What Should Retailers Do in the Wake of the Kmart POS Breach?
Kmart recently announced that all 1,200 of its U.S. locations were affected by the latest in a relentless series of POS system breaches.
A statement from Kmart president and CMO Alasdair James revealed that the retailer’s systems were attacked by “a new form of malware that was undetectable by current anti-virus systems” between September and October 2014. The breach was finally detected by Kmart’s IT team on Oct. 9.
Data stolen from physical store locations included customer payment card numbers. Fortunately, online customers appear to be in the clear. In an online FAQ, Kmart stated that the malware has been removed, and that as far as their investigation can tell, personal information, email addresses, debit card PINs and Social Security numbers were not exposed to hackers. Only the number encoded on credit card mag strips was taken.
“Given the criminal nature of this attack,” James added, “Kmart is working closely with federal law enforcement authorities, our banking partners as well as security experts in this ongoing investigation.”
Kmart is only the latest in a seemingly unending chain of POS breaches which have affected major retailers like Dairy Queen, Jimmy John’s, Home Depot, Supervalu and Target. The situation has become severe enough for the U.S. Department of Homeland Security to issue a warning about Backoff POS malware, which may be responsible for breaches in as many as 1,000 U.S. businesses.
The breaches seem to have multiple causes. Some attackers got in through a security hole in an outdated version of the Windows XP operating system, while others gained access through remote desktop applications. Overly simple or default passwords have also been a concern, since many versions of the malware simply guess passwords repeatedly until a system accepts one.
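The password-guessing against remote desktop access described above leaves a recognisable trace in authentication logs: a burst of failed logons from one source, sometimes followed by a success. The following detector is an added example, not code from Kmart, DHS or any vendor named here; the log format, the sample records and the thresholds are assumptions made for illustration.

```python
"""Flag password guessing against a remote-access service from logon records.

Assumed record shape: (timestamp, source_ip, account, outcome) where outcome is
"FAIL" or "SUCCESS". Thresholds are illustrative, not a vendor recommendation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
FAIL_THRESHOLD = 5           # failures inside one window that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample records (RFC 5737 documentation addresses, invented accounts).
SAMPLE_LOG = [
    ("2014-09-03 02:14:01", "203.0.113.7", "admin", "FAIL"),
    ("2014-09-03 02:14:03", "203.0.113.7", "administrator", "FAIL"),
    ("2014-09-03 02:14:05", "203.0.113.7", "pos", "FAIL"),
    ("2014-09-03 02:14:08", "203.0.113.7", "posadmin", "FAIL"),
    ("2014-09-03 02:14:10", "203.0.113.7", "posadmin", "FAIL"),
    ("2014-09-03 02:14:12", "203.0.113.7", "posadmin", "FAIL"),
    ("2014-09-03 02:14:15", "203.0.113.7", "posadmin", "SUCCESS"),
    ("2014-09-03 09:00:00", "198.51.100.4", "cashier1", "FAIL"),   # a typo, then
    ("2014-09-03 09:00:20", "198.51.100.4", "cashier1", "FAIL"),   # a normal logon
    ("2014-09-03 09:00:40", "198.51.100.4", "cashier1", "SUCCESS"),
    ("2014-09-03 00:00:00", "192.0.2.9", "manager", "FAIL"),       # failures spread
    ("2014-09-03 03:00:00", "192.0.2.9", "manager", "FAIL"),       # hours apart stay
    ("2014-09-03 06:00:00", "192.0.2.9", "manager", "FAIL"),       # below threshold
]


def detect_brute_force(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source whose failures within `window` reach `threshold`.

    Each alert records the peak burst size and, if a logon succeeded while the
    burst was still above threshold, the account that was logged into.
    """
    by_source = defaultdict(list)
    for ts, src, account, outcome in records:
        by_source[src].append((datetime.strptime(ts, TS_FMT), account, outcome))
    alerts = []
    for src, events in sorted(by_source.items()):
        events.sort()                    # logs are rarely delivered in order
        recent = []                      # failure times inside the sliding window
        peak = 0                         # largest burst seen for this source
        success_after = None             # account reached after a burst, if any
        for ts, account, outcome in events:
            recent = [t for t in recent if ts - t <= window]
            if outcome == "FAIL":
                recent.append(ts)
                peak = max(peak, len(recent))
            elif outcome == "SUCCESS" and len(recent) >= threshold:
                success_after = account
        if peak >= threshold:
            alerts.append({"source": src, "failures": peak,
                           "compromised_account": success_after})
    return alerts
```

Run against the sample, only 203.0.113.7 is reported; the alert names `posadmin` as the account reached after the burst, which is the record a responder would pull first.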
“The recent surge of compromised POS systems is definitely troubling. Businesses must do three things to keep consumer data safe. First, run a modern, secure operating system such as Mac OS X along with a modern POS software such as POSLavu or LightSpeed. Second, follow all PCI compliance rules including secure passwords, restricted remote access, and two-factor authentication. Third, use modern credit card processing hardware that supports Apple Pay, NFC, and Chip/Pin. Contact a POS specialist such as Digital Reality for help with these topics,” says Eric Catania, CEO, Digital Reality.
Many security experts are clamoring for the adoption of chip-and-pin cards, which rely on randomly generated, one-time-use codes instead of mag strips. Others are pointing to digital wallets like Google Pay and Softcard as the best way for consumers to protect their money. Intel is also upgrading several of its processors for POS systems to add layers of security to customer transactions.
Until these measures are available, retailers are advised by the DHS to “[contact] your IT team, antivirus vendor, management service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised.”