A recent data breach at retail chain Target has exposed as many as 40 million customer credit cards, sparking widespread speculation about the source and potential impact of the attack. With increased scrutiny on the retail sector as a result, the software security of point-of-sale (POS) systems is once again in question, this breach marking the latest incident in an ongoing series of concerns. For developers, the lesson from the breach is clear: avoiding vulnerabilities in software is essential for protecting consumer and business interests.
The breach at Target raises many questions, particularly as details about the specifics of the attack remain vague. However, the POS system appears to be one likely avenue of attack, according to experts. Chris Strand, director of compliance at Bit9, told Dark Reading that such attacks will be increasingly common as attackers seek out new opportunities in the face of strengthened perimeter and database security.
"This is a common type of attack that we're going to see more and more prevalent because the attackers will take the path of least resistance and in this case, they're realizing that these POS systems are not protected from a vulnerability perspective," he explained. "The fact is that the current security mechanisms they're using to guard the internals of these POS systems are vastly inadequate to protect the inner systems and software running on these things."
Another issue raised by the attack is compliance, not only with the Payment Card Industry Data Security Standard (PCI DSS) that governs how cardholder data is handled, but also with the Payment Application Data Security Standard (PA-DSS) that applies to the payment software itself, SecureState CEO Ken Stasiak told Dark Reading. Developers have a responsibility to make sure their applications meet these secure-coding requirements; the consequence otherwise can be an attack that costs the company millions of dollars. Target is already facing at least 15 lawsuits as a result of the breach, Reuters reported.
Strengthening POS security
Whether the Target breach can be specifically tied to application vulnerabilities or not, POS software security has become a growing point of emphasis for developers in recent years. Malware known as Dexter has infected POS systems across a wide variety of industries, and, among other incidents, more than 100 Subway restaurants had credit card information stolen by Romanian hackers from 2008 to 2011.
In 2012, a pair of security researchers presented findings at Black Hat USA that showed a wide range of software security vulnerabilities in POS terminals, including errors that would allow attackers to take over functions such as the display, the card reader or the PIN pad using maliciously crafted chip-and-PIN cards. Regardless of which specific POS or payment application vulnerabilities, if any, played a role at Target, the incident is a firm reminder that retailers, and the credit card information they handle, are in hackers' crosshairs. With tools such as static analysis software, developers working on POS and payment application systems can catch defects such as unchecked input lengths, unbounded copies and cleartext handling of card data during development, and can use automated checks to show they are in line with compliance standards.
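As an added illustration, not code from the article, from Klocwork, or from any POS vendor, the following constructed C snippet shows the kind of defect such checks are meant to catch in card-handling code: a magnetic-stripe track-2 parser with the unbounded copy a static analyzer would flag, beside a bounded version that enforces the ISO/IEC 7813 track-2 length limit and the PAN length range, validates the PAN with the Luhn check, and masks it to the first six and last four digits (the PCI DSS display rule) before it reaches a log. The sample track data, the function names and the 37-character limit constant are assumptions made for the example.

```c
/* Constructed example: a track-2 parser as a static analyzer would see it.
 * Assumptions: TRACK2_MAX follows ISO/IEC 7813 (37 characters max);
 * SAMPLE_TRACK2 / OVERLONG_TRACK2 are made-up reader input, not real cards. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TRACK2_MAX 37   /* track 2: ';' PAN '=' YYMM service-code discretionary '?' */

/* Constructed sample input: 4111111111111111 is a well-known test PAN. */
static const char SAMPLE_TRACK2[]   = ";4111111111111111=25121010000?";
static const char OVERLONG_TRACK2[] = ";4111111111111111=2512101"
                                      "0000000000000000000000000000000000000000?";

/* VULNERABLE (as a static analyzer reports it): the reader's input is copied
 * with strcpy into a fixed stack buffer, and the PAN is copied into the
 * caller's buffer without knowing its size. A malformed or malicious card
 * that returns more than TRACK2_MAX bytes overflows buf. Not called below. */
int extract_pan_unsafe(const char *track2, char *pan) {
    char buf[TRACK2_MAX + 1];
    strcpy(buf, track2);            /* CWE-120: unbounded copy */
    char *eq = strchr(buf, '=');
    if (eq == NULL) return -1;
    *eq = '\0';
    strcpy(pan, buf + 1);           /* caller's buffer size unknown */
    return 0;
}

/* HARDENED: length of the input is bounded before any copy, the PAN must be
 * 12..19 digits terminated by '=', and it must fit in the caller's buffer. */
int extract_pan(const char *track2, char *pan, size_t pan_len) {
    size_t n = 0;
    while (n <= TRACK2_MAX && track2[n] != '\0') n++;   /* bounded scan */
    if (n == 0 || n > TRACK2_MAX || track2[0] != ';') return -1;

    const char *p = track2 + 1;
    size_t len = 0;
    while (p[len] >= '0' && p[len] <= '9') len++;
    if (p[len] != '=' || len < 12 || len > 19 || len + 1 > pan_len) return -1;

    memcpy(pan, p, len);
    pan[len] = '\0';
    return 0;
}

/* Luhn (mod-10) check over a digit string: rightmost digit is not doubled. */
bool luhn_ok(const char *pan) {
    size_t n = strlen(pan);
    if (n < 12 || n > 19) return false;
    int sum = 0;
    bool dbl = false;
    for (size_t i = n; i-- > 0;) {
        if (pan[i] < '0' || pan[i] > '9') return false;
        int d = pan[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* PCI DSS-style masking: keep first six and last four digits, star the rest. */
int mask_pan(const char *pan, char *out, size_t out_len) {
    size_t n = strlen(pan);
    if (n < 10 || n + 1 > out_len) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (i < 6 || i >= n - 4) ? pan[i] : '*';
    out[n] = '\0';
    return 0;
}

/* Runs the hardened path end to end; true when every check behaves as expected. */
bool self_check(void) {
    char pan[20], masked[20];
    if (extract_pan(SAMPLE_TRACK2, pan, sizeof pan) != 0) return false;
    if (strcmp(pan, "4111111111111111") != 0 || !luhn_ok(pan)) return false;
    if (mask_pan(pan, masked, sizeof masked) != 0) return false;
    if (strcmp(masked, "411111******1111") != 0) return false;
    /* over-long reader input is rejected instead of overflowing a buffer */
    if (extract_pan(OVERLONG_TRACK2, pan, sizeof pan) != -1) return false;
    return true;
}

int main(void) {
    char pan[20], masked[20];
    if (extract_pan(SAMPLE_TRACK2, pan, sizeof pan) == 0 && luhn_ok(pan) &&
        mask_pan(pan, masked, sizeof masked) == 0)
        printf("accepted card, logging masked PAN %s\n", masked);   /* never log the full PAN */
    else
        printf("rejected track data\n");
    return self_check() ? 0 : 1;
}
```

The point of the pairing is that the two functions are behaviourally identical on well-formed cards; only the over-long and malformed inputs separate them, which is exactly the case a static analyzer reasons about and a functional test suite usually never exercises.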
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.