Despite Prominent Retail Breaches, POS System Attacks Decline, Report Finds


Retail giant Target is still reeling from its massive credit card breach, and Michaels Stores is the latest merchant to announce a heist impacting millions of its customers. A new analysis, however, is tracking a declining trend in attacks against Point-of-Sale systems.  

The 2014 Verizon Data Breach Investigations Report, which analyzed more than 1,300 confirmed data breaches and tens of thousands of security incidents, found POS system breaches trending downward since 2011. Attacks are still frequent, however, and dominate the Verizon report statistics, making up 31 percent of data breaches analyzed by the company over the last three years.

Verizon said its data contained 198 confirmed data breaches in 2013 at businesses in the retail, accommodation and food industries. Fewer large-scale attacks are being carried out against small businesses, Verizon said. Larger retailers are reporting attacks, including Nordstrom, which said it discovered skimmers on some of its cash registers in October and Target, which reportedly failed to investigate security alerts, prompting a breach in December that impacted 70 million of its customers.

[Related: Verizon Breach Report: Attackers Take Only Seconds To Capitalize On A Basic Security Mistake]

Attackers increasingly are turning to web application attacks to steal credit card data accepted by merchants on the Internet, said Christopher Porter, a managing principal at Verizon. They are targeting vulnerabilities in web applications. SQL injection, a longstanding and frequent problem in applications, was exploited in 80 percent of attacks against web applications in the retail industry in 2013.

Organized cybercriminals believed to be located in Eastern Europe and Russia, also are becoming more methodical in their approach against retailers, Porter said. Memory-scraping malware is being used to pilfer credit card numbers from system memory when they are not encrypted. Attackers are bypassing systems, maintaining stealthy, persistent access and uploading stolen data to remote servers in ways that avoid detection, Porter told CRN.

"I don't think this has been a case of getting lucky and managing to hit a large retailer," Porter said of the string of recent large retail breaches. ""In years past, it was all automated smash-and-grab-style attacks, and now it's turned to large-scale breaches."

Attack campaigns also are being conducted more efficiently. In more than half of the POS system data breaches analyzed by Verizon, the initial compromises took seconds. In 88 percent of them, the credit card theft took minutes, according to the data. Discovery of a compromise typically takes weeks, with 99 percent of retailers informed by law enforcement or credit card industry fraud detection systems, Porter said.

Credit card thieves continue to target smaller merchants using automated tools in broad campaigns. The wide-scale extent of the attacks and the minimal cost in carrying them out yield enough credit card data to make it a profitable business, Porter said.

"The fact is that we actually know that they are just scanning network ranges and trying to find the wide open remote desktops; they're not spending that much time trying to target organizations specifically," Porter said. 

NEXT: Solution Providers Give Retailers Guidance