Staples, the international office supply retail chain, is likely the latest retailer to have suffered a credit card breach.
“Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating ‘a potential issue’ and has contacted law enforcement,” Brian Krebs reported on Monday.
Indications that cash registers at several Staples stores in Pennsylvania, New York and New Jersey have been compromised with card-stealing malware came in the form of fraudulent charges – the attackers apparently used the stolen data to clone payment cards, which were then used at other retailers and supermarkets.
Staples, Inc. has over 2,000 stores in 26 countries worldwide. Around 1,800 of them are located in the US.
“Perhaps this is another situation where POS (aka cash register, checkout, refund station, till etc.) malware has been pushed down to a few stores during a POS patch to add new features, or software upgrade cycle, resulting in compromise. This seems to be a possible common thread among recent breaches, enabling attackers to propagate malware to many endpoints, though of course this is speculative based on limited data on this particular scenario,” Mark Bower, VP Product Management at Voltage Security, commented for Help Net Security.
“However, the only realistic way merchants can foil malware from stealing the mag stripe data is to avoid live card data arriving into the POS, period. For mag cards, and even EMV cards, this entails encrypting up-stream of the POS using contemporary one-way encryption in a logically and physically secured card reader all the way to the payment processing host, beyond the retail store network. This makes a POS malware attack far more difficult than exploiting a networked POS running a standard OS like Windows. The merchant must totally avoid any card entry such as manual keying, swipe, or EMV chip read directly into retail systems in stores. Such entry points need to be replaced with secure readers for card data capture so only secured data processes through retail IT to the host.”
“Once the card data is secured up to the host, previously stored credit card numbers can be replaced by surrogate tokens which have no attack value. Many merchants deploy tokenization today. However, without securing the initial card read where the most valuable data is exposed, such as highly attractive track data, there’s an exploitable gap with numerous malware variants designed specifically for it.”
“If malware gets into the POS and steals track or card data directly in memory, then nothing can be done in the POS to mitigate. Tokenization of card data directly in the POS, which is sometimes suggested as a defense, would not achieve anything and worse, possibly expose an open tokenization interface itself to the attacker which could lead to higher levels of compromise. The current crop of malware in the POS, like BlackPOS, steals track data as it arrives into memory instantly. Once grabbed, it’s game over as the data makes its way out to the malware controllers. Tokenization is only useful when combined with encryption in specially designed card reading equipment for secure end-to-end data capture to eliminate live data in vulnerable systems,” he added.
“It will be interesting to see how this breach unfolds. In all probability, I would hazard a guess it was quite avoidable through contemporary encryption measures. Other large retailers who have suffered major breaches have already shifted gears to adopt such methods, based on years of success with their early-adopter peers who’ve not had a single incident since deployment.”
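The architecture Bower describes above (encrypt in the card reader, let the POS handle only ciphertext, decrypt and tokenize at the payment host) can be made concrete with a small simulation. The following is an added example written for this page; it is not code from Help Net Security, Voltage Security or any real POS product. The cipher is a standard-library stand-in (HMAC-derived keystream with an encrypt-then-MAC tag) for the AES/DUKPT schemes real readers use, the sample PAN and track-2 string are constructed test data, and every class and function name is invented for the illustration. The `memory` buffer stands in for the POS process RAM that a memory-scraping tool would read, so the defender's check at the end shows why tokenizing inside the POS does not help while reader-side encryption does.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a test-format PAN (not a real account) and a
# track-2 style string, the kind of data the article says POS malware targets.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK2 = f"{SAMPLE_PAN}=25121010000000000000"


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the shared reader/host key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream using HMAC-SHA256 as the PRF (toy stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: envelope = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, envelope: bytes) -> bytes:
    """Verify the tag before decrypting; a modified envelope is rejected."""
    nonce, ct, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SecureReader:
    """Secured card reader: the only device in the store that sees plaintext track data."""
    def __init__(self, key: bytes):
        self._key = key  # shared with the payment host, never with the POS

    def capture(self, track2: str) -> bytes:
        return encrypt(self._key, track2.encode())


class PaymentHost:
    """Payment processing host beyond the store network: decrypts and issues surrogate tokens."""
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> PAN, kept only at the processor

    def authorize(self, envelope: bytes) -> str:
        pan = decrypt(self._key, envelope).decode().split("=")[0]
        token = "tok_" + secrets.token_hex(8)  # random surrogate, no attack value
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


class PointOfSale:
    """POS on a standard OS. Everything it handles is appended to `memory`, which
    models the process RAM a memory-scraping malware would read."""
    def __init__(self, host: PaymentHost):
        self.host = host
        self.memory = bytearray()

    def sale(self, reader_output: bytes) -> str:
        self.memory += reader_output          # ciphertext only
        token = self.host.authorize(reader_output)
        self.memory += token.encode()
        return token


class NaiveTokenizingPOS(PointOfSale):
    """Anti-pattern from the article: tokenize inside the POS. Plaintext must pass
    through POS memory first, so it is exposed before the token is ever made."""
    def sale_plaintext(self, track2: str) -> str:
        self.memory += track2.encode()        # live track data in a vulnerable system
        token = "tok_" + secrets.token_hex(8)
        self.memory += token.encode()
        return token


def memory_exposes_card_data(memory: bytes, pan: str) -> bool:
    """Defender's check: does the POS process memory contain the PAN in clear?"""
    return pan.encode() in bytes(memory)


def demo() -> dict:
    key = secrets.token_bytes(32)             # provisioned into reader and host only
    host = PaymentHost(key)
    pos = PointOfSale(host)
    token = pos.sale(SecureReader(key).capture(SAMPLE_TRACK2))
    naive = NaiveTokenizingPOS(host)
    naive.sale_plaintext(SAMPLE_TRACK2)
    return {
        "secure_pos_exposed": memory_exposes_card_data(pos.memory, SAMPLE_PAN),
        "naive_pos_exposed": memory_exposes_card_data(naive.memory, SAMPLE_PAN),
        "host_recovers_pan": host.detokenize(token) == SAMPLE_PAN,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the quoted argument in one place: the host can still map the token back to the account, the secure POS never has the PAN in its memory, and the POS that tokenizes locally does. The integrity tag also means a tampered envelope is rejected at the host rather than silently decrypted.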