Author: Tracie Berardi

The retail security crisis continues…

A recent Wall Street Journal article exposed potential issues with Bitcoin’s transaction network. This left Tokyo-based Mt. Gox exchange and Gavin Andresen, Chief Scientist at the Bitcoin Foundation, pointing fingers at each other.

So far the retail industry has felt the pain of sophisticated hackers stealing sensitive information:

• Target Corp. – The latest news suggests that the breach started with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer
• Nieman Marcus – 1.1 million debit and credit cards used at its stores may have been compromised
• Michaels – investigating a possible security breach on its payment card network

According to a Business Insider article, smaller breaches on at least three other well-known U.S. retailers also took place during the U.S. holiday shopping season last year and were conducted using similar techniques as the one on Target. Those breaches have yet to come to light in the mainstream media.

Memory-scraping software, a danger exposed as early as five years ago, is becoming a common tool for these breaches. When a customer swipes a payment card at the checkout, the POS grabs data from the magnetic strip and transfers it to the retailer’s payment processing provider. While the data is encrypted during the process (as required by PII regulation), scrapers harvest the information from the POS RAM, where it briefly appears in plain text. In some cases, the encrypted data along with its keys are stolen and then decrypted outside the victim’s infrastructure. Cyber criminals have been adding features to make it more difficult for victims to detect the malicious software on their networks.

Thoroughly testing the quality of software has long been known to be an imperfect practice. We make up representative test cases and create fake data to ensure the release of software on time. Or, we outsource this development to organizations where our application becomes one of others in focus. But the long tail of problems is becoming so prevalent now that it is time to leverage up-to-date technology and automation to dramatically increase the scope of our testing.

We also need to extend the notion of software quality beyond a particular application or process. As soon as that application or process has to share information with an outside process or system, a window is exposed for an attack. The measurement of quality must extend to the very system or business process within which it runs. For example, efforts need to be stepped up to ensure the right patches and guards are deployed frequently. Traffic channels must be monitored at high speed. Hardware issues must be corrected. And all of this must happen not just at the server level but at any and all connected endpoints. The Internet of Things, a phenomenon whereby “things” as diverse as smartphones, cars and household appliances are all online and connected to the internet, is becoming a reminder that the entry point for an attack can come from almost any device.

In order to ensure the quality and stability of software, we must learn to think and act like hackers. We must extend the monitoring and measurement of software quality to include the processes and systems within which software plays a role. We must harness the capabilities of available technology and automation to ensure deeper testing coverage. All of this is necessary to reduce the cost and risk associated with the types of breaches we are now starting to see. The integrity of the software application depends on it.