US retailer Staples investigates possible data breach

US retailer Staples confirms it is investigating a possible credit and debit card breach

US retailer Staples has confirmed it is investigating a possible credit and debit card data breach. 

According to security journalist Brian Krebs, who first reported the possible breach, fraud patterns observed by several banks suggest some Staples shops in the Northeast have been breached.

These include seven Staples outlets in Pennsylvania, at least three in New York City, and another in New Jersey.

The retailer said in a statement: “Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement.

“If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”

According to the Payment Card Industry Security Standards Council, cyber attacks on retailers have intensified as cyber criminals seek to capitalise on less secure payment cards that use a magnetic strip.

US card issuers are due to move to more secure payment cards with chips, based on the EMV standard, in 2015. However, last week president Barack Obama signed an executive order to speed up the move.

Card data hackers hit US retailers

In recent months, hackers have targeted a string of US retailers to steal payment card data for use in committing fraud.

Major US retailers such as Target, Home Depot, Supervalu, Neiman Marcus and others have been hit by payment card data breaches, affecting millions of customers.

Obama hoped to accelerate adoption of the EMV standard, signing an executive order on 17 October 2014 that directs the federal government to lead by example in securing transactions and data. 

The adoption of the EMV standard will help reduce widespread fraud in the US through payment card cloning, as it has done in Europe.

Like many data breaches of this sort, it could easily have been prevented, said Mark Bower, vice-president of product management at Voltage Security.

Point of sale malware

He speculated the attack on Staples is another case of point of sale (POS) malware pushed down to a few stores during a software update.

“This seems a possible common thread among recent breaches, enabling attackers to propagate malware to many endpoints,” said Bower.

“If this is the case, the only realistic way merchants can foil malware from stealing the magnetic stripe data is to avoid live card data arriving into the POS.”

For magnetic cards, and even EMV cards, this entails encrypting upstream of the POS, using contemporary one-way encryption in a logically and physically secured card reader all the way to the payment processing host, beyond the retail store network.

“This makes a POS malware attack far more difficult than exploiting a networked POS running a standard operating system such as Windows,” said Bower.

Measures to defend card data

He also advised merchants to avoid card entry methods, such as manual keying, swipe or EMV chip read, that feed directly into retail systems in stores.

Such entry points need to be replaced with secure readers for card data capture, so retailers should only use secured data processes through retail IT to the host.

Once the card data is secured up to the host, previously stored credit card numbers can be replaced by surrogate tokens of no attack value.

“Many merchants deploy tokenisation today. However, without securing the initial card read where the most valuable data is exposed, such as highly attractive track data, there's an exploitable gap with numerous malware variants designed specifically for it,” said Bower.

If malware gets into the POS and steals track or card data directly in memory, nothing can be done in the POS to mitigate the attack, he said.

“Tokenisation of card data directly in the POS – which is sometimes suggested as a defence – would not achieve anything; and worse, it could possibly expose an open tokenisation interface itself to the attacker, which could lead to higher levels of compromise,” said Bower.
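
The surrogate-token idea described above, as an added example that is not from the article or from Voltage Security. It assumes a hypothetical in-memory `TokenVault` running at the payment host (not in the POS), and `migrate_records` and the sample rows are constructed for illustration.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical host-side vault; the token-to-PAN map exists only here."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]      # one stable token per card
        while True:
            # Random digits carry no information about the PAN; the last four
            # are kept so receipts and customer service still work.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token that fails Luhn cannot be mistaken for a live card number.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]        # host only, behind access control

def migrate_records(vault, records):
    """Replace the stored card number in each retail record with its token."""
    return [{**r, "card": vault.tokenise(r["card"])} for r in records]

# Constructed sample data using well-known test card numbers.
SAMPLE = [{"order": 1001, "card": "4111111111111111"},
          {"order": 1002, "card": "5555555555554444"},
          {"order": 1003, "card": "4111111111111111"}]

if __name__ == "__main__":
    for row in migrate_records(TokenVault(), SAMPLE):
        print(row)
```

The retail-side records end up holding only random, Luhn-invalid surrogates, while the mapping back to the real number never leaves the host.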

POS malware and encryption

The current crop of POS malware, such as BlackPOS, steals track data the instant it arrives in memory.

“Once grabbed, it's game-over as the data makes its way out to the malware controllers. Tokenisation is only useful when combined with encryption in specially designed card-reading equipment for secure end-to-end data capture to eliminate live data in vulnerable systems,” said Bower.

He believes that, in all likelihood, it will be revealed that the breach at Staples could have been avoided through contemporary encryption measures.

“Other large retailers who have suffered major breaches have already shifted gear to adopt such methods, based on years of success with their early-adopter peers who have not had a single incident since deployment,” said Bower.
