.

2. Skimming and other physical attacks made through (POS) terminals

Thieves may install card readers, switch out cabling or add keyloggers to allow them to skim (capture) card data as cashiers process transactions. Nordstrom recently discovered skimmers on several registers in one of its Florida stores.

The hardware used in skimming is often small and camouflaged to look like part of the normal computer setup. The skimmers in the Nordstrom case, for example, were inch-long connectors that fit between the usual POS-keyboard-to-computer connectors. They were even colored purple to match the typical connector color for keyboards, making them difficult to detect.

Defense strategies: Prevent people from getting access to your physical credit card payment devices by locking those devices down or alarming them so you'll know if anyone is trying to tamper with them.  Keep a security camera pointed at the terminal so that you can spot any unusual activity around the terminal or review the feed if you do discover a problem.

3. Gaining access through unsecured networks to intercept transaction information

Too many retailers never bother to change the default password on their payment systems network. Others may use the same wireless network they provide for customers' free Wi-Fi to process their credit card transactions, making it easier for hackers to get in. 

Defense strategies: If you haven't changed the password that came with your system, do it today. According to the United States Computer Emergency Readiness Team, the best ones are composed of numbers, special characters and upper- and lower-case letters. They should not include personal data, such as birthdates or names that thieves (including unscrupulous employees) might be able to guess.

If you provide your guests with free Internet access, set up two networks: one for the customer Wi-Fi and one for payments. Work with professional computer security firms if you aren't sure that you've secured your networks properly.

4. Internal theft

Your employees can use their cellphones or hand-held skimmers to capture credit card data. They may also be able to get into back-office servers and steal data stored on them. Employees of IT vendors who service your POS and computer systems also have easy access to this data.

Defense strategies: Educate all employees about skimmers and similar devices used for theft and tell them it's their responsibility to report suspicious actions taken by anyone, including their coworkers and vendors.

Set up your computer systems so that you receive an alert if a new account is created without your permission, or if someone makes repeated unsuccessful attempts to log in to the system. Again, hire an IT security firm to assist if you can't do this on your own.

5. Feed horn scams

While this doesn't involve hackers accessing customer data, the FBI has recently reported that this low-tech credit card scam is costing merchants money.

Criminals are using everyday aluminum foil to disrupt credit card transactions. The thieves wrap the foil around the feed horn, the part of a satellite that transmits transaction information to the credit card processor. Blocking the signal from the feed horn makes it impossible for merchants to get validation of a credit card used in a transaction.

When the thieves make a purchase (usually of high-priced, easily resalable items like cigarettes and electronics) with a stolen card, the store gets the message that the credit card system is down. Most of the time, they go ahead and accept the payment anyway, assuming that the card will be validated once the system is back up. It's only when a retailer thinks to check why the system has been down so long that they find the foil-wrapped feed horn -- and discover that the credit card is no good.

The FBI says that merchants in Indiana, Kentucky, Ohio, Pennsylvania and West Virginia have been targeted so far, but they expect this scam to spread because it is relatively easy for thieves to pull off.

Defense strategies: If your credit card system appears to be down, check to make sure that it's really offline and that nothing physical is blocking the satellite feed. 

See related: How to prevent and detect employee data theft, Expert Q&A: A PCI primer for brick-and-mortar merchants

Published: February 11,2023